Lock down file downloads in IEAk 2

[gfunk123]

I am using IeAK to build a locked down ie5.5 as we are about to introduce 'internet to the desktop'. I do not want any member of staff to download or run any executables etc. I have selected the option to disable the ability to "save this file to disk" but cannot seem to restrict 'open this file from its current location' I basically dont even want the file download dialog box to appear at all for FTP or HTTP downloads (also right click 'Save target as'). Is this possible??

PS I dont mind the users saving web pages to disk by using File - Save as, but am just worried about programs/viruses etc

any help would be greatly appreciated

 

[KeyTech]

you can use the system policy editor to restrict running of .exe programs, the clients will still be able to downlaod them but they wont be able to run or install them... Jay~

"I have to think of a funny footer to
put in here!!!???"

~KeyTech

 

[gfunk123]

Thanks but presumably if i do this, the clients will not be able to run any .exe's at all including word, excel outlook etc??? effectively disavling the machine

 

[KeyTech]

no thats the beauty of the the policy editor, you can restrict only specific apps and run what ever you want!!
so you can put in msword.exe or outlook.exe and what ever you want! Jay~

"I have to think of a funny footer to
put in here!!!???"

~KeyTech

 

[gfunk123]

Sorry If Im not understanding corectly,You say I can restrict certain apps, but how would I know the names of the specific .exe files that are being downloaded so as to restrict them. Unless there is a way to allow ONLY certain .exes to be run, rather than only being able to disable certain .exes

 

[KeyTech]

yes sorry thats what I meant!! The policy editor will let you only run certain apps, like word etc, so if there is on that is downloaded and its not in the list it wont be run, but you have to be careful in what you allow, I mean that you have to find out what apps are necessary to run the machine, like winlogon.exe
have a quick look in your task manager for the processes running and jot them down. These have to be put in the list of allowed apps.
Id really recommend this, its great for this kinda stuff. Jay~

"I have to think of a funny footer to
put in here!!!???"

~KeyTech

 

[reghakr]

I've never used the IEAK or the Policy Editor, but you can add these through a script file.

If the clients are running IE5 or IE5.5. you can go to Start>Run, type regedit. Navigate to:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
If the Restrictions key doesn't exist create it, then right-click on it, choose new>DWORD value, name it NoSelectDownloadDir and give it a value of 1.

The user will get the Restrictions Dialog Box "This operation has been cancelled due to restrictions in effect on this computer. Please contact you system administrator."

If the user chooses save target as you can add this DWORD value under the same key:
NoBrowserSaveAs with a value of 1.

I'd create the value on your machine and give it a value of 0, then export the key, which you save as an undo file, at some point you'll need to download those Microsoft Security Updates that come out every week.

reghakr

 

[gfunk123]

Thanks Reghakr. There are similar restrictions available within IEAK, but i still have a problem with people selecting 'open this file from its current location' which i cant seem to restrict. Do you happen to know how i could restrict this option or am I expecting too much from Microsoft

 

[reghakr]

gfunk123,

Here ya go:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions

Add a new DWORD value named NoFileOpen and give it a value of 1.

reghakr

 

[bec336]

Could someone please help me (reghakr?)??
I keep changing my IE5 start page keys using regedit which works while I'm logged into Win98. When I shutdown and restart the home page is reset again to another (spam)web site. How come the keys are changed after rebooting? THANKS!!

bec336

 

[KeyTech]

If you have checked the reg, and found nothing, go to Start->Run and type in msconfig and in there check the Startup and your win.ini file tabs for anything strange....In the startup tab, windows should not be running any apps like 5-54-55.exe or strange names like that, nor should it be running any temp files, or anything from the \temp folder. If there is something odd in there, untick the box for it...which should do it, and that might also give you a clue to something in the reg which you may have missed.... Jay~

My new Tae Kwon Do website is up and running!!

http://www.airport-tkd.com

~KeyTech

 

[bec336]

Thanks KeyTech,
I tried rebooting in safe mode and the IE start page keys are unchanged. After normal boot they are changed to point to the spam site. I tried renaming the win.ini file so windows would create a new file AND I renamed system.cb (clean boot) to system.ini so both files are clean as during safe mode - but the keys in the system registry are still modified to contain the spam site address. When I search and replace the registry to remove all occurrences of the web site address and then view the user.dat and system.dat files using wordpad I can still find text containing the site. Why can I see the web address in wordpad but not with regedit. I also ran a utility called regclean to no avail. Most puzzling - must be an insidious virus, but where? Thanks for any help you can give

Andy (Tech User)

 

[reghakr]

bec336,

Check my FAQ in the Internet Explorer area:

faq608-1148

reghakr