How can I block access to local files from Internet Explorer?
A. If you type "C:" (or any other drive) in the Microsoft Internet Explorer address box you will be shown the contents and if proper NTFS file permissions are not in place users will be able to delete, rename, read any files on the disk. This is usually a problem if you have a locked down environment where users do not normally have access to Explorer etc (such as an Internet Cafe).
To stop the ability to view local drives from Internet Explorer perform the following:
Start the registry editor (regedit.exe)
Move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
From the Edit menu select New > DWORD value.
Enter a name of NoRun and press Enter
Double click the new value and set to 1. Click OK to close the value edit dialog.
From the Edit menu select New > DWORD value.
Enter a name of NoDrives and press Enter
Double click the new value and set to a number representing the drives you wish to hide (explained below). Click OK to close the value edit dialog.
For IE 4.01 SP1 and above perform the following steps:
1. From the Edit menu select New > DWORD value.
2. Enter a name of NoFileUrl and press Enter
3. Double click the new value and set to 1. Click OK to close the value edit dialog.
Close the registry editor
The NoRun setting disables viewing local files by typing a file address or URL (for example, "file://d:\") in the Address box, and also disables the Run command on the Start menu.
The NoDrives setting disables the selected drives. It is explained in 'Q. How can I hide drive x from users?'. Basically drive A is 1, B is 2, C is 4, D is 8 etc. and you add the values together. So to hide drive C and D, you would add 4 and 8 which is twelve or C in hexadecimal and set NoDrives to C (selecting Hex mode).
Related videos on Youtube
Ophir Yoktan
Updated on September 17, 2022Comments
-
Ophir Yoktan over 1 year
I want to create a kiosk station that will allow web browsing, but won't allow access to local files.
How can I go about doing this?
-
Joe Taylor about 12 yearsAfter reading the answers, do you really need the URL bar? Following the other answers, do away with the URL bar and setting a homepage to a search engine i.e google would allow users to fully navigate the web and bypass your problem.
-
Ophir Yoktan about 12 years@JoeTaylor I removed the url bar, but this a cosmetic change. For example, a page might include a link to a local file.
-
Squeezy almost 11 yearsWhat is your concern with users downloading local files to the kiosk station itself?
-
-
Arjan about 13 yearsNot sure if things are different nowadays, but the linked article applies to IE6 and earlier.
-
Jackson about 13 yearsIt still applies to IE8 according to what I've read. Not sure about IE9 yet.
-
Ophir Yoktan about 13 yearsKiosk mode doesn't block access to local files, if a user can navigate to them without using the address bar (he can easily create a web page with a link to a known local file)
-
Jackson about 13 yearsYes, they can open a file if they know it's location. But if you're running kiosk mode under a restricted user account that doesn't have access to anything in combination with a well designed local security policy, you can block their access to most anything.
-
Ophir Yoktan almost 13 yearsI tested the specific policy you described, but it doesn't effect internet explorer - just the file explorer and related dialogs (like file open \ save). to quote from your first link "This policy does not prevent users from using other programs to gain access to local and network drives or prevent them from viewing and changing drive characteristics by using the Disk Management snap-in. "
-
Ophir Yoktan almost 13 yearsBy navigating to a known file name using an html link
-
Mucker almost 13 yearsI thought so...Just wanted to clarify that. Well that can't be done. And not with any tool I know of, in fact I think its impossible because of how windows works, let me explain. When you run any program whether it Word, Explorer or IE it runs under whatever access rights your account has. So if your Windows account is allowed access to certain files and folders then there is nothing you can do about it. Let me put it another way, the only to stop them from accessing the C drive 100% completely would be to deny access using NTFS permissions on the files and folders...The problem here though
-
Mucker almost 13 years...cont....The probblem here though is that if you denied access to these files then the computer would stop working. I mean every person that uses this kiosk WILL be able to access say c:\windows and any files there if they know the direct link. You cant deny permissions here though cause Windows needs to access these files in order to run...So the best you can do is hide them using the policies I said.
-
Ophir Yoktan almost 13 yearsWhat I was looking for was something like disabling the 'file' protocol handler (leaving just http)
-
ganesh over 8 years+1 for this part: "if proper NTFS file permissions are not in place"/