Re: Local policy, IE and SP2...
From: KM (konstmor_at_nospam_yahoo.com)
Date: 02/22/05
- Next message: KM: "Re: DOK USB Boot -> 7B Error"
- Previous message: Matt Kellner \(MS\): "Re: Internet Kiosk image + extras. Advice please"
- In reply to: YaronM: "Re: Local policy, IE and SP2..."
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 21 Feb 2005 17:49:36 -0800
YaronM,
Assuming that when you load/unload the user hive properly, your approach should work with SP1 and SP2.
I am not sure why it is failing with SP2. I doubt it is a missing dependency issue but rather some internal default Explorer
policies have changed for SP2 (would be interesting to know).
I'd suggest you to test the policies on your image without switching between Shells first. Just stick with Explorer. If you
successful there, you can move forward to your scheme.
Let us know what you find out.
--
Regards,
KM, BSquare Corp.
PS. I agree with you about IE. It is definitely not an "embedded application".
Although you always have a choice to switch to use WebBrowser2 interface instead and provide your own absolutely custom UI and lock
down the shell as much as you want.
> Hi KM,
>
> The procedure I'm using includes a small utility I created that configures
> the type of shell for each user profile.
> The "shell-configurator" allows you to choose between the MS-Explorer and
> our custom-shell. after you choose, it loads the ntuser.dat hive from the
> user's profile folder to the
> registry (to a "saltemp" hive under hkey_users). then I do a "reg import"
> command to import the policy.reg (attached as a txt file).
> the policies are intended to make the user use the IE for internet browsing
> only and to be able to run specific shortcuts on the user's desktop.
> besides the policies, the user's shell is also configured in the windows
> nt\winlogon key as described in the MS-article of "different shell for each
> user...".
> the hive is then unloaded and the user can log-in using his chosen shell.
> needless to say that I commit the changes in the EWF before restarting.
>
> I used this procedure perfectly under SP1 with no changes. I now run it
> under SP2 and all of the policies are active besides the NoViewOnDrive that
> still enables access to drive C.
> oddly, I do get an Access denied on drive Z..
> I also seen it works on XPPro-SP2 and that's what keeps me searching for
> clues..
>
> I will try to find some other solutions and maybe include some NTFS
> permissions too. I will also check the option of using the stronger sister
> of DisallowRun- the "Only run these specific..." and maybe this will help me
> out.
>
> I still think MS makes our life much more difficult because of the IE
> integration so deep in the OS environment. things could have been much
> easier if I could get a decent browser-only application (and I'm not
> reffering to the opensource-alternative "F" word :))).
>
> Thanks for your help.
>
> YaronM
>
>
>
> "KM" <konstmor@nospam_yahoo.com> wrote in message
> news:O2gKfLFGFHA.1348@TK2MSFTNGP14.phx.gbl...
> > YaronM,
> >
> > I must mention here that I rarely use GPEdit and almost always I change
> > the Explorer or System policies through registry.
> > The same I did for those tests I mentioned for SP2. As I said earlier, the
> > NoViewOnDrive worked just fine for me.
> > Could you write for us the steps you did exactly (including logoff's and
> > reboot's)?
> >
> > However, this is true - those policies will not allow you to lock user
> > accounts from launching applications from hidden drives.
> > That is where the DisallowRun can help you. I checked - it worked fine for
> > me on XP Pro SP2. Therefore it will work on XPe SP2 too.
> >
> > Although I must admit, locking some applications through NTFS permissions
> > may be a better idea.
> >
> > If you really want to lock down the OS you may want to take a look at some
> > 3rd party solutions. E.g., Sygate agent will allow you to
> > lock down user account(s) to allow the launch of only particular
> > applications. There is an XPe version of Sygate client available.
> >
> > --
> > Regards,
> > KM, BSquare Corp.
> >
> >
> >> Hi,
> >>
> >> I am using different shells for each user. I use the Explorer.exe for the
> >> administrator and my custom shell for the user.
> >> I have two problems:
> >> 1. the policy NoViewOnDrive only works if I use it through gpedit.msc and
> >> not if I set it manually in the user's hive (NTuser.dat in his profile).
> >> by locking through gpedit.msc I am limited because it can affect the
> >> admin account also and I need to use workarounds such as NTFS deny on the
> >> GroupPolicy folder or the
> >> registry.pol and it is very inconvenient to administer and maintain.
