Anyone have ideas on how to discourage end users from surfing the Web with Internet Explorer? I can remove the icon from the desktop and Start menu, and change the default browser. But is there any way to take it a step further? Zac -- Zachary Mutrux CompuMentor I have to exercise early in the morning before my brain figures out what I'm doing.
If any user has any TCP privilege (like Debug or Act like part of operation system), he or she need one step to become system. So, if coder wants to be a local administrator - he will be a local administrator. Don't forget about it. Good solution - move coders in its personal network, separated from product environment with firewall. Regards, Sergey V. Gordeychik, MCSE since NT 4.0, MCSA, MCT. ************************************************************************** Практикум по безопасному использованию систем электронной почты в авторском курсе Учебного центра "Информзащита" "Безопасность систем электронной почты" http://www.itsecurity.ru/edu/kurs/kp_07.html --------------------------------------------------------------------------- ---------------------------------------------------------------------------
1. Use GPO to set IE to use a proxy config script and point it to a file on
the network somewhere.
2. Make a proxy config script like:
function FindProxyForURL(url, host)
{
if (isInNet(host, "192.168.0.0", "255.255.0.0"))
return "DIRECT";
if (isInNet(host, "127.0.0.0", "255.0.0.0"))
return "DIRECT";
else
return "SOCKS 127.0.0.1:1080";
}
Replace 192.168.0.0 and 255.255.0.0 with your local network and mask.
Anything for local machines will go direct; anything for outside will try to
go to a non-existent proxy SOCKS server.
You can do this without GPO, but you'll need to manually lock down IE to
only use the proxy config script, then.
Henry
> -----Original Message-----
> From: Zachary Mutrux [mailto:zmutrux <at> compumentor.org]
> Sent: Thursday, July 01, 2004 10:27 AM
> To: Focus-MS
> Subject: supressing IE
>
>
(Continue reading)> Anyone have ideas on how to discourage end users from surfing the Web > with Internet Explorer? I can remove the icon from the desktop and Start > menu, and change the default browser. But is there any way to take it a > step further? Here is how we did it: - Tell users that IE has unpatched critical security holes - Exchange the icons or pathes of the links (IE-icon -> Opera; MyIE2-icon -> Mozilla Firefox) - Forbid execution of iexplore.exe by policies (GP) - Adjust file permissions to not allow execution. Seems to be overkill at first sight but our users are now happy users of Opera and Firefox :-D Oliver -- -- --------------------------------------------------- May the source be with you, stranger ... ;) --------------------------------------------------------------------------- ---------------------------------------------------------------------------
I took it one step further and removed all permissions but system and administrator (for windows update) and it prevented them from running IE directly but if they open a file browser they can change the address bar to a website (ie http://www.slashdot.org) and the file explorer becomes IE. ------- Jacob Bresciani Systems Analyst Electrical and Computer Engineering University of Alberta Bus: (780) 492-7368 Fax: (780) 492-1811 jacob.bresciani <at> ualberta.ca On 1-Jul-04, at 9:26 AM, Zachary Mutrux wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anyone have ideas on how to discourage end users from surfing the Web with Internet Explorer? I can remove the icon from the desktop and Start menu, and change the default browser. But is there any way to take it a step further? Zac - -- Zachary Mutrux(Continue reading)
Zac, It is possible to restrict browser usage using a proxy server. Many proxies allow you to filter requests based upon data in the http header. In this case you could filter based upon the user agent string for IE. Of course this method is not fool proof since some browsers like Safari allow you to enter your own user agent string. On Thu, 2004-07-01 at 11:26, Zachary Mutrux wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Anyone have ideas on how to discourage end users from surfing the Web > with Internet Explorer? I can remove the icon from the desktop and Start > menu, and change the default browser. But is there any way to take it a > step further? > > Zac > > - -- > Zachary Mutrux > CompuMentor > > I have to exercise early in the morning before my brain figures > out what I'm doing. > > > > >(Continue reading)
