Zachary Mutrux | 1 Jul 17:26 2004

supressing IE


Anyone have ideas on how to discourage end users from surfing the Web
with Internet Explorer? I can remove the icon from the desktop and Start
menu, and change the default browser. But is there any way to take it a
step further?

Zac

--
Zachary Mutrux
CompuMentor

I have to exercise early in the morning before my brain figures
out what I'm doing.

Sergey V. Gordeychik | 2 Jul 10:10 2004
Picon

RE: Non Admin Rights + Visual Studio

If any user has any TCP privilege (like Debug or Act like part of operation system), he or she need one step to
become system. So, if coder wants to be a local administrator - he will be a local administrator.  
Don't forget about it.
Good solution - move coders in its personal network, separated from product environment with firewall. 

Regards,
Sergey V. Gordeychik,
MCSE since NT 4.0, MCSA, MCT.

**************************************************************************
Практикум по безопасному использованию систем
электронной почты в авторском курсе Учебного
центра "Информзащита" "Безопасность систем
электронной почты" http://www.itsecurity.ru/edu/kurs/kp_07.html

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Henry Sieff | 5 Jul 19:10 2004

RE: supressing IE

1. Use GPO to set IE to use a proxy config script and point it to a file on
the network somewhere.
2. Make a proxy config script like:
function FindProxyForURL(url, host)
        {
        if (isInNet(host, "192.168.0.0", "255.255.0.0"))
            return "DIRECT";
	  if (isInNet(host, "127.0.0.0", "255.0.0.0"))
		return "DIRECT";
        else
            return "SOCKS 127.0.0.1:1080";
        }

Replace 192.168.0.0 and 255.255.0.0 with your local network and mask.

Anything for local machines will go direct; anything for outside will try to
go to a non-existent proxy SOCKS server.

You can do this without GPO, but you'll need to manually lock down IE to
only use the proxy config script, then.

Henry

> -----Original Message-----
> From: Zachary Mutrux [mailto:zmutrux <at> compumentor.org]
> Sent: Thursday, July 01, 2004 10:27 AM
> To: Focus-MS
> Subject: supressing IE
> 
> 
(Continue reading)

Oliver Schneider | 5 Jul 19:10 2004
Picon

Re: supressing IE

> Anyone have ideas on how to discourage end users from surfing the Web
> with Internet Explorer? I can remove the icon from the desktop and Start
> menu, and change the default browser. But is there any way to take it a
> step further?

Here is how we did it:
- Tell users that IE has unpatched critical security holes
- Exchange the icons or pathes of the links (IE-icon -> Opera; MyIE2-icon ->
Mozilla Firefox)
- Forbid execution of iexplore.exe by policies (GP)
- Adjust file permissions to not allow execution.

Seems to be overkill at first sight but our users are now happy users of
Opera and Firefox :-D

Oliver

--

-- 
---------------------------------------------------
May the source be with you, stranger ... ;)

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Jacob Bresciani | 5 Jul 19:14 2004
Picon
Picon

Re: supressing IE

I took it one step further and removed all permissions but system and  
administrator (for windows update) and it prevented them from running  
IE directly but if they open a file browser they can change the address  
bar to a website (ie http://www.slashdot.org) and the file explorer  
becomes IE.

-------

Jacob Bresciani
Systems Analyst
Electrical and Computer Engineering
University of Alberta
Bus: (780) 492-7368
Fax: (780) 492-1811
jacob.bresciani <at> ualberta.ca

On 1-Jul-04, at 9:26 AM, Zachary Mutrux wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anyone have ideas on how to discourage end users from surfing the Web
with Internet Explorer? I can remove the icon from the desktop and Start
menu, and change the default browser. But is there any way to take it a
step further?

