Disable Internet Explorer

[Guest]

I want to disable IE for users, but allow an administrator to use it. I
thought that a policy and the "runas" command would do the trick, but I
seem to be wrong. Can someone lead me in the right direction on how to
do that- or at least the same result of disallowing internet access
except for admins without having to switch xp users? The Norton
firewall program has a setting but it is easy to defeat. The machine
has a cable internet connection.

This failed: Local Security Policy- Software Restriction Policy-
Additionall Rules- path rule=C:\Program Files\Internet
Explorer\iexplore.exe option=disallowed- then enforcement = Apply
Software Restriction Policies to : All users except local
administrators

Then starting IE is disabled(obviously)- I want to open it using Runas-
(admin- pass) but that doesn't work either. The service "secondary
logon" is running. Shouldn't the enforcement option allow the runas?

 

[Steven L Umbach]

It is pretty futile to try and disable internet access by not allowing a
user access to IE as they still may be able to access via other ways such as
URLs in a Word document. The best solution is to use a firewall that can
firewall rules that include users/groups if you are describing an Active
Directory domain such as Microsoft ISA. If you are talking about one or a
few computers take a look at the PortsLock personal firewall that can
different firewall configuration based on the logged on user account.
Another possibility is to logon to the user accounts, configure a bogus
proxy server via IE connections settings, and then make sure that the user
can not access the proxy settings via Group Policy or registry mod. See the
second link below for more info on how to do that.

Steve

http://www.portslock.com/
http://articles.techrepublic.com.com/5100-1009_11-5838360.html?tag=nl.e101

 

[Guest]

It is pretty futile to try and disable internet access by not allowing a
user access to IE as they still may be able to access via other ways such as
URLs in a Word document. The best solution is to use a firewall that can
firewall rules that include users/groups if you are describing an Active
Directory domain such as Microsoft ISA. If you are talking about one or a
few computers take a look at the PortsLock personal firewall that can
different firewall configuration based on the logged on user account.
Another possibility is to logon to the user accounts, configure a bogus
proxy server via IE connections settings, and then make sure that the user
can not access the proxy settings via Group Policy or registry mod. See the
second link below for more info on how to do that.

Steve

http://www.portslock.com/
http://articles.techrepublic.com.com/5100-1009_11-5838360.html?tag=nl.e101

Thanks for answering so quickly. My above method works fine- not sure
about the word doc link-
on a per user log in- however I want to be able to allow admins quick
access without having to logon/ switch users. Does anyone know if the
runas command should work for this? Seems like it should- but that's
just an assumption. Things aren't always as they seem- or is it
something wrong with my configuration?

 

[Steven L Umbach]

I am not sure if runas will work when a SRP is used. You certainly try it
and also check the application log when something does not work as planned
as SRP will record events when it blocks an application from running.
Another possibility is to use a bogus default gateway on the computer and
then the admin user can configure it properly when he needs it but will need
to reconfigure to be bogus again when done. You might be able to create a
batch files using the netsh command to do that which only the admin could
run with runas.

Steve