Want to close a backdoor to the internet on a Windows 2000 terminal server.
Users can right mouse click on the desktop, then select New and then select
shortcut. The shortcut wizard starts.

If they type a URL in the shortcut line, it will create a shortcut to the
web site.
All they have to do is double click on the shortcut to get to the web site.

In the GPO IExplore.exe is blocked from use. Double click on the Internet
explorer icon, and the user is told they do not have permissions to run
IExplore.exe. But if they create a short cut to the web site, it opens just
fine.

How do I block this back door?

1. Restrict access to iexplore.exe via NTFS permissions.
2. Fire those who intentionally subvert your security settings.

Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com

"Charlie Hill" wrote:

> Want to close a backdoor to the internet on a Windows 2000 terminal server.
> Users can right mouse click on the desktop, then select New and then select
> shortcut. The shortcut wizard starts.
>
> If they type a URL in the shortcut line, it will create a shortcut to the
> web site.
> All they have to do is double click on the shortcut to get to the web site.
>
> In the GPO IExplore.exe is blocked from use. Double click on the Internet
> explorer icon, and the user is told they do not have permissions to run
> IExplore.exe. But if they create a short cut to the web site, it opens just
> fine.
>
> How do I block this back door?
>

Hello Charlie,

> In the GPO IExplore.exe is blocked from use.

IMHO a better solution would be to create a user group "NoSurf" and
give them an internal non existing proxy server address via GPO
(UserConfig/Windows/Internet Explorer/Connection/Proxy). IE would be
still working for internal purposes and your problem with shortcuts
would be solved, too.

regards

arno

Hello,

I suggest you refer to the following article to restrict IE from running
via Group Policy. My test steps are as follows, client is XP and the server
is win2k3:

1. Put the computer account called TEST to the OU you want to disallow the
user to use IE.
2. Open the GPO of this OU
3. Locate to the following policy:
4. Computer Configuration\windows settings\security settings\software
restriction policies
5. Create a new policy
6. In Additional Rule->New a path rule
7. Put "%programfiles%\internet explorer\iexplore.exe" in the path, set
the security level to disallow.

NOTE: this policy will take effect when the client restarts.

More information, please refer to the following article:
Q310791 Description of the software restirction
Http://support.microsoft.com/kb/310791

HTH!

Any udpate, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.