If you went any further to disable IE, I would be concerned with the following: 1) Microsoft would no longer support the OS if something went wrong. 2) You would decrease reliability/stability. 3) Windows Explorer *is* Internet Explorer, as you will notice when you type in an Internet URL in the address bar of Windows Explorer. Instead, consider the following: 1) If you are running an Active Directory domain, consider forcing (through Group Policy) the proxy server settings in IE to an RFC 1918 IP address on your network which does not have proxy capabilities. 2) AdCruncher http://mysite.verizon.net/~mr_fish/AdCruncher/ReadMe.html 3) A proxy for HTTP traffic and block the nasty stuff. 4) http://www.qwik-fix.net/ 5) SpywareBlaster Lots of options... Danny On Thu, 01 Jul 2004 08:26:36 -0700, Zachary Mutrux <zmutrux <at> compumentor.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1(Continue reading)
Zac, Just uninstall Internet Explorer program completely. You can use IE Eradicator. Google it for download sites. Zachary ZER Computers -----Original Message----- From: Zachary Mutrux [mailto:zmutrux <at> compumentor.org] Sent: Thursday, July 01, 2004 11:27 AM To: Focus-MS Subject: supressing IE -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anyone have ideas on how to discourage end users from surfing the Web with Internet Explorer? I can remove the icon from the desktop and Start menu, and change the default browser. But is there any way to take it a step further? Zac - -- Zachary Mutrux CompuMentor I have to exercise early in the morning before my brain figures out what I'm doing.(Continue reading)
You can go BOFH style on them. Using Apache as a web proxy (unfortunately I can't figure out a way to do this in Squid) you can limit or restrict users, based on what the "User-Agent" string reports. For example in httpd.conf: SetEnvIfNoCase User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)" bad_browser You can then use that variable later on, for example in bandwidth limiting directives, or access control directives. Or you could redirect them to HTTP rewrite pages telling them not to use that browser and provide a link to download firefox/etc every once in a while. Or you could just set site policy, install it remotely and use GPO as mentioned to make them use it. Personally I would be careful taking IE away, many business web based applications require ActiveX, meaning they only work with IE. Of course you could just filter outgoing access and let user's access the sites they must with IE and block everything else. Kurt Seifried, kurt <at> seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ --------------------------------------------------------------------------- ---------------------------------------------------------------------------
On 2004-07-05 zrowe <at> zercomputers.com wrote: > Just uninstall Internet Explorer program completely. You can use IE > Eradicator. Google it for download sites. IEradicator works for Win9x only. On Windows 2000 and XP it would break the system since various components (e.g. help system) depend on mshtml.dll, which contains the functionality and also many of the security holes. Regards Ansgar Wiechers --------------------------------------------------------------------------- ---------------------------------------------------------------------------
RSS Feed1 | |
|---|---|
6 | |
22 | |
27 | |
16 | |
17 | |
30 | |
3 | |
9 | |
3 | |
11 | |
7 | |
3 | |
21 | |
5 | |
5 | |
5 | |
13 | |
4 | |
4 | |
5 | |
4 | |
5 | |
16 | |
39 | |
47 | |
7 | |
52 | |
27 | |
47 | |
6 | |
17 | |
6 | |
19 | |
52 | |
43 | |
5 | |
9 | |
57 | |
26 | |
46 | |
58 | |
62 | |
22 | |
32 | |
64 | |
118 | |
100 | |
70 | |
92 | |
97 | |
85 | |
19 | |
60 | |
71 | |
145 | |
62 | |
38 | |
87 | |
108 | |
134 | |
55 | |
116 | |
133 | |
109 | |
169 | |
96 | |
35 | |
135 | |
209 | |
70 | |
118 | |
68 | |
79 | |
45 | |
44 | |
69 | |
107 | |
56 | |
171 | |
143 | |
140 | |
178 | |
116 | |
133 | |
90 | |
107 | |
130 | |
147 | |
112 | |
62 | |
141 | |
64 | |
110 | |
215 | |
189 | |
68 | |
184 | |
340 | |
190 | |
1 |
