Wednesday, June 01, 2005

How to limit ie access in a controlled environment

A couple times people have asked on the board whether it is at all possible to create a truly controlled environment, whether it be for a company intranet, or an Internet café terminals.

There are quite a few things you can do, depending on how controlled the environment needs to be. Assuming you have already set the most basic restrictions using administrative tools, here are some additional steps you can take. Note that these steps require making changes to the Windows Registry. Do not attempt to make any of these changes unless you feel completely comfortable editing the registry, as it can otherwise cause your computer to malfunction.

ie toolbar Restrictions

Reg Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Create a DWORD key SpecifyDefaultButtons and give it a value of 1

to remove a button from the toolbar, create additional DWORD keys with a value noted below:

Key: Value = Effect
Btn_Back: 2 = Back button and menu item.
Btn_Forward: 2 = Forward button and menu item.
Btn_Stop: 2 = Stop button and menu item.
Btn_Refresh: 2 = Refresh button and menu item.
Btn_Home: 2 = Home button and menu item.
Btn_Search: 2 = Search button and menu item.
Btn_History: 2 = History button and menu item.
Btn_Favorites: 2 = Favorites button and menu item.
Btn_Media: 2 = Media button and menu item. [Only available with ie 6]
NoBandCustomize: 1 = No adding or removing menu or toolbars.
NotoolbarCustomize: 1 = Customizing the toolbar.

Note that these keys will remove both the toolbar button and the menu item, successfully disabling access to that particular functionality.

ie Restrictions

Reg Key: HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions

Create a DWORD key:
NoBrowserBars: Disable changes to browsers bars.
NoBrowserClose: Disable the option of closing Internet Explorer.
NoBrowserContextMenu: Disable right-click context menu.
NoBrowserOptions: Disable the tools / Internet Options menu.
NoBrowserSaveAs: Disable the ability to Save As
Nofavorites: Disable the Favorites.
NofileNew: Disable the File / New
NofileOpen: Disable the File / Open
NofindFiles: Disable the Find Files
NoSelectDownloadDir: Disable the option to change download directory
NoTheaterMode: Disable the Full Screen view
NoOpeninNewWnd: Disable Open in New Window
NoViewSource: Disable the ability to view the page source HTML.
NoNavButtons: Disables the Forward and Back buttons
NoPrinting: Remove Print and Print Preview from the File menu.
AlwaysPromptWhenDownload: Always prompt user when downloading files.

Give it a value of 1 to turn on the restriction

Reg Key: HKCU\Software\Policies\Microsoft\Internet Explorer\toolbars\Restrictions

Create a DWORD key:
NotoolbarOptions: Disables adding, removing, or moving toolbars.

Give it a value of 1 to turn on the restriction.

Keyboard Control

Finally, there are times when complete keyboard control is required (such as disallowing Ctrl commands). If buying special terminal keyboards is not an option, do not worry. There are ways in which you can "turn off" any key on the keyboard, by altering the scan code mappings for your keyboard.

Reg Key: HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout
IMPORTANT: There is also a Keyboard Layouts key (notice the plural form) under the Control key, but that key should not be modified.

In the Keyboard Layout key, the Scancode Map value (REG_BINARY) must be added. The first and second DWORDS store header information and should be set to all zeroes for the current version of the Scan Code Mapper. The third DWORD entry holds a count of the total number of mappings that follow, including the null terminating mapping. The minimum count would therefore be 1 (no mappings specified). The individual mappings follow the header. Each mapping is one DWORD in length and is divided into two WORD length fields. Each WORD field stores the scan code for a key to be mapped.

Once the map is stored in the registry, the system must be rebooted for the mappings to take effect. Note that if the mapping of a scan code is necessary on a keypress, the step is performed in user mode just before the scan code is converted to a virtual key. Doing this conversion in user mode can present certain limitations, such as mapping not working correctly when running under Terminal Services.

For the purposes of this tutorial, I will show how to turn off both Ctrl-keys. The following value should be stored in the Scancode Map key:

00000000 00000000 03000000 00001D00 00001DE0 00000000

0x00000000 = Header: Version
0x00000000 = Header: Flags
0x00000003 = Three entries in the map
0x001D0000 = Remove the left CTRL key (0x001D --> 0x00).
0xE01D0000 = Remove the right CTRL key (0xE01D --> 0x00).
0x00000000 = Null terminator

Like I said -- this method can be used to turn off any key on the keyboard. It can also be used to create custom keys, or keys that you normally don't have on your keyboard (such as a mute key). All changes require reboot before going into effect.

More info: http://www.webmasterworld.com/forum21/7542.htm
http://www.microsoft.com

posted by Noel J @ 2:15 PM   0 comments

0 Comments:

Post a Comment

<< Home