Solved

Disable Open in Download File from Internet Explorer

Posted on 2003-11-11
29
8,417 Views
Last Modified: 2013-12-04
Using a Win2k server to configure policies for our domain.  We have been able to successfully stop a user from saving the file, but we can't find a way to disable the "open" button.  Is there a way to do that?   (Script or Configuration setting will work.)

PLEASE HELP!  

(In general, when you try to download a file, we don't want them to be able to say "open")

Thanks in advance.
0
Comment
Question by:Kyle Abrahams
29 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9726378
Not sure if this would solve

open IE
go to tools --> Internet options ---> advanced and under browsing
uncheck "notify when downloads complete"

By this what would happen is downloads won't give that dialog box to open the file. It will basically close ...

Sunray
0
 
LVL 5

Expert Comment

by:juliancrawford
ID: 9726414
As far as I'm aware this CANNOT be done.

Sometimes the correct answer is not the one that you want to hear :)
0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 9726997
Yes! You can do more than that, but by using Group Policy.
0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 9727126
HOW TO: Administer GPOs in Windows 2000
This article was previously published under Q322143
SUMMARY
This article describes how to administer Group Policy objects (GPOs) in a Windows 2000-based environment. You must be a member of the Administrators group on a computer that is running Windows 2000 Advanced Server to perform the tasks that are described in this article. Policy settings are stored in GPOs. You may find it helpful to think of the Group Policy snap-in as a program that creates GPOs, in the same way that a word processor creates .doc or .txt files. There are two kinds of GPOs:
Nonlocal GPOs: These GPOs are stored on a domain controller and are available only in an Active Directory environment. They apply to users and computers in the site, domain, or organizational unit with which the GPO is associated.
Local GPOs: These GPOs are stored on each computer that is running Windows 2000. Only one local GPO exists on a computer, and it has a subset of the settings available in a nonlocal GPO. Local GPO settings can be overwritten by nonlocal settings if the GPOs conflict with each other; otherwise, both GPOs apply.
How to Open Group Policy as a Standalone Snap-in
Click Start, click Run, type mmc, and then click OK.
On the Console menu, click Add/Remove Snap-in.
On the Standalone tab, click Add.
Click Group Policy, and then click Add.
Either click Local Computer to edit the local GPO or locate the GPO that you want to edit.
Click Finish, and then click OK.
How to Edit a GPO
Start the Group Policy snap-in.
Expand the GPO that you want to edit.
In the details pane, double-click the item that you want to change, and then change the appropriate settings.

NOTE: You must have Read and Write permissions on a GPO to open it.
If you change a GPO, the changes are applied immediately. Therefore, you may want to disable the GPO while you are editing it. For information about how to disable a GPO, see the "How to Disable GPOs" section in this article.

How to Edit the Local GPO
Each computer that is running Windows 2000 has exactly one local GPO that is using these objects. You can store Group Policy settings on individual computers regardless of whether they are part of an Active Directory environment or part of a networked environment.

Because GPOs that are associated with sites, domains, and organizational units can overwrite the local GPO settings, the local GPO is the least influential GPO in an Active Directory environment. In a non-networked environment (or in a networked environment that does not have a Windows 2000-based domain controller), the local GPO settings are more important because other GPOs do not overwrite the local GPO settings.

To open Group Policy to edit the local GPO:
Click Start, click Run, type gpedit.msc, and then click OK.
In the left pane, expand the GPO that you want to edit.
Double-click the item in the right pane, and then change the appropriate settings.
How to Create a New GPO
To create a GPO that is linked to a domain or an organizational unit, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

Alternatively, to create a GPO that is linked to a site, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
In the console, right-click either the site, the domain, or the organizational unit to which you want to link the GPO that you create. (The GPO is stored in the current domain.)
Click Properties, and then click the Group Policy tab.
Click New, type a name for the GPO, and then click Close.
NOTE: By default, the GPO that you create is linked to the site, the domain, or the organizational unit that was selected in the snap-in when the GPO was created. Therefore, the GPO's settings apply to that site, domain, or organizational unit. You might want to remove the link to the GPO from the site, the domain, or the organizational unit so that its settings are not applied.

How to Delete a GPO
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the domain or any organizational unit in the domain.
Click Properties, and then click the Group Policy tab.
To find all of the GPOs that are stored in the domain, click Add, and then click the All tab.
Right-click the GPO that you want to delete, and then click Delete.
When you are prompted to confirm that you want to delete this GPO, click Yes, and then click OK.
NOTE: When you delete a GPO, any sites, domains, or organizational units to which the GPO is linked are no longer affected by the GPO. You may want to disable the GPO instead of deleting it.

How to Link a GPO to a Site, a Domain, or an Organizational Unit
To link a GPO to a domain or an organizational unit, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

Alternatively, to link a GPO to a site, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
Right-click the site, the domain, or the organizational unit to which the GPO should be linked.
Click Properties, and then click the Group Policy tab.
To add the GPO to the Group Policy object Links list, click Add.
Click the All tab, click the GPO that you want to add, click OK, and then click OK.
NOTE: You link a GPO to specify that its settings apply to users and computers in the site, the domain, or the organizational unit, and to users and computers in Active Directory containers that inherit data from the site, the domain, or the organizational unit.

How to Block Policy Inheritance
To block policy inheritance in a site, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

Alternatively, to block policy inheritance in a domain or organizational unit, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the site, the domain, or the organizational unit in which you want to block Group Policy inheritance, and then click Properties.
Click the Group Policy tab, make sure the Block Policy inheritance check box is selected, and then click OK.
NOTE: The Block Policy inheritance setting blocks GPOs that are higher in the Active Directory hierarchy of sites, domains, and organizational units. This setting does not block GPOs if they have the No Override setting selected.

The Block Policy inheritance setting is set only on sites, domains, and organizational units, and not on individual GPOs.

How to Disable a GPO for a Site, a Domain, or an Organizational Unit
To disable a GPO for a domain or an organizational unit, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

Alternatively, to disable a GPO for a site, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
Right-click the site, the domain, or the organizational unit from which you want to remove the link to the GPO.

After you remove the link, the GPO is disabled for that site, domain, or organizational unit.
Click Properties, and then click the Group Policy tab.
Select the GPO that you want to disable, and then click Delete.
Make sure Remove the link from the list is selected, and then click OK.
IMPORTANT: If you click Remove the link from the list to delete the GPO permanently, all of the sites, the domains, and the organizational units to which the GPO is linked no longer have those Group Policy settings applied to them.

How to Prevent a GPO from Being Overridden
For a GPO linked to a domain or an organizational unit, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

Alternatively, for a GPO linked to a site, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the site, the domain, or the organizational unit to which the GPO is linked.
Click Properties, and then click the Group Policy tab.
Right-click the GPO link you want to prevent from being overridden, click No Override on the Context menu, and then click OK.

The No Override state is changed to Active, and a check mark appears in the No Override column.
NOTE: If you set No Override on a GPO link, all the Group Policy settings are not overridden for all users or computers in the site, the domain, or the organizational unit, and on all users and computers in Active Directory containers that inherit Group Policy from it. Group Policy settings that have the No Override setting cannot be blocked.

The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server


http://support.microsoft.com/default.aspx?scid=kb;en-us;322143
0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 9727646
sun_ray:
I'm talking about prior to saving the file.  We don't want them downloading anything.  We have been successful in preventing them from saving, but if you click open rather than save to disk, it will download and launch, circumventing what we're trying to do.

NADIR:

Please note we are doing this in active directory.  We want to specify for a specific OU that they may not open a file.  I'll take a look at the group policies as I need to be at the server to configure.  Can you provide any more information on where to specifically find the switch to not allow them to click open?
0
 
LVL 2

Expert Comment

by:Mihailo
ID: 9727702
For internet security zone (3)  - all sites.

User Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
System Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Value Name: 1803
Data Type: REG_DWORD
Value Data: (0 = downloads enabled, 3 = downloads disabled)

You can do it for every zone, just change the number at the end of the registry key (like Zones\2 - trusted, Zones\1 - intranet ...)
0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 9728275
okay, but now I have to effect the registry by either a script or using the active directory, how do I do that?
0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 9732666

Dim objShell, RegKey

' WScript.Shell provides RegWrite for registry edits
Set objShell = CreateObject("WScript.Shell")

' 1803 = File Download; 3 = disabled. Written here for zones 0 and 2 of the current user.
RegKey = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1803"
objShell.RegWrite RegKey, 3, "REG_DWORD"
RegKey = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1803"
objShell.RegWrite RegKey, 3, "REG_DWORD"


the vbs script to change the registry.

Mihailo, nice answer, where you pull that from?  (Like how do I find what values each one of those are.)

(IE: zone 3 is all sites, 1803 is the setting I need to change)


0
 
LVL 2

Assisted Solution

by:Mihailo
Mihailo earned 250 total points
ID: 9732988
http://lists.nas.nasa.gov/archives/ext/bugtraq/1998/08/msg00183.html

 Zone    0   My computer
         1   Intranet
         2   Trusted Sites
         3   Internet
         4   Restricted Sites

   Values
       For Enabled/Disabled/Prompt
           0x0 Enabled
           0x1 Prompt
           0x3 Disabled
           # 0x2 is unknown

  Keys under \...\Internet Settings\Zones\(Zone)
       ActiveX controls and Plugins Section
           1004    "Download unsigned ActiveX controls"
           1405    "Script ActiveX controls marked safe for scripting"
           1201    "Initialize and script ActiveX controls not
                       marked as safe"
           1001    "Download signed ActiveX controls"
           1200    "Run ActiveX controls and plugins"
       User Authentication Section
           1A00    Logon
                   0x10000 Prompt
                   0x0     Automatic
                   0x20000 Automatic in intranet
                   0x30000 Anonymous login
       Downloads
           1604    Font Download
           1803    File Download
       Java
           1C00    Java Permissions
                0x30000       Low
                0x20000       medium
                0x10000       high
                0x80000       Custom
                0x0           disable
                # Custom is not sub-enumerated here.

       Miscellaneous
           1E05    Software Channel Permissions
                   Low, medium, high per Java Permissions
           1804    Launching applications and files in an IFRAME
           1800    Installation of Desktop Items
           1601    Submit non-encrypted form data
           1802    drag and drop or copy and paste files
                   All use Prompt, enable, disable standard
       Scripting
           1402    Scripting of Java applets
           1400    Active Scripting
                   Both use Prompt, enable, disable standard
0
 
LVL 2

Expert Comment

by:Mihailo
ID: 9733033
http://support.microsoft.com:80/support/kb/articles/Q182/5/69.ASP&NoWebContent=1

Description of Internet Explorer Security Zones Registry Entries
This article was previously published under Q182569
SUMMARY
This document describes how and where Internet Explorer security zones and privacy settings are stored and managed in the registry.
MORE INFORMATION
Internet Explorer 6 Privacy
Internet Explorer 6 added a Privacy tab to give users more control over cookies. There are different levels of privacy on the Internet zone and they are stored in the registry at the same location as the security zones.

You can also add a site to allow or block cookies based on the site, regardless of the privacy policy on the Web site, those registry keys are stored here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
Listed under this key are domains that have been added as a managed site. The possible DWORD values for these domains are as follows:

0x00000005 - Always Block
0x00000001 - Always Allow
Internet Explorer 4.x, 5, and 6
Internet Explorer security zones settings are stored under the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
These registry keys contain the following keys:

    * TemplatePolicies
    * ZoneMap
    * Zones

NOTE: Security zones settings are stored in the HKEY_CURRENT_USER registry key. Because this key is dynamically loaded for each user, the settings for one user do not affect the settings of another. The local computer settings are only used if the following DWORD value is present and has a value of 1:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
When this DWORD value is set to 1, computer settings are used instead of user settings. For example, HKEY_LOCAL_MACHINE is read instead of HKEY_CURRENT_USER and all users have the same security settings.
TemplatePolicies
The TemplatePolicies key determines the settings of the default security zone levels (Low, Medium Low, Medium, and High). While the security level settings can be changed from the default settings, there is no way to add additional security levels. The keys contain values that determine the setting for the security zone. Each key contains a Description string value and a Display Name string value that determine the text displayed on the Security tab for each security level.
ZoneMap
The ZoneMap key contains the following keys:

    * Domains
    * ProtocolDefaults
    * Ranges

The Domains key contains domains and protocols that have been added to change their behavior from the default behavior. When a domain is added, a key is added to the Domains key. Subdomains appear as keys under the domain to which they belong. Each key that lists a domain contains a DWORD with a value name of the affected protocol. The value of the DWORD is the same as the numeric value of the security zone to which the domain is added.

The ProtocolDefaults key specifies the default security zone used for a particular protocol (ftp, http, https). To change the default setting, you can either add a protocol to a security zone by clicking Add Sites on the Security tab, or you can add a DWORD value under the Domains key. The name of the DWORD value must match the protocol name, and it must not contain any colons (:) or slashes (/).

The ProtocolDefaults key also contains DWORD values that specify the default security zones in which a protocol is used. You cannot use the controls on the Security tab to change these values. This setting is used when a particular Web site does not fall in a security zone.

The Ranges key contains ranges of TCP/IP addresses. Each TCP/IP range that you specify appears in an arbitrarily named key. This key contains a string value (:Range) that contains the specified TCP/IP range. For each protocol, a DWORD value is added that contains the numeric value of the security zone for the specified IP range.

When the Urlmon.dll file uses the MapUrlToZone public function to resolve a particular URL to a security zone, it uses one of the following methods:

    * If the URL contains a fully qualified domain name (FQDN), then the Domains key is processed.

      In this method, an exact site match overrides a wildcard match.
    * If the URL contains an IP Address, then the Ranges key is processed. The IP address of the URL is compared to the :Range value that is contained in each of the arbitrarily named keys under the Ranges key.

      NOTE: Because arbitrarily named keys are processed in the order in which they were added to the registry, this method may find a wildcard before it finds an exact match. If this is the case, the URL may be executed in a different security zone than the one to which it is typically assigned. This behavior is by design.

Zones
The Zones key contains keys that represent each security zone defined for the computer. By default, the following five zones are defined (numbered zero through four):

   Value    Setting
   ------------------------------
   0        My Computer
   1        Local Intranet Zone
   2        Trusted sites Zone
   3        Internet Zone
   4        Restricted Sites Zone
                        

NOTE: My Computer does not appear in the Zone box on the Security tab.

Each of these keys contains the following DWORD values that represent corresponding settings on the custom Security tab:

NOTE: Unless stated otherwise, each DWORD value is equal to zero, one, or three. A setting of zero typically sets a specific action as being permitted, a setting of one causes a prompt to appear, and a setting of three prohibits the specific action.

   Value    Setting
   -----------------------------------------------------------------------
   1001     Download signed ActiveX controls
   1004     Download unsigned ActiveX controls
   1200     Run ActiveX controls and plug-ins
   1201     Initialize and script ActiveX controls not marked as safe
   1206     Unknown
   1400     Active scripting
   1402     Scripting of Java applets
   1405     Script ActiveX controls marked as safe for scripting
   1406     Access data sources across domains
   1407     Allow paste operations via script
   1601     Submit non-encrypted form data
   1604     Font download
   1605     Unknown
   1606     User Data persistence
   1607     Navigate sub-frames across different domains
   1608     Allow META REFRESH *
   1609     Display mixed content *
   1800     Installation of desktop items
   1802     Drag and drop or copy and paste of files
   1803     File Download
   1804     Launching programs and files in an IFRAME
   1805     Unknown
   1806     Launching applications and unsafe files
   1A00     Logon
   1A02     Allow persistent cookies that are stored on your computer
   1A03     Allow per-session cookies (not stored)
   1A04     Don't prompt for client certificate selection when no
            certificates or only one certificate exists *
   1A05     Allow 3rd party persistent cookies *
   1A06     Allow 3rd party session cookies *
   1A10     Privacy Settings *
   1E05     Software channel permissions
   1C00     Java permissions
   {AEBA21FA-782A-4A90-978D-B72164C80120}   First Party Cookie *
   {A8A88C49-5EB2-4990-A1A2-0876022C854F}   Third Party Cookie *

* indicates an Internet Explorer 6 or later setting
                        

Notes about 1200, 1803, 1A00, 1A10, 1E05, and 1C00:
Run ActiveX controls and plug-ins (1200) has an extra setting called Administrator approved; when this is checked the DWORD value is 00010000. When this value is turned on, the following registry key is checked for a list of approved controls:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls
There is no prompt setting for File Download (1803) because it is either allowed or not allowed.

Logon setting (1A00) has the following four possible values (hexadecimal):

Value    Setting
   ---------------------------------------------------------------
   0x00000000 Automatically logon with current username and password
   0x00010000 Prompt for user name and password
   0x00020000 Automatic logon only in the Intranet zone
   0x00030000 Anonymous logon
                        

Privacy Settings (1A10) is used by the privacy tab slider, DWORD values are:

Block All Cookies: 00000003
High: 00000001
Medium High: 00000001
Medium: 00000001
Low: 00000001
Accept all Cookies: 00000000
Software channel permissions (1E05) has 3 different values; high, low, and medium safety. Values for these are:

high: 00010000
medium: 00020000
low: 00030000
The Java Permissions setting (1C00) has the following five possible values (binary):

   Value    Setting
   -----------------------
   00 00 00 00 Disable Java
   00 00 01 00 High safety
   00 00 02 00 Medium safety
   00 00 03 00 Low safety
   00 00 80 00 Custom
                        

If Custom is selected, it uses {7839DA25-F5FE-11D0-883B-0080C726DCBB} (located in the same registry location) to store the custom information in a binary blob.

Each security zone contains the Description string value and the Display Name string value. The text of these values appears on the Security tab when you click a zone in the Zone box. There is also an Icon string value that sets the icon displayed for each zone. Except for the My Computer zone, each zone contains a CurrentLevel, MinLevel, and RecommendedLevel DWORD value. The MinLevel value sets the lowest setting that can be used before you receive a warning message, CurrentLevel is the current setting for the zone, and RecommendedLevel is the recommended level for the zone.

What values for Minlevel, RecommendedLevel, and CurrentLevel mean:

Value (Hexadecimal)        Setting
----------------------------------
0x00010000         Low Security
0x00010500         Medium Low Security
0x00011000         Medium Security
0x00012000         High Security
                        

The Flags DWORD value determines the ability of the user to modify the security zone's properties. To determine the Flags value, add the numbers of the appropriate settings together. The following Flags values are available (decimal):

   Value    Setting
   ------------------------------------------------------------------
   1        Allow changes to custom settings
   2        Allow users to add Web sites to this zone
   4        Require verified Web sites (https protocol)
   8        Include Web sites that bypass the proxy server
   16       Include Web sites not listed in other zones
   32       Do not show security zone in Internet Properties (default
            setting for My Computer)
   64       Show the Requires Server Verification dialog box
   128      Treat Universal Naming Connections (UNCs) as intranet
            connections
                        

If you add settings to both the HKEY_LOCAL_MACHINE and the HKEY_CURRENT_USER keys, the settings are additive. If you add Web sites to both keys, only those Web sites in the HKEY_CURRENT_USER key can be seen. The Web sites in the HKEY_LOCAL_MACHINE key are still enforced according to their settings, but they cannot be seen or modified. This can be confusing because a Web site may be listed in only one security zone for each protocol.
Internet Explorer 3.x
The security settings for Internet Explorer 3.x are kept in two sections, one for changing options and one for level.

Options that are enabled or disabled are located in the following registry keys:

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
The specific options under the Security tab are:

Allow downloading of active content
String - "Code Download"
Values - Yes (checked) or No (unchecked)

Enable ActiveX controls and plug-ins
Binary - "Security_RunActiveXControls"
Values - Checked=hex:01,00,00,00 Unchecked=hex:00,00,00,00

Run ActiveX scripts
Binary - "Security_RunScripts"
Values - Checked=hex:01,00,00,00 Unchecked=hex:00,00,00,00

Enable Java programs
Binary - "Security_RunJavaApplets"
Values - Checked=hex:01,00,00,00 Unchecked=hex:00,00,00,00
The settings for the safety levels are located in the following registry keys:

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_USERS\.default\Software\Microsoft\Internet Explorer\Security

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
The options for the registry listings are:

High
String = "Trust Warning Level"
Value = "High"
String = "Safety Warning Level"
Value = "FailInform"

Medium
String = "Trust Warning Level"
Value = "Medium"
String = "Safety Warning Level"
Value = "Query"

None
String = "Trust Warning Level"
Value ="No Security"
String = "Safety Warning Level"
Value ="SucceedSilent"
The information in this article applies to:

    * Microsoft Internet Explorer version 6 for Windows XP
    * Microsoft Internet Explorer version 6 for Windows 2000
    * Microsoft Internet Explorer version 6 for Windows NT 4.0
    * Microsoft Internet Explorer version 6 for Windows 98
    * Microsoft Internet Explorer version 6 for Windows Millennium Edition
    * Microsoft Internet Explorer version 6 for Windows 98 Second Edition
    * Microsoft Internet Explorer 5.5 for Windows Millennium Edition
    * Microsoft Internet Explorer 5.0 for Windows 98 Second Edition
    * Microsoft Internet Explorer 5.01 for Windows 98 Second Edition
    * Microsoft Internet Explorer 5.5 for Windows 98 Second Edition
    * Microsoft Internet Explorer 5.0 for Windows 98
    * Microsoft Internet Explorer 5.01 for Windows 98
    * Microsoft Internet Explorer 5.5 for Windows 98
    * Microsoft Internet Explorer 4.x for Windows 95
    * Microsoft Internet Explorer 4.0 for Windows NT 4.0
    * Microsoft Internet Explorer 4.01 for Windows NT 4.0
    * Microsoft Internet Explorer 4.01 for Windows 98 SP 1
    * Microsoft Internet Explorer 4.01 for Windows 98 SP 2
    * Microsoft Internet Explorer 5.0 for Windows NT 4.0
    * Microsoft Internet Explorer 5.01 for Windows NT 4.0
    * Microsoft Internet Explorer 5.5 for Windows NT 4.0
    * Microsoft Internet Explorer 5.0 for Windows 95
    * Microsoft Internet Explorer 5.01 for Windows 95
    * Microsoft Internet Explorer 5.5 for Windows 95

Last Reviewed:      5/12/2003 (3.0)
Keywords:      kbenv kbinfo KB182569
0
 
LVL 2

Expert Comment

by:Mihailo
ID: 9733053
What else do you need? :)
0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 9734782
One last thing:
   
  If I use a logon script:  
    It launches before the registry is fully loaded and the settings don't take.


 When I try to edit the default registry.  The settings are in the default registry but they don't take either.  

  Am not going to trust the user to restrict themselves, nor do I want them having access to said scripts to modify, read or anything of the like.  

How do we get these settings to apply at logon?
0
 
LVL 2

Expert Comment

by:Mihailo
ID: 9735695
Maybe a better idea is to make the restriction per-machine rather than per-user.

--------------------------------------------------------------------
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
When this DWORD value is set to 1, computer settings are used instead of user settings. For example, HKEY_LOCAL_MACHINE is read instead of HKEY_CURRENT_USER and all users have the same security settings.
--------------------------------------------------------------------
0
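Added example (not part of the thread or of the Microsoft article quoted in it): a Python audit of a registry export that reports, per zone, whether File Download (1803) is disabled in the hive Internet Explorer actually reads, applying the Security_HKLM_only rule quoted above. The function names and the sample export are constructed for illustration, and only that one precedence rule is modelled.

```python
import re

# Constructed sample in the text format written by a registry export; not taken from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"Security_HKLM_only"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1803"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1803"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1803"=dword:00000000
"""

ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
FILE_DOWNLOAD = "1803"
# Per the quoted article, 1803 has no prompt setting: it is allowed (0) or not (3).
ACTIONS = {0: "enabled", 3: "disabled"}
SETTINGS = r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
POLICY = (r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows"
          r"\CurrentVersion\Internet Settings")


def parse_reg(text):
    """Return {key path: {value name: int}} for DWORD values, all names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys


def hive_in_effect(keys):
    """HKLM zone settings are used only when Security_HKLM_only is present and 1."""
    flag = keys.get(POLICY.lower(), {}).get("security_hklm_only")
    return "HKEY_LOCAL_MACHINE" if flag == 1 else "HKEY_CURRENT_USER"


def file_download_state(keys, zone):
    """Return (hive read, state of value 1803) for one zone number."""
    hive = hive_in_effect(keys)
    path = (hive + SETTINGS + "\\Zones\\" + str(zone)).lower()
    value = keys.get(path, {}).get(FILE_DOWNLOAD)
    if value is None:
        return hive, "not set"
    return hive, ACTIONS.get(value, "unexpected 0x%x" % value)


def audit(keys):
    """List the zones whose effective File Download state is anything but disabled."""
    findings = []
    for zone in sorted(ZONES):
        state = file_download_state(keys, zone)[1]
        if state != "disabled":
            findings.append((zone, ZONES[zone], state))
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("Hive in effect:", hive_in_effect(parsed))
    for zone, name, state in audit(parsed):
        print("Zone %d (%s): File Download is %s" % (zone, name, state))
```

A zone reported as "not set" has no explicit 1803 value in the hive being read, so the export alone does not show that downloads are blocked there.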
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 9736506
if you make it per machine though, will administrators be able to download files without flipping the key?  Or simply attach another script that enables it on the machine and then the next user to sign on will flip it?
0
 
LVL 2

Expert Comment

by:Mihailo
ID: 9736655
>  if you make it per machine though, will administrators be able to download files without flipping the key?

no, per-machine settings apply to all accounts.

Another solution is to use a login script and put in some delay for execution (WScript.Sleep) so the script can do the job after user logon. The first time, users will be allowed to download, but the next time they log on the restrictions will apply. Or you can check the registry value; if they can download, change the value and force user logoff, so they can log on again with restrictions applied.


0
 
LVL 2

Expert Comment

by:Mihailo
ID: 9736685
>  first time users will be allowed to download
Thinking again, I'm not sure about this. Check it out.
0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 9736973
I know for a fact that the changes are on the fly (if you change the registry, it won't allow the download).  However if they are able to get IE open in that time then it will cause a security violation.  This also brings up another issue though.  I have it set so that Windows won't start until the scripts are finished executing.  This is to ensure that they do everything they need to do.  Which kind of nullifies the sleep.  I know I'm asking for the perfect solution, but I feel there has to be a way . . . and I'm not sure I'm willing to sacrifice letting Windows start without the scripts finishing.  Is there another way?  I apologize for racking your brain so much, just that I figure if we have the perfect set up it will save many headaches down the road.  

0
 
LVL 2

Expert Comment

by:Mihailo
ID: 9738730
You can't change values in HCU because they are not loaded yet.
So you must work on HLM or HU. I can see two solutions:

1) change per-machine settings (force using HLM values + change value for download).
For admins, script should clear that values
(will this apply on the fly?)

2) change values in all sub-hives in HKEY_USERS (for all users).
If admins log in, clear HCU value when they logon.
(this must work, but it's a little bit complicated to write the code)

0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 9740149
It won't allow me to edit either, it's telling me that I have an invalid root on line 9:  Here's my script:


2)  Dim objShell, RegKey

4)  Set objShell = CreateObject("WScript.Shell")


7)  RegKey = "HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1803"
8)  msgbox(regkey)
9)  objShell.RegWrite RegKey, "3", "REG_DWORD"



RegKey = "HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1803"
objShell.RegWrite RegKey, "3", "REG_DWORD"


RegKey = "HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1803"

objShell.RegWrite RegKey, "3", "REG_DWORD"


It quits at 9, note, if I run this with admin it runs fine, which means it's something in my permissions.  Any way to run a script as admin?

0
 
LVL 5

Expert Comment

by:juliancrawford
ID: 9740230
and at the end of all this debate you still cannot disable the open button.
0
 
LVL 2

Expert Comment

by:Mihailo
ID: 9741314
0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 9742016
It's disabled if I do it for one user julian, the problem is now getting it to do it automatically based on user.

0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 9750499
ieak requires registration, that way is no good.

There's something missing, I just don't know what it is.  We can't change the registry as Joe User, but can as admin.  

(even if I do current user with a logon script)  Is there a way that I can disable editing the registry?  If so then I could allow them to write to the registry, and the last line in the script will disable editing the registry.  



0
 
LVL 24

Accepted Solution

by:
Kenneniah earned 250 total points
ID: 9753254
You can set Internet Security Zones in a GPO. Unfortunately I can remember exactly where and I can't look right now since I'm at home. I do know that in gpedit.msc on a local machine it's under User Configuration|Windows Settings|Internet Explorer Maintenance|Security.

I haven't ever used it to stop downloads however, as we block those based on username through our proxy server.
0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 9771162
Sorry I haven't replied, it's been busy the last couple of days.  Looking at it now, have to learn about GPO's.  We just got a watchguard 700, so we may end up using the proxy as well to disable user name.

0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 9771480
Okay, finally found it see solution below.  Split as follows:

Kenn: 250
Mih: 250


Here's what I did:



Under admin for the domain, I set internet browsing as I wanted it for the group. (To disable downloads, you can click on tools, internet options, security, and then you can set a custom level for each site.  In each of those sites, there's a spot to disable downloads.)  Went to User Configuration|Windows Settings|Internet Explorer Maintenance|Security.  In the GPO, clicked import file settings.  Was as easy as 123 when I knew where I was looking.  Note, it is recommended that you also disable the security page under admin templates, windows components, IE so the user can't flip it back.  





0
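A way to confirm that the download restriction described above actually reached a given account, as an added example that is not part of any poster's message: run it with cscript as the restricted user after logon. It reads the same Zones\<n>\1803 value the script earlier in the thread writes (3 is the value that script uses to disable downloads; 0 as "enabled" and the Security_HKLM_only switch for per-machine zones are assumptions not stated in the thread).

```vbscript
' Added example, not from the thread: report the "file download" (1803)
' setting for zones 1-3 as seen by the account running the script.
Option Explicit

Const ZONES_SUFFIX = "\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"
' Assumption: this policy value, when 1, makes IE use the per-machine zone settings.
Const HKLM_ONLY = "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only"

Dim objShell, hive, zone, zoneNames, value, report, notDisabled
Set objShell = CreateObject("WScript.Shell")

' Returns the DWORD stored at path, or -1 when it is missing or unreadable.
Function ReadDword(path)
    Dim v
    ReadDword = -1
    On Error Resume Next
    v = objShell.RegRead(path)
    If Err.Number = 0 Then ReadDword = CLng(v)
    Err.Clear
    On Error GoTo 0
End Function

Function Describe(v)
    Select Case v
        Case 3
            Describe = "downloads disabled"
        Case 0
            Describe = "downloads ENABLED"
        Case -1
            Describe = "value not set"
        Case Else
            Describe = "unexpected value " & v
    End Select
End Function

If ReadDword(HKLM_ONLY) = 1 Then hive = "HKLM" Else hive = "HKCU"

zoneNames = Array("", "Local intranet", "Trusted sites", "Internet")
report = "Zone settings read from " & hive & vbCrLf
notDisabled = 0
For zone = 1 To 3
    value = ReadDword(hive & ZONES_SUFFIX & zone & "\1803")
    If value <> 3 Then notDisabled = notDisabled + 1
    report = report & "Zone " & zone & " (" & zoneNames(zone) & "): " & Describe(value) & vbCrLf
Next

WScript.Echo report
' Non-zero exit code lets a logon script or monitoring job flag the account.
If notDisabled > 0 Then WScript.Quit 1
```

The script only reads the registry, so it runs under an unprivileged account and can be used to compare what an administrator and a restricted user each end up with.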
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 9771501
It's not allowing me to split the points, I'll have an admin do it.
0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 9771511
Nevermind, LOL  Thanks for all your help guys!
0
 
LVL 24

Expert Comment

by:Kenneniah
ID: 9771969
Most welcome, glad it worked out for you!
0
