Eldmannen Posted October 26, 2008
Is there any software or any way to prevent Internet Explorer from being used for web surfing? It should only be able to be used for accessing Windows Updates.

James_A Posted October 31, 2008
You can probably do this by using a PAC file. Whitelist the Microsoft URLs associated with WU/MU and send everything else to localhost or a black-hole proxy.

Eldmannen (Author) Posted October 31, 2008
Ah, proxy auto-config, oh.
http://en.wikipedia.org/wiki/Proxy_auto-config

James_A Posted October 31, 2008
Yes! The idea of using a PAC file to block stuff from the internet was conceived about 12 years ago by John R. LoVerso (http://www.schooner.com/~loverso/) who used it to block adverts. It is far superior to using the HOSTS file for this purpose, because it is much quicker.

A good article on the subject was written by Sheryl Canter about 4 years ago for both O'Reilly and the American version of PC Magazine. There's a copy of the article on her web-site (Kill Internet Ads with HOSTS and PAC Files).

It seems to me that what you need is an extreme version of this technique, which only allows the Windows Update URLs and blocks everything else. The BlackHoleProxy Utility mentioned in Sheryl Canter's article does not seem to be available any more, but this should not matter to Internet Explorer.

Eldmannen (Author) Posted October 31, 2008
Killing ads with a HOSTS file is just the incorrect way to do it.

Perhaps this would work:

    /* IE: file://c:/windows/proxy.pac */
    function FindProxyForURL(url, host) {
        // Sites that we allow
        if (host.match(/^(\w*\.)*microsoft\.(com|org)$/)) { return "DIRECT"; }
        if (shExpMatch(host, "*.windowsupdate.com")) { return "DIRECT"; }
        if (host.match(/^(\w*\.)*mozilla\.(com|org)$/)) { return "DIRECT"; }
        if (host.match(/^(\w*\.)*getfirefox\.com$/)) { return "DIRECT"; }

        // Allow local hosts
        if (isPlainHostName(host)) { return "DIRECT"; }

        // Allow loopback
        if (isInNet(host, "127.0.0.0", "255.0.0.0")) { return "DIRECT"; }

        // Allow sites on the local network
        if (isInNet(host, "192.168.0.0", "255.255.0.0")) { return "DIRECT"; }
        if (isInNet(host, "10.0.0.0", "255.0.0.0")) { return "DIRECT"; }

        // Block all other sites
        // alert("Due to security reasons Internet Explorer is disabled, please use Mozilla Firefox.");
        return "PROXY 0.0.0.0:8080";
    }

Too bad you can't write IP ranges as CIDR, like 192.168.0.0/16 and 127.0.0.0/8.

Too bad it seems there are only three return values for the FindProxyForURL() function: "DIRECT", "PROXY" and "SOCKS". It would be nice with a "BLOCK" or "DENY".

Save the above code as proxy.pac in the Windows directory or something.

Internet Explorer -> Tools -> Internet Options -> Connections -> LAN settings. Then select "Use automatic configuration script" and type in: "file://c:/Windows/proxy.pac" (without the quotes).

Good if you want to prevent your siblings, friends, family, or guests from using Internet Explorer to browse the web with, and accidentally get infected with something.

James_A Posted November 1, 2008
Neat!

Microsoft KB articles (KB836961 for example) generally recommend the following URLs to be put in the Trusted Zone in order to access WU:
• https://*.microsoft.com
• https://download.windowsupdate.com
• https://update.microsoft.com/windowsupdate
• http://*.update.microsoft.com
• https://*.update.microsoft.com
• http://download.windowsupdate.com

I'm not very good with Regular Expressions, but I'm trying to match update.microsoft.com/windowsupdate against:

    (host.match(/^(\w*\.)*microsoft\.(com|org)$/))

I understand the start-of-line & end-of-line parts OK, but I'm a bit lost in the middle.

Also, is that a typo at the end of:

    (host.match(/^(\w*\.)*getfirefox\.coMS/))

Apologies if it is not, but what does it mean?

You might also want to match www.mozilla-europe.org which is used round here (it downloads from download.mozilla.org though).

Once the shortcuts are removed from the Desktop and Quick Launch bar, this PAC file should make it quite difficult to use IE instead of FF. Thanks for filling-out the idea.

Eldmannen (Author) Posted November 1, 2008
Yeah, I read some article about which domains to unblock.

The regular expressions allow anything from the microsoft.com and windowsupdate.com domain.
\ is an escape character, which is used as \. to make it a real dot, because just a dot would be interpreted as any character in regular expressions.
\w means any word-like character, such as a-z and 0-9.
(com|org) means to match both .com and .org.

No, it is not a typo. It is supposed to be a com$. But apparently Tarun has configured the forum to automatically replace it with MS, because some people refer to Microsoft with an M and a $ instead of an S. Thanks for spotting it though.

It should be /^(\w*\.)*getfirefox\.com$/

Regular expressions are within / and /.
^ is the start of matching.
$ is the end of matching.

If you don't like the regular expressions, you can use two shExpMatch() instead.

    // Match the bare domain and any subdomain of it
    if (shExpMatch(host, "microsoft.com") || shExpMatch(host, "*.microsoft.com")) { return "DIRECT"; }
    if (shExpMatch(host, "windowsupdate.com") || shExpMatch(host, "*.windowsupdate.com")) { return "DIRECT"; }

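Added example, not part of the thread: a harness that runs the allowlist from the posts above offline against constructed host names, so the allow/block decisions can be checked before the PAC file is deployed. The helper stand-ins, `isInCidr`, `audit` and the sample hosts are assumptions, and `isInNet` here does no DNS lookup.

```javascript
// Added example: offline stand-ins for the PAC helpers (the browser normally supplies them).
function shExpMatch(str, pattern) {
  // Shell glob to regex: escape metacharacters, then * = any run, ? = one character.
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function isPlainHostName(host) { return !host.includes("."); }
function ipToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const p = ip.split(".").map(Number);
  if (p.some(n => n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}
// Assumption: no DNS here, so only literal IPv4 hosts match (a real isInNet resolves names).
function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}
// Hypothetical helper: accept CIDR notation by deriving the dotted mask for isInNet.
function isInCidr(host, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return isInNet(host, net, [24, 16, 8, 0].map(s => (mask >>> s) & 255).join("."));
}
// The thread's allowlist, with the three local ranges written as CIDR.
function FindProxyForURL(url, host) {
  if (host.match(/^(\w*\.)*microsoft\.(com|org)$/)) return "DIRECT";
  if (shExpMatch(host, "*.windowsupdate.com")) return "DIRECT";
  if (host.match(/^(\w*\.)*mozilla\.(com|org)$/)) return "DIRECT";
  if (host.match(/^(\w*\.)*getfirefox\.com$/)) return "DIRECT";
  if (isPlainHostName(host)) return "DIRECT";
  const local = ["127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8"];
  if (local.some(c => isInCidr(host, c))) return "DIRECT";
  return "PROXY 0.0.0.0:8080";
}
// Report allow/block for each host so gaps show up before the file is deployed.
function audit(hosts) {
  const verdict = h => FindProxyForURL("http://" + h + "/", h) === "DIRECT" ? "allow" : "block";
  return Object.fromEntries(hosts.map(h => [h, verdict(h)]));
}
// Constructed sample hosts; "my-cdn.microsoft.com" is made up to exercise a hyphenated label.
const SAMPLE_HOSTS = ["update.microsoft.com", "download.windowsupdate.com",
  "windowsupdate.com", "www.mozilla-europe.org", "my-cdn.microsoft.com",
  "microsoft.com.example.net", "192.168.1.20", "172.16.0.5", "printer"];
console.log(audit(SAMPLE_HOSTS));
```

Run with Node.js. The bare windowsupdate.com, www.mozilla-europe.org and any subdomain label containing a hyphen come out as blocked, because `\w` does not match `-` and `*.windowsupdate.com` requires a leading label.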
Tarun (Administrator) Posted November 1, 2008
I fixed your post and made a change to the filter. If it still happens let me know.

Eldmannen (Author) Posted November 1, 2008
> I fixed your post and made a change to the filter. If it still happens let me know.

Thanks! :jump:

James_A Posted November 2, 2008
Thanks for the explanation, Eldmannen. My mistake was to read \w as an actual "w" and not as [A-Za-z0-9_]. So I was reading it as "zero or more of w" which is obviously wrong.

Correcting the auto-correction on the board helps as well!

Eldmannen (Author) Posted November 2, 2008
> Thanks for the explanation, Eldmannen. My mistake was to read \w as an actual "w" and not as [A-Za-z0-9_]. So I was reading it as "zero or more of w" which is obviously wrong. Correcting the auto-correction on the board helps as well!

Here you can read some about regular expressions:
* http://www.php.net/manual/en/regexp.reference.php

Although you seem to know them pretty well. Regular expressions can be very handy and useful, but they can be pretty difficult to construct and understand.

Eldmannen (Author) Posted November 12, 2008
Not only does configuring IE to use a PAC file affect IE, but it also affects other applications. I guess other stuff uses the PAC setting from IE too. Perhaps WinHTTP API or something.

For example, Google Earth is unable to connect to the servers or check for updates.

James_A Posted November 12, 2008
I know it is used by MBSA (Microsoft Baseline Security Analyzer) but since Microsoft URLs are allowed, that makes no difference.

Is Google Earth just trying to connect to Google.com or somewhere else?

Eldmannen (Author) Posted November 13, 2008
> I know it is used by MBSA (Microsoft Baseline Security Analyzer) but since Microsoft URLs are allowed, that makes no difference. Is Google Earth just trying to connect to Google.com or somewhere else?

Not sure. Either way, there are many applications which rely on the proxy settings in Internet Explorer. So using a PAC file might not be such a good idea.

Eldmannen (Author) Posted November 30, 2008
I raised security level zone to high.

Internet Explorer on Windows Server has this nice functionality called "Internet Explorer Enhanced Security Configuration" enabled by default, which prevents IE from being used. I wish Windows XP had it too...

Eldmannen (Author) Posted December 3, 2008
Now I noticed that changing the security zone level to high in Internet Explorer affects it system-wide, so then you can't download stuff with Firefox either.

I just wish Microsoft would ditch ActiveX, and make it possible to uninstall Internet Explorer.

James_A Posted December 3, 2008
I had forgotten that Firefox 3 introduced this new "feature". Some users are really annoyed that Firefox depends on an IE zone setting.

There's something about it in mozillazine given as background information to users who are having download problems and need to reset it.

As I understand it, you need FF 3.1 Beta 2, or higher, to disable this. If anyone has any better information I would be interested to hear about it.

Eldmannen (Author) Posted December 3, 2008
The Internet Explorer settings are the same settings as the "Internet Options" applet in the control panel. Being located in the control panel and not having an IE-specific icon, it indicates that it is a system-wide setting.

Though it is strange that you change a system-wide setting from within an application, then you think it's an application-specific setting. So it is diffuse...