
Controlling Internet Access with ZENworks

Novell Cool Solutions: Trench
By Guy Baker


Posted: 1 Mar 2000
 

Current Version: ZENworks 2


We use ZENworks to enable or disable the proxy settings in Internet Explorer 4.x and 5. Basically, if you are a member of the IEAUTH group you get the settings for the firewall; if not, you don't. If you log in on a workstation after someone who was authorized, the settings are removed.

You can't change the Internet Options, because we disable that feature. You can't bypass the login prompt, because we require authentication.

We run Windows 95/98 with IE 4.01 SP2, but the registry settings work with IE5.

  1. Obtain an updated Shdocvw.dll file by installing Internet Explorer 4.01 Service Pack 2. You can obtain Internet Explorer 4.01 Service Pack 2 from the Microsoft Web site.

    The following tables list additional restrictions provided by this updated file. You must manually edit the registry of each computer using the updated Shdocvw.dll file and add the corresponding registry value and setting for each restriction.

    Note that these restrictions also apply when you are using Kiosk mode.

    Restrictions under HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions: Each DWORD value must be set to 1 to be enabled. To disable the restriction, set the value to 0.


    Restriction            Description
    NoFileOpen             Disables the Open command on the File menu, CTRL+O, and CTRL+L.
    NoFileNew              Disables CTRL+N.
    NoBrowserSaveAs        Disables Save and Save As on the File menu.
    NoBrowserOptions       Disables Internet Options on the View menu (disables changing browser settings).
    NoFavorites            No Favorites menu, adding to favorites, or organizing favorites.
    NoSelectDownloadDir    Prevents the user from selecting a download folder by not displaying the Save As dialog box when a file is downloaded.
    NoBrowserContextMenu   Disables the HTML context menu.
    NoBrowserClose         Disables ALT+F4.
    NoFindFiles            Disables the F3 key.
    NoTheaterMode          Disables the F11 key.

  2. Create a group. (We call ours IEAuth.)
  3. In the system login script, prior to NALEXLDR.EXE running, add:

    IF MEMBER OF "IEAUTH" THEN BEGIN
        DOS SET AUTH="YES"
    ELSE
        DOS SET AUTH="NO"
    END

  4. Create one ZEN snAppShot configuring IE with the Proxy Settings or Firewