Locking Down IE9 and Network
Browsing
I have been setting up a couple of
computers to act as kiosks for a particular site and naturally have
had to lock them down as much as possible. I am doing this through a
GPO policy via Active Directory. I have the computer and IE locked
down pretty tightly except for one thing:
When in IE, if you hit Ctrl-J the View
Downloads window pops up. Click on the Options button at the bottom
left and the Download Options dialogue opens. Click on the Browse
button and a window pops up that says,
“This operation has been cancelled
due to restrictions in effect on this computer. Please contact your
system administrator”.
All well and good except when you click
the OK button you are given a window which has two panes. On the
left hand pane are options for “Favorites”, “Libraries”, and
“Network”. Clicking on the Network option gives you a list of
every computer on the network that is visible along with any public
shares they have.
Not so good.
I went through every option in the GP
and did a lot of Google searching but could not find any way of
turning off this behaviour. However Google did turn up a registry
setting change that stops it.
If you modify this key:
HKEY_CLASSES_ROOT\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder\Attributes
from b0040064
to b0940064, you will
remove the Network icon from the Windows 7 Navigation Pane. No more
network browsing!
Be
aware this option affects everyone who uses the computer.
You
can set this registry key in the GPO when editing it in Windows
Server 2008. To do this, navigate to
- Computer Configuration → Preferences → Windows Settings → Registry
- Right click on Registry and select New → Registry Item.
- Select the HKEY_CLASSES_ROOT hive and browse to the correct keypath.
- Type Attributes into the Value Name
- Set the value type to REG_DWORD
- Enter B0940064 in the Value Data
- Set the Base to Hexadecimal.
Note re previous post: Not updating the blog 'much' doesn't mean 'never'!