Zac

- --
Zachary Mutrux
(Continue reading)

Matt Richard | 5 Jul 19:30 2004
Picon

Re: supressing IE

Zac,

It is possible to restrict browser usage using a proxy server.  Many
proxies allow you to filter requests based upon data in the http
header.  In this case you could filter based upon the user agent string
for IE.  Of course this method is not fool proof since some browsers
like Safari allow you to enter your own user agent string.

On Thu, 2004-07-01 at 11:26, Zachary Mutrux wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Anyone have ideas on how to discourage end users from surfing the Web
> with Internet Explorer? I can remove the icon from the desktop and Start
> menu, and change the default browser. But is there any way to take it a
> step further?
> 
> Zac
> 
> - --
> Zachary Mutrux
> CompuMentor
> 
> I have to exercise early in the morning before my brain figures
> out what I'm doing.
> 
> 
> 
> 
> 
(Continue reading)

Danny | 5 Jul 23:47 2004
Picon

Re: supressing IE

If you went any further to disable IE, I would be concerned with the following:

1) Microsoft would no longer support the OS if something went wrong.
2) You would decrease reliability/stability.
3) Windows Explorer *is* Internet Explorer, as you will notice when
you type in an Internet URL in the address bar of Windows Explorer.

Instead, consider the following:

1) If you are running an Active Directory domain, consider forcing
(through Group Policy) the proxy server settings in IE to an RFC 1918
IP address on your network which does not have proxy capabilities.

2) AdCruncher
http://mysite.verizon.net/~mr_fish/AdCruncher/ReadMe.html

3) A proxy for HTTP traffic and block the nasty stuff.

4) http://www.qwik-fix.net/

5) SpywareBlaster

Lots of options...

Danny

On Thu, 01 Jul 2004 08:26:36 -0700, Zachary Mutrux
<zmutrux <at> compumentor.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
(Continue reading)

zrowe | 5 Jul 20:20 2004

RE: supressing IE

Zac,

Just uninstall Internet Explorer program completely. You can use IE
Eradicator. Google it for download sites.

Zachary
ZER Computers

-----Original Message-----
From: Zachary Mutrux [mailto:zmutrux <at> compumentor.org] 
Sent: Thursday, July 01, 2004 11:27 AM
To: Focus-MS
Subject: supressing IE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anyone have ideas on how to discourage end users from surfing the Web
with Internet Explorer? I can remove the icon from the desktop and Start
menu, and change the default browser. But is there any way to take it a
step further?

Zac

- --
Zachary Mutrux
CompuMentor

I have to exercise early in the morning before my brain figures
out what I'm doing.
(Continue reading)

Kurt Seifried | 6 Jul 01:16 2004

Re: supressing IE

You can go BOFH style on them. Using Apache as a web proxy (unfortunately I
can't figure out a way to do this in Squid) you can limit or restrict users,
based on what the "User-Agent" string reports. For example in httpd.conf:

SetEnvIfNoCase User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; .NET CLR 1.1.4322)" bad_browser

You can then use that variable later on, for example in bandwidth limiting
directives, or access control directives. Or you could redirect them to HTTP
rewrite pages telling them not to use that browser and provide a link to
download firefox/etc every once in a while.

Or you could just set site policy, install it remotely and use GPO as
mentioned to make them use it. Personally I would be careful taking IE away,
many business web based applications require ActiveX, meaning they only work
with IE. Of course you could just filter outgoing access and let user's
access the sites they must with IE and block everything else.

Kurt Seifried, kurt <at> seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Ansgar -59cobalt- Wiechers | 6 Jul 10:14 2004
Picon

Re: supressing IE

On 2004-07-05 zrowe <at> zercomputers.com wrote:
> Just uninstall Internet Explorer program completely. You can use IE
> Eradicator. Google it for download sites.

IEradicator works for Win9x only. On Windows 2000 and XP it would break
the system since various components (e.g. help system) depend on
mshtml.dll, which contains the functionality and also many of the
security holes.

Regards
Ansgar Wiechers

---------------------------------------------------------------------------
---------------------------------------------------------------------------


Gmane