Disable 'Run > iexplore' ??

[westin]

I have been searching AO, and Google for a way to block 'Start > Run > IExplore' ... So far I have not come up with much, other than deleting or renaming IExplore.exe ... I was wondering if anyone could offer any suggestions. Is there a PATH statement I can delete ... This would be on Win2K. I appreciate any ideas/suggestions

Westin

[SirDice]

http://technet.microsoft.com/en-us/l.../bb457006.aspx
That's for XP but most of the policy restrictions work on W2K too.


Mind you, this would also prevent the user from using Internet Explorer...
Not sure why you would want to do this or what you're trying to accomplish.

[nihil]

Hi westin,

I agree with SirDice. We might be able to come up with other solutions if you tell us a bit more about your end objective.

I am intrigued by:

a way to block 'Start > Run > IExplore

That sounds as if you have something specific in mind?

Questions that come to mind:are you trying to do this by:

1. User/ user groups?
2. Hardware instances?

Also:

3. Do you want "start" available?
4. Do you want "run" available?
5. Are you trying to block net browsing?
6. Do you want to force the use of an alternative browser?

and so on......................

[Nokia]

You can disable the run prompt via gpedit.msc - (run it from the run prompt - or a command prompt) if you just want to prevent IE from being run via the run prompt but this won't stop it being ran from the command line or a BAT file etc

(I'm going to for most instances of the word run in one post by the way)

There are better ways to remove IE or to render it unusable to be more exact.

Via BAT file:

Code:

@echo off 
C: 
cd "\Program Files\Internet Explorer" 
if not exist IEXPLORE.EXE goto End 
if exist IEXPLORE.EX_ del IEXPLORE.EX_ 
if not exist IEXPLORE.DIR md IEXPLORE.DIR 
if not exist IEXPLORE.DIR goto End 
attrib -r -h -s IEXPLORE.EXE 
ren IEXPLORE.EXE IEXPLORE.EX_ 
if exist IEXPLORE.EXE goto End 
ren IEXPLORE.DIR IEXPLORE.EXE 
echo IE disabled. 
echo If prompted, click "Cancel" then "Yes" on File Protection restore. 
echo Run enable-ie.bat to allow IE to run again. 
:End

To enable it again via BAT file:

Code:

@echo off 
C: 
cd "\Program Files\Internet Explorer" 
if not exist IEXPLORE.EX_ goto End 
if not exist IEXPLORE.EXE goto Activate 
attrib -r -h -s IEXPLORE.EXE 
rd IEXPLORE.EXE 
if exist IEXPLORE.EXE del IEXPLORE.EXE 
:Activate 
ren IEXPLORE.EX_ IEXPLORE.EXE 
echo IE enabled. 
:End

( I have set these as logon / logoff scripts to prevent certain users from using IE...)

You can do it via a Group Policy Object if you are on a domain

You can set IE to use a proxy and enter 0.0.0.0 on port 00 to stop it getting onto the Internet (if the user has local admin rights then they will be able to change this back again)

The MS method is to set the IEAccess=off switch in the Unattend.txt file in WIndows XP to disable IE but leave all the code intact so services that rely on it can still function - such as Automatic Windows Updates.....

You can also do it via the control panel: from HERE

Navigate to the Control Panel by clicking on Start, followed by Control Panel (or Settings and then Control Panel, depending on how you're setup).

In the Control Panel window, open Add or Remove Programs.

Note: In Microsoft Windows XP, depending on how your operating system is setup, you may not see the Add or Remove Programs icon. To correct this, click on the link on the left-hand side of the Control Panel window that says Switch to Classic View.

In the Add or Remove Programs window, click on the Set Program Access and Defaults button on the menu on the left.

Choose the Custom option in the Choose a configuration: area.

Click OK. Windows XP will apply your changes and the Add or Remove Programs window will close automatically.

If you do not want to disable IE then ignore all of the above

[westin]

wow. thanks for the quick replies. I work for a bottle shoppe [fancy name for a liquor store] ... my boss wanted a way to restrict IE access, but did not want to block it completely... I know there are a ton of ways to prevent access to IE, but he wanted me to do it in a way that there were no major changes to the way we log in, or the general setup of the computers. So I figure I will go with a security through obscurity approach. I wrote a small program in VB.NET that just uses an IF/THEN statement to check the "password", then opens up IExplore.exe ... I removed the shortcut for IE from the desktop and start menu. So far this seems to be working. Like I said, I know there are a lot more thorough ways of doing this, but with the group of people I work with, you could change the color of the e from blue to red, and they would never find it. Disabling IE from opening through the run command is just one more precaution.

[WolfeTone]

What if somebody opens up "My Computer" and types www.google.com???

[westin]

What if somebody opens up "My Computer" and types www.google.com???

*L* good point. I could probably hide the address bar in "My Computer" and that would eliminate 90% of the other employees ever even thinking about trying that. I wish I could explain all of the circumstances... Most of the people I work with think a computer is just a myspace machine. We are trying to prevent those people from accessing the internet. To make matters worse, I am not the one in charge of the network. They are using the people that installed their POS/Inventory software. The same people that insist that we need to have the entire C drive shared with Read AND Write permissions, on every computer in the building. I am sure you can imagine some problems with this setup. Files that are supposed to be accessed only through the software suite with the manager's password, are open to anyone with access to "My Computer" or "My Network Places"... it has been this way for several years, and I am the only person to ever question the logic of this setup... sorry I am getting carried away here... back to my point ... I think as far as IE access goes, blocking the easy routes to the browser will be enough.

Thanks again for the quick, and informational responses.

[Nokia]

It sounds like folks using the Internet is the least of your worries

[westin]

It sounds like folks using the Internet is the least of your worries

you are exactly right... but many warnings have fallen on deaf ears... seems kind of like the cassandra complex ... I am just glad that I am the only one that has noticed this huge privacy invasion... [that I know of at least] ... I am almost afraid to say anything about it... I would not be surprised if I was terminated for bringing this to the owners attention. I have discovered some pretty sensitive information. someone could actually change their rate of pay, or have access to all of the employees SSNs, DOBs, rate of pay, alarm codes etc... I would love to help my co-workers by pointing this problem out, but quite frankly I am scared. if any of you have any advice on how to approach this, I would appreciate any advice. this has turned from a simple discussion on disabling the run command for a specific application to a sort of ethics issue, I hope you don't mind. All of this has sort of come to a head in the last couple of days...

westin

[morganlefay]

Well...

I would down load\find what your privacy laws are in your region...highlight where the company is in violation...and present it to the owner of the company...cause ultimately...its his a$$ on the line..here in Canada anyway.

and if you find your personal info is available to anyone and everyone...and you get fired....sue them for breach of privacy

You could do it anonymously...I guess.

MLF