Jump to content

Block IE from accessing anything but Windows Update?


Recommended Posts


The idea of using a PAC file to block stuff from the internet was conceived about 12 years ago by John R. Lo?Verso (http://www.schooner.com/~loverso/) who used it to block adverts. It is far superior to using the HOSTS file for this purpose, because it is much quicker.

A good article on the subject was written by Sheryl Canter about 4 years ago for both O'Reilly and the American version of PC Magazine. There's a copy of the article on her web-site (Kill Internet Ads with HOSTS and PAC Files).

It seems to me that what you need is an extreme version of this technique, which only allows the Windows Update URLs and blocks everything else.

The BlackHoleProxy Utility mentioned in Sheryl Canter's article does not seem to be available any more, but this should not matter to Internet Explorer.


Link to comment
Share on other sites

Killing ads with a HOSTS file is just the incorrect way to do it.

Perhaps this would work;

/* IE: file://c:/windows/proxy.pac */

function FindProxyForURL(url, host) {

	// Sites that we allow

	if (host.match(/^(\w*\.)*microsoft\.(com|org)$/)) { return "DIRECT"; }

	if (shExpMatch(host, "*.windowsupdate.com")) { return "DIRECT"; }

	if (host.match(/^(\w*\.)*mozilla\.(com|org)$/)) { return "DIRECT"; }

	if (host.match(/^(\w*\.)*getfirefox\.com$/)) { return "DIRECT"; }

	// Allow local hosts

	if (isPlainHostName(host)) { return "DIRECT"; }

	// Allow loopback

	if (isInNet(host, "", "")) { return "DIRECT"; }

	// Allow sites on the local network

	if (isInNet(host, "", "")) { return "DIRECT"; }

	if (isInNet(host, "", "")) { return "DIRECT"; }

	// Block all other sites

	// alert("Due to security reasons Internet Explorer is disabled, please use Mozilla Firefox.");

	return "PROXY";


Too bad you cant write IP ranges as CIDR, like and

Too bad it seems there are only three return values for the FindProxyForURL() function; "DIRECT , "PROXY" and "SOCKS". It would be nice with a "BLOCK" or "DENY".

Save the above code as proxy.pac in the Windows directory or something.

Internet Explorer -> Tools -> Internet Options -> Connections -> LAN settings. Then select "Use automatic configuration script" and type in: "file://c:/Windows/proxy.pac" (without the quotes).

Good if you want to prevent your siblings, friends, family, or guests from using Internet Explorer to browse the web with, and accidentally get infected with something.

Link to comment
Share on other sites


Microsoft KB articles (KB836961 for example) generally recommend the following URLs to be put in the Trusted Zone in order to access WU:

• https://*.microsoft.com



• http://*.update.microsoft.com

• https://*.update.microsoft.com


I'm not very good with Regular Expressions, but I'm trying to match update.microsoft.com/windowsupdate against:

I understand the start-of-line & end-of-line parts OK, but I'm a bit lost in the middle. Also, is that a typo at the end of:

Apologies if it is not, but what does it mean?

You might also want to match www.mozilla-europe.org which is used round here (it downloads from download.mozilla.org though).

Once the shortcuts are removed from the Desktop and Quick Launch bar, this PAC file should make it quite difficult to use IE instead of FF. Thanks for filling-out the idea.


Link to comment
Share on other sites

Yeah, I read some article about which domains to unblock. The regular expressions allows anything from the microsoft.com and windowsupdate.com domain.

\ is an escape character, which is used as \. to make it a real dot, because just a dot would be interpreted as any character in regular expressions.

\w means any word-like character, such as a-z and 0-9.

(com|org) means to match both .com and .org.

No, is not a typo. It it supposed to be a com$. But apparently Tarun have configured the forum to automatically replace it with MS, because some people refer to Microsoft with a M and a $ instead of a S. Thanks for spotting it though.

It should be /^(\w*\.)*getfirefox\.com$/

Regular expressions are within / and /.

^ is the start of matching.

$ is the end of matching.

If you don't like the regular expressions, you can use two shExpMatch() instead.

if (shExpMatch(host, "microsoft.com") or shExpMatch(host, "*.microsoft.com")) {return "DIRECT";}

if (shExpMatch(host, "windowsupdate.com") or shExpMatch(host, "*.windowsupdate.com")) { return "DIRECT"; }

Link to comment
Share on other sites

Thanks for the explanation, Eldmannen. My mistake was to read \w as an actual "w" and not as [A-Za-z0-9_]. So I was reading it as "zero or more of w" which is obviously wrong. Correcting the auto-correction on the board helps as well!

Here you can read some about regular expressions;

* http://www.php.net/manual/en/regexp.reference.php

Although you seem to know them pretty well.

Regular expressions can be very handy and useful, but they can be pretty difficult to construct and understand.

Link to comment
Share on other sites

  • 2 weeks later...

I know it is used by MBSA (Microsoft Baseline Security Analyzer) but since Microsoft URLs are allowed, that makes no difference.

Is Google Earth just trying to connect to Google.com or somewhere else?

Not sure.

Either way, there are many applications which rely on the proxy settings in Internet Explorer. So using a PAC file, might not be such a good idea.

Link to comment
Share on other sites

  • 3 weeks later...

I had forgotten that Firefox 3 introduced this new "feature". Some users are really annoyed that Firefox depends on an IE zone setting. There's something about it in mozillazine given as background information to users who are having download problems and need to reset it.

As I understand it, you need FF 3.1 Beta 2, or higher, to disable this. If anyone has any better information I would be interested to hear about it.


Link to comment
Share on other sites

The Internet Explorer settings are the same settings as the "Internet Options" applet in the control panel. Being located in the control panel and not having an IE-specific icon, it indicates that it is a system-wide setting.

Though it is strange that you change a system-wide setting from within an application, then you think its an application-specific setting.

So it is diffuse...

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...