Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How do I prevent use of Windows Explorer Address Bar to get to C drive?

Posted on 2008-10-30
8
Medium Priority
?
5,124 Views
Last Modified: 2013-12-05
On Windows Server 2000, using Terminal Services, I have hidden the C and D drives via AD Group Policy, but in Windows Explorer, how to I prevent use of the Address bar to get to C:\?   The C drive (and it's contents) needs the NTFS permissions to be Everyone, so I cannot prevent users from access to the C drive while in Windows Explorer through NTFS permission changes.   I thought that perhaps there would be an AD Group Policy and/or reg hack for this, but I cannot find it.  Goal is for users to get a simple "Access Denied" message if they type C:\ in the Windows Explorer Address bar.
0
Comment
Question by:uswrad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
8 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 22852178
You can't, and that AD Group Policy thing is a joke. And if you think about it, hiding it from the my computer screen is the best you can do. Programs run as the person who started them, so if you open IE, your name is in the process list as the username. So if username can't view the C: or some interupt happens, the program will never be run in the first place.
Perhaps there is another way... what is the real goal? Prevent software installs?
-rich
0
 

Author Comment

by:uswrad
ID: 22853225
The goal is to publish Windows Explorer on a MS Windows Server 2000 Terminal Services server (already being done) and at least block the obvious ways that a user could accidentally get into trouble (like going to the Server C drive instead of his local client C drive.  

My real problem is that this was already accomplished several years ago on some servers we have by an outside consultant but we did not document how he accomplished it and he is no longer available.  We are just wanting to do what is already working on older servers on our newer servers (still Windows Server 2000 server).   We tried the obvious AD setting under the User config area  titled "Prevent access to drives from My Computer." However, blocking access through this group policy setting prevents Windows Explorer from running for a user (as you mention in your post above).

We are launching Explorer.exe from a simple command line script (after the script simply maps the drives/resources the user SHOULD have access to), so I'm wondering if there might be a "switch" that prevents direct use of the Address bar OR (as second option for a solution) removes/hides the Address bar all together.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 22853366
You can simply go to view and uncheck address bar? is that what you wanted.
Also, there are quite a few switches for explorer
http://support.microsoft.com/kb/307856
But they don't do what you want necassarily, you could use them in combination to do what you  want, disable the buttons and address bars, then call "Explorer /e,C:\some_folder\you_want" and there is not apparent way to go up or down directories.
This may also help: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
-rich


0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 22853466
The registry settings are:http://support.microsoft.com/?kbid=842903
You should be able to make the setting as an admin, copy the profile to all users and it should stick, until someone sees they can put a check next to them in view...
-rich
0
 

Accepted Solution

by:
uswrad earned 0 total points
ID: 22957328
I finally found the correct specific group policy setting that blocks users from typing C:\ (or any paths to drives) in the Address bar.   It is NOT under the Windows Explorer group policy area and it does not have a name that you would predict.

Under User Configuration/Administrative Templates/Start Menu and Taskbar, enabled Remove Run menu from Start Menu

Here is part of what is stated in the Description for this policy setting:
"Allows you to remove the Run command for the Start menu, Internet Explorer, and Task Manager.   If you enable this setting, the following changes occur:  (1) The Run command is removed from the Start menu.  (2) The New Task (Run) command is removed from Task Manager.  (3) The user will be blocked from entering the following into the Internet Explorer Address Bar:
- A UNC path: \\<server>\<share>
- Accessing local drives:  e.g., C:
- Accessing local folders:  e.g., \temp>"

Enabling this group policy, along with the one that hides the local C and D drives makes for a nice published Windows Explorer environment where users cannot easily accidentally make folder/file level changes to the Citrix server side, but can get to the file resources they desire and should get to.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 22966824
neat, does it prevent short-cut keys? Like Windows-Key+R http://labmice.techtarget.com/articles/keyboard.htm Just curious.
-rich
0
 
LVL 9
ID: 24486863
richrumble - enabling this group policy setting does indeed prevent Windows Logo shortcuts like Win+R
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 24486909
Does it remove the "new task" option in task manager (ctrl+alt+delete File->new task(run))
-rich
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Know what services you can and cannot, should and should not combine on your server.
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question