
Block IE from accessing anything but Windows Update?



Posted

You can probably do this by using a PAC file.

Whitelist the Microsoft URLs associated with WU/MU and send everything else to localhost or a black-hole proxy.


Posted

Yes!

The idea of using a PAC file to block stuff from the internet was conceived about 12 years ago by John R. LoVerso (http://www.schooner.com/~loverso/) who used it to block adverts. It is far superior to using the HOSTS file for this purpose, because it is much quicker.

A good article on the subject was written by Sheryl Canter about 4 years ago for both O'Reilly and the American version of PC Magazine. There's a copy of the article on her web-site (Kill Internet Ads with HOSTS and PAC Files).

It seems to me that what you need is an extreme version of this technique, which only allows the Windows Update URLs and blocks everything else.

The BlackHoleProxy Utility mentioned in Sheryl Canter's article does not seem to be available any more, but this should not matter to Internet Explorer.


Posted

Killing ads with a HOSTS file is just the incorrect way to do it.

Perhaps this would work;

/* IE: file://c:/windows/proxy.pac */

function FindProxyForURL(url, host) {

	// Sites that we allow
	if (host.match(/^(\w*\.)*microsoft\.(com|org)$/)) { return "DIRECT"; }
	if (shExpMatch(host, "*.windowsupdate.com")) { return "DIRECT"; }
	if (host.match(/^(\w*\.)*mozilla\.(com|org)$/)) { return "DIRECT"; }
	if (host.match(/^(\w*\.)*getfirefox\.com$/)) { return "DIRECT"; }

	// Allow local hosts (names without a dot)
	if (isPlainHostName(host)) { return "DIRECT"; }

	// Allow loopback
	if (isInNet(host, "127.0.0.0", "255.0.0.0")) { return "DIRECT"; }

	// Allow sites on the local network
	if (isInNet(host, "192.168.0.0", "255.255.0.0")) { return "DIRECT"; }
	if (isInNet(host, "10.0.0.0", "255.0.0.0")) { return "DIRECT"; }

	// Block all other sites by sending them to a proxy that nothing listens on
	// alert("Due to security reasons Internet Explorer is disabled, please use Mozilla Firefox.");
	return "PROXY 0.0.0.0:8080";
}

Too bad you can't write IP ranges as CIDR, like 192.168.0.0/16 and 127.0.0.0/8.

Too bad it seems there are only three return values for the FindProxyForURL() function: "DIRECT", "PROXY" and "SOCKS". It would be nice to have a "BLOCK" or "DENY".

Save the above code as proxy.pac in the Windows directory or something.

Internet Explorer -> Tools -> Internet Options -> Connections -> LAN settings. Then select "Use automatic configuration script" and type in: "file://c:/Windows/proxy.pac" (without the quotes).

Good if you want to prevent your siblings, friends, family, or guests from using Internet Explorer to browse the web with, and accidentally get infected with something.

Posted

Neat!

Microsoft KB articles (KB836961 for example) generally recommend the following URLs to be put in the Trusted Zone in order to access WU:

• https://*.microsoft.com
• https://download.windowsupdate.com
• https://update.microsoft.com/windowsupdate
• http://*.update.microsoft.com
• https://*.update.microsoft.com
• http://download.windowsupdate.com

I'm not very good with Regular Expressions, but I'm trying to match update.microsoft.com/windowsupdate against:

(host.match(/^(\w*\.)*microsoft\.(com|org)$/))

I understand the start-of-line & end-of-line parts OK, but I'm a bit lost in the middle. Also, is that a typo at the end of:

(host.match(/^(\w*\.)*getfirefox\.coMS/))

Apologies if it is not, but what does it mean?

You might also want to match www.mozilla-europe.org which is used round here (it downloads from download.mozilla.org though).

Once the shortcuts are removed from the Desktop and Quick Launch bar, this PAC file should make it quite difficult to use IE instead of FF. Thanks for filling-out the idea.


Posted

Yeah, I read some article about which domains to unblock. The regular expressions allow anything from the microsoft.com and windowsupdate.com domains.

\ is an escape character, which is used as \. to make it a real dot, because just a dot would be interpreted as any character in regular expressions.

\w means any word-like character, such as a-z and 0-9.

(com|org) means to match both .com and .org.

No, it is not a typo. It is supposed to be com$. But apparently Tarun has configured the forum to automatically replace it with MS, because some people refer to Microsoft with an M and a $ instead of an S. Thanks for spotting it though.

It should be /^(\w*\.)*getfirefox\.com$/

Regular expressions are within / and /.

^ is the start of matching.

$ is the end of matching.

If you don't like the regular expressions, you can use two shExpMatch() instead.

// PAC files are JavaScript, so the boolean "or" is written ||
if (shExpMatch(host, "microsoft.com") || shExpMatch(host, "*.microsoft.com")) { return "DIRECT"; }

if (shExpMatch(host, "windowsupdate.com") || shExpMatch(host, "*.windowsupdate.com")) { return "DIRECT"; }
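Added here as an illustration of the two allow-list styles in this thread (the regex PAC file above and the shExpMatch form in this reply), not code from the forum. The PAC helpers are minimal stand-ins written for this example (a real isInNet resolves the host over DNS; this one only accepts an IP literal), and the hostnames are constructed.

```javascript
// Minimal stand-ins for the helpers a browser's PAC engine provides (assumed
// simplifications, not the real implementations): shExpMatch is a glob match,
// isInNet only accepts a dotted-quad literal instead of resolving the host.
function shExpMatch(str, glob) {
  const body = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                   .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + body + "$").test(str);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function ipToInt(ip) { return ip.split(".").reduce((n, o) => n * 256 + Number(o), 0) >>> 0; }
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false; // no DNS lookup here
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
const BLACKHOLE = "PROXY 0.0.0.0:8080"; // nothing listens there, so the request dies
// The thread's allow list, with the regex form and the shExpMatch form side by
// side; everything that is not matched is sent to the black-hole proxy.
function FindProxyForURL(url, host) {
  if (host.match(/^(\w*\.)*microsoft\.(com|org)$/)) return "DIRECT";
  if (shExpMatch(host, "windowsupdate.com") ||
      shExpMatch(host, "*.windowsupdate.com")) return "DIRECT";
  if (host.match(/^(\w*\.)*mozilla\.(com|org)$/)) return "DIRECT";
  if (isPlainHostName(host)) return "DIRECT";             // intranet names
  if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  return BLACKHOLE;
}
// Evaluate the policy for a list of hostnames; PAC decides on the host, so the
// URL path (e.g. /windowsupdate) never influences the result.
function decide(hosts) {
  const out = {};
  for (const h of hosts) out[h] = FindProxyForURL("http://" + h + "/windowsupdate", h);
  return out;
}
// Constructed hostnames covering the cases raised in the thread.
const SAMPLE_HOSTS = [
  "update.microsoft.com",        // allowed by the regex
  "download.windowsupdate.com",  // allowed by shExpMatch
  "www.mozilla-europe.org",      // hyphen is not \w, so the regex rejects it
  "evilmicrosoft.com",           // anchors and the literal dot keep this out
  "microsoft.com.example.net",   // suffix anchor keeps this out too
  "192.168.1.10",                // LAN address literal
  "localhost",                   // plain host name
];
console.log(decide(SAMPLE_HOSTS));
```

Note that a glob without the dot, such as "*microsoft.com", would also match evilmicrosoft.com, which is why both forms in the thread keep the dot in the pattern.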

Administrator
Posted

I fixed your post and made a change to the filter. If it still happens let me know.

Posted

Thanks for the explanation, Eldmannen. My mistake was to read \w as an actual "w" and not as [A-Za-z0-9_]. So I was reading it as "zero or more of w" which is obviously wrong. Correcting the auto-correction on the board helps as well!


Posted

> Thanks for the explanation, Eldmannen. My mistake was to read \w as an actual "w" and not as [A-Za-z0-9_]. So I was reading it as "zero or more of w" which is obviously wrong. Correcting the auto-correction on the board helps as well!

Here you can read about regular expressions:

* http://www.php.net/manual/en/regexp.reference.php

Although you seem to know them pretty well.

Regular expressions can be very handy and useful, but they can be pretty difficult to construct and understand.

2 weeks later...
Posted

Not only does configuring IE to use a PAC file affect IE, but it also affects other applications.

I guess other stuff uses the PAC setting from IE too. Perhaps the WinHTTP API or something. For example, Google Earth is unable to connect to its servers or check for updates.

Posted

I know it is used by MBSA (Microsoft Baseline Security Analyzer) but since Microsoft URLs are allowed, that makes no difference.

Is Google Earth just trying to connect to Google.com or somewhere else?

Posted

> I know it is used by MBSA (Microsoft Baseline Security Analyzer) but since Microsoft URLs are allowed, that makes no difference.
>
> Is Google Earth just trying to connect to Google.com or somewhere else?

Not sure.

Either way, there are many applications which rely on the proxy settings in Internet Explorer. So using a PAC file might not be such a good idea.

3 weeks later...
Posted

I raised the security zone level to high.

Internet Explorer on Windows Server has this nice functionality called "Internet Explorer Enhanced Security Configuration" enabled by default, which prevents IE from being used.

I wish Windows XP had it too...

Posted

Now I noticed that changing the security zone level to high in Internet Explorer affects it system-wide, so then you can't download stuff with Firefox either.

I just wish Microsoft would ditch ActiveX, and make it possible to uninstall Internet Explorer.

Posted

I had forgotten that Firefox 3 introduced this new "feature". Some users are really annoyed that Firefox depends on an IE zone setting. There's something about it in mozillazine given as background information to users who are having download problems and need to reset it.

As I understand it, you need FF 3.1 Beta 2, or higher, to disable this. If anyone has any better information I would be interested to hear about it.


Posted

The Internet Explorer settings are the same settings as the "Internet Options" applet in the control panel. Being located in the control panel and not having an IE-specific icon, it indicates that it is a system-wide setting.

Though it is strange that you change a system-wide setting from within an application, so you think it's an application-specific setting.

So it is diffuse...
