Preventing Web Page Access from Explorer.exe

[gadgetfan.john]

I've written an application that monitors Internet activity on
machines running Windows 2000 (SP4) and IE6. I thought it was working
well but have discovered a nasty security flaw. If users go directly
to a Windows Explorer window (for example, by double clicking MY
COMPUTER) they can type a web address into the address bar and this
will bring up the page in the Explorer window, making it equivalent to
Internet Explorer. The big problem is that this doesn't show up as
such - the window title is just the web page title, MINUS the
"Microsoft Internet Explorer". Even worse, IEXPLORE.EXE doesn't then
show up in the process list. The end result is that Internet Explorer
is running, but undetectably. I missed this problem initially because
Microsoft seems to have fixed it in Windows XP with IE7.

Any ideas how I can get round this in W2K/IE6? In essence, what I need
to do is to prevent users from accessing web pages via EXPLORER.EXE.
Failing that, I would have to detect that the user was accessing a web
page via Windows Explorer rather than Internet Explorer. I have tried
to find details of DDE commands in Windows Explorer, to let me query
the address in the address bar. If I could see that this started with
"http:" or its variants I should be able to just close the window. I
drew a blank with this - no-one seems to list DDE commands any more.

Removing Windows Explorer title bars or MY COMPUTER doesn't seem to be
an option, as users would then be unable to get to their documents.
The PCs with the problem run Windows 2000 SP4 with IE6. I program in
Borland Delphi (Version 5) but didn't feel this was a Delphi specific
query.

I would be very grateful for any suggestions, as upgrading all our
machines to XP/Vista will take a long time.

 

[Guest]

I've written an application that monitors Internet activity on
machines running Windows 2000 (SP4) and IE6. I thought it was working
well but have discovered a nasty security flaw. If users go directly
to a Windows Explorer window (for example, by double clicking MY
COMPUTER) they can type a web address into the address bar and this
will bring up the page in the Explorer window, making it equivalent to
Internet Explorer. The big problem is that this doesn't show up as
such - the window title is just the web page title, MINUS the
"Microsoft Internet Explorer". Even worse, IEXPLORE.EXE doesn't then
show up in the process list. The end result is that Internet Explorer
is running, but undetectably. I missed this problem initially because
Microsoft seems to have fixed it in Windows XP with IE7.

Any ideas how I can get round this in W2K/IE6? In essence, what I need
to do is to prevent users from accessing web pages via EXPLORER.EXE.
Failing that, I would have to detect that the user was accessing a web
page via Windows Explorer rather than Internet Explorer. I have tried
to find details of DDE commands in Windows Explorer, to let me query
the address in the address bar. If I could see that this started with
"http:" or its variants I should be able to just close the window. I
drew a blank with this - no-one seems to list DDE commands any more.

Removing Windows Explorer title bars or MY COMPUTER doesn't seem to be
an option, as users would then be unable to get to their documents.
The PCs with the problem run Windows 2000 SP4 with IE6. I program in
Borland Delphi (Version 5) but didn't feel this was a Delphi specific
query.

I would be very grateful for any suggestions, as upgrading all our
machines to XP/Vista will take a long time.

Also they can use the Run command to type in the web address or the IP?.
Do you have a GPO policy implemented on these machines?, also on the Domain
server?.
About your Application, you only can patch or rewrite the application to
solve the flaw issue.
You can write a script that will prevent users from accessing some
folders/applications, but again as you said you want them to have access to
their Documents.
HTH.
nass

 

[Jon Kennedy]

You can also restrict internet access via the registry or IE's proxy
settings on the Internet Options...Connect tab, LAN settings button. Set it
to use a non-existent proxy server and then lock out access to the Internet
Options via the registry setting "NoBrowserOptions" below. Corresponding
registry entries re the proxy settings are also below..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
These settings enable the use of a proxy server.

"ProxyServer"="http://ProxyServername:80"
Contains the address of the Proxy server. Since we want to block web
access, just fill this in with a few random characters.

"ProxyOverride"
Use this setting if there are websites that you want your users to have
access to. Addresses should be separated by a semicolon (.

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet
Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001
This setting prevents users from opening "Internet Options" and
changing the Proxy settings back to default.

Other restrictions you may find useful are in this article:

The restrictions that are available to Internet Explorer 6.0 SP1
http://support.microsoft.com/default.aspx?scid=kb;en-us;823057

 

[gadgetfan.john]

Thanks for the suggestions, but it looks as if I didn't make myself
clear enough. Internet access via windows labelled "Internet Explorer"
or processes that appear in the process list as IEXPLORE.EXE are fine
- I can monitor these and limit IE to one instance.

My problem is that the W2K/IE6 combination is allowing users to open
a web browser that doesn't IDENTIFY itself as such. I want to allow
web browsing only if my application can see that it's happening
(through the window or process name).