Due to the fact that we are rolling out all new PCs with Windows 2000, and Internet Explorer is an integral part of this system (no matter what Microsoft told the courts), we needed to be able to turn off or disable Internet Explorer for several thousand users, in several different states and locations. The solution needed to be very flexible and easily deployed and managed. This is the solution that I presented and we are currently rolling out as the testing is completed.
These registry settings work in both NT4 and Windows 2000. They can be distributed at start up and set to "Force Run," "Distribute Always" and "Install Only" (no executable needed). This works well in Novell or Active Directory.
That way if a person with Internet access privileges logs onto a PC, the registry is configured to allow them access to the Internet. If another person logs on to the same PC without Internet access rights, the registry is automatically adjusted to prevent Internet access.
Below are the exact registry settings and their values:
"ProxyOverride"="Do not use proxy server for addresses beginning with:" (ie.. http://www.msn.com;http://www.searchwin2000)
"ProxyOverrideText"="Separate multiple addresses with a semi-colon."
[HKEY_CURRENT_USER\SoftwarePolicies\MicrosoftInternet\ ExplorerControl Panel]
Because we have specified 0.0.0.0:80 as the proxy server, any Internet access will be immediately rejected. By specifying this address for every type of protocol, the proxy address will not be displayed in the proxy settings tab. The last entry in the registry file prevents users from changing the proxy settings in the Control Panel or in Internet Explorers Internet Options.
We set up several different Group Policies, as some departments need to be able to access a couple of different Web sites for information databases. By adding the beginning of the URL, they are allowed to access into the "ProxyOverride" key. These users can access any content on these Web sites as long as it stays within that domain. If they click a link or attempt to go to another Web site, the access is immediately denied.
Other settings that can be used to further restict user interference:
[HKEY_CURRENT_USER\SoftwarePolicies\MicrosoftInternet\ ExplorerRestrictions: Each DWORD value must be set to 1 to be enabled or 0 to restrict.
"NoFileOpen"= Disables open command on file menu, CTL+O, and CTL+L.
"NoFileView"= Disables FileNewWindow, CTL+N"
"NoBrowserSaveAs"= Disables SAVE and SAVE AS in the file menu.
"NoFavorites"= No Favorites menu, adding to favorites, or organizing favorites.
"NoSelectDownloadDir"= Prevents user from being able to select a download folder by not displaying the Save As dialog box when a file is downloaded.
"NoBrowserContextMenu"= Disables HTML context menu when right clicking web page to get IE properties.
"NoBrowserClose"= Disables ALT+F4.
"NoTheaterMode"= Disables F11 key.
"NoBrowserOptions"= Disables Internet Options on the tools menu (disables changing browser settings).
This was first published in October 2001