How can I block access to local files from Internet Explorer?


A. If you type "C:" (or any other drive) in the Microsoft Internet Explorer address box you will be shown the contents and if proper NTFS file permissions are not in place users will be able to delete, rename, read any files on the disk. This is usually a problem if you have a locked down environment where users do not normally have access to Explorer etc (such as an Internet Cafe).

To stop the ability to view local drives from Internet Explorer perform the following:

1. Start the registry editor (regedit.exe).
2. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
3. From the Edit menu select New > DWORD value.
4. Enter a name of NoRun and press Enter.
5. Double-click the new value and set it to 1. Click OK to close the value edit dialog.
6. From the Edit menu select New > DWORD value.
7. Enter a name of NoDrives and press Enter.
8. Double-click the new value and set it to a number representing the drives you wish to hide (explained below). Click OK to close the value edit dialog.
9. For IE 4.01 SP1 and above perform the following steps:
   1. From the Edit menu select New > DWORD value.
   2. Enter a name of NoFileUrl and press Enter.
   3. Double-click the new value and set it to 1. Click OK to close the value edit dialog.
10. Close the registry editor.

The NoRun setting disables viewing local files by typing a file address or URL (for example, "file://d:\") in the Address box, and also disables the Run command on the Start menu.

The NoDrives setting disables the selected drives. It is explained in 'Q. How can I hide drive x from users?'. Basically drive A is 1, B is 2, C is 4, D is 8 etc. and you add the values together. So to hide drive C and D, you would add 4 and 8 which is twelve or C in hexadecimal and set NoDrives to C (selecting Hex mode).
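
The registry steps above, scripted in PowerShell as an added example (not part of the original answer). The function names Get-NoDrivesMask and Set-KioskExplorerPolicy are hypothetical; the script writes only the three values the answer names, for the current user.

```powershell
# Added example: computes the NoDrives bitmask from drive letters and writes
# NoRun, NoDrives and NoFileUrl under the current user's Explorer policy key.
# Function names are hypothetical; key path and value names come from the answer.

function Get-NoDrivesMask {
    param([Parameter(Mandatory)][char[]]$DriveLetter)
    $mask = 0
    foreach ($letter in $DriveLetter) {
        $index = [int][char]::ToUpperInvariant($letter) - [int][char]'A'
        if ($index -lt 0 -or $index -gt 25) {
            throw "Not a drive letter: $letter"
        }
        # A = 1, B = 2, C = 4, D = 8, ... one bit per drive letter
        $mask = $mask -bor (1 -shl $index)
    }
    return $mask
}

function Set-KioskExplorerPolicy {
    param([Parameter(Mandatory)][char[]]$HideDrive)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    # The Policies\Explorer key may not exist yet for a fresh profile
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    $values = [ordered]@{
        NoRun     = 1
        NoDrives  = Get-NoDrivesMask -DriveLetter $HideDrive
        NoFileUrl = 1   # the answer applies this one to IE 4.01 SP1 and above
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
    # Read the values back so the result can be checked
    Get-ItemProperty -Path $key | Select-Object NoRun, NoDrives, NoFileUrl
}

# Hide C: and D: as in the answer's example (4 + 8 = 12, hex C)
Set-KioskExplorerPolicy -HideDrive 'C', 'D'
```

The values are written under HKEY_CURRENT_USER, so the script has to run in the kiosk account's own session. As the answer and the comments on this page point out, NTFS permissions on a restricted account are still what decides whether a file can be read.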


Author: Ophir Yoktan

Updated on September 17, 2022

Comments

  • Ophir Yoktan
    Ophir Yoktan over 1 year

    I want to create a kiosk station that will allow web browsing, but won't allow access to local files.

    How can I go about doing this?

    • Joe Taylor
      Joe Taylor about 12 years
      After reading the answers, do you really need the URL bar? Following the other answers, doing away with the URL bar and setting a homepage to a search engine, i.e. Google, would allow users to fully navigate the web and bypass your problem.
    • Ophir Yoktan
      Ophir Yoktan about 12 years
      @JoeTaylor I removed the URL bar, but this is a cosmetic change. For example, a page might include a link to a local file.
    • Squeezy
      Squeezy almost 11 years
      What is your concern with users downloading local files to the kiosk station itself?
  • Arjan
    Arjan about 13 years
    Not sure if things are different nowadays, but the linked article applies to IE6 and earlier.
  • Jackson
    Jackson about 13 years
    It still applies to IE8 according to what I've read. Not sure about IE9 yet.
  • Ophir Yoktan
    Ophir Yoktan about 13 years
    Kiosk mode doesn't block access to local files, if a user can navigate to them without using the address bar (he can easily create a web page with a link to a known local file)
  • Jackson
    Jackson about 13 years
    Yes, they can open a file if they know its location. But if you're running kiosk mode under a restricted user account that doesn't have access to anything in combination with a well designed local security policy, you can block their access to most anything.
  • Ophir Yoktan
    Ophir Yoktan almost 13 years
    I tested the specific policy you described, but it doesn't affect Internet Explorer - just the file explorer and related dialogs (like file open \ save). To quote from your first link: "This policy does not prevent users from using other programs to gain access to local and network drives or prevent them from viewing and changing drive characteristics by using the Disk Management snap-in."
  • Ophir Yoktan
    Ophir Yoktan almost 13 years
    By navigating to a known file name using an html link
  • Mucker
    Mucker almost 13 years
    I thought so... Just wanted to clarify that. Well, that can't be done. And not with any tool I know of; in fact I think it's impossible because of how Windows works, let me explain. When you run any program, whether it is Word, Explorer or IE, it runs under whatever access rights your account has. So if your Windows account is allowed access to certain files and folders then there is nothing you can do about it. Let me put it another way: the only way to stop them from accessing the C drive 100% completely would be to deny access using NTFS permissions on the files and folders... The problem here though
  • Mucker
    Mucker almost 13 years
    ...cont.... The problem here though is that if you denied access to these files then the computer would stop working. I mean every person that uses this kiosk WILL be able to access say c:\windows and any files there if they know the direct link. You can't deny permissions here though, because Windows needs to access these files in order to run... So the best you can do is hide them using the policies I said.
  • Ophir Yoktan
    Ophir Yoktan almost 13 years
    What I was looking for was something like disabling the 'file' protocol handler (leaving just http)
  • ganesh
    ganesh over 8 years
    +1 for this part: "if proper NTFS file permissions are not in place"