> >> in SP1 the manual setting in the user's registry hive worked fine and
> >> now in SP2, Windows is ignoring the registry settings and just let the
> >> user
> >> access the drive's content.
> >> 2. even when using the above policy, the user can still write a full path
> >> to
> >> a file in the IE address-bar and launch it. for example,
> >> C:\WINDOWS\NOTEPAD.EXE. only if I prevented running the specific file or
> >> locked it using NTFS CALS then the file will be locked. but this means
> >> changing all the system's default permissions on all files and I can't
> >> even
> >> imagine what problems could come from such an approach.
> >>
> >> I basically need to turn IE into an "Internet Browser Only Mode" without
> >> any
> >> local access to files and folders (if such a thing even exist...).
> >>
> >> Thanks,
> >>
> >> YaronM
> >>
> >>
> >>
> >> "KM" <konstmor@nospam_yahoo.com> wrote in message
> >> news:uqlIFx%23FFHA.1456@TK2MSFTNGP09.phx.gbl...
> >> > YaronM,
> >> >
> >> > I haven't tried the DisallowRun policy on SP2 but NoViewOnDrive and
> >> > NoDrives worked for me just fine.
> >> >
> >> > As you know the NoDrives key would only "hide" the specified drives in
> >> > My
> >> > Computer folder (user can still type a hidden drive name or a folder on
> >> > that drive and can navigate there). However, if the NoViewOnDrive would
> >> > disallow the user to go into any folder of the restricted drive and on
> >> > typing in the Explorer address bar user would see an error message
> >> > saying
> >> > something about the policies set up.
> >> >
> >> > That worked for me on XP Pro SP2 and XPe SP2.
> >> >
> >> > KM
> >> >
> >> >> Hi,
> >> >>
> >> >> I've been working with local security policies since SP1 and used many
> >> >> registry tweaks to lock-down the user's desktop.
> >> >> now, after I upgraded my builds to SP2 level, I'm getting some strange
> >> >> behaviour from Windows.
> >> >>
> >> >> My purpose is to lock the user's access to the local drive (i.e. C:
> >> >> Flash
> >> >> and Z: Ram-disk). that way, the user can only browse the internet
> >> >> using
> >> >> IE and launching application using my custom-shell.
> >> >> I've used the following reg-policies on the HKCU to prevent access for
> >> >> the user only (not the admin account):
> >> >>
> >> >> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
> >> >> "DisallowRun"=dword:00000001
> >> >> "NoViewOnDrive"=dword:67108863
> >> >> "NoDrives"=dword:67108863
> >> >>
> >> >> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
> >> >> "1"="ewfmgr.exe"
> >> >> "2"="mmc.exe"
> >> >> "3"="musrmgr.exe"
> >> >> "4"="tweakui.exe"
> >> >> "5"="explorer.exe"
> >> >>
> >> >>
> >> >> the number 67108863 represent "all drives". the problem is that on
> >> >> SP1,
> >> >> when a user launched IE and on the address-bar entered C:\ or some
> >> >> sort
> >> >> of a local path- it gave him "access denied" errors. now, in SP2 if I
> >> >> type C:\ it doesn't allow but if I launch c:\windows it does... :((
> >> >> (P.S. I tried setting the number that represnt C+Z only.. same
> >> >> behaviour).
> >> >>
> >> >> maybe I am looking in the wrong direction.. is there a way to turn IE
> >> >> to
> >> >> be an Internet-Browser only, without having this irritating synergy
> >> >> with
> >> >> the Explorer shell ?
> >> >>
> >> >> just a thought: maybe I could rename explorer.exe to MSshell.exe and
> >> >> set
> >> >> it to be the admin's defeault shell, that way in the user's session
> >> >> the
> >> >> IE will not find it...
> >> >>
> >> >> anyways, if anyone could share it's expirience I will be most thankful
> >> >> !
> >> >>
> >> >> Cheers,
> >> >>
> >> >> YaronM
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>
>
- Next message: KM: "Re: DOK USB Boot -> 7B Error"
- Previous message: Matt Kellner \(MS\): "Re: Internet Kiosk image + extras. Advice please"
- In reply to: YaronM: "Re: Local policy, IE and SP2..."
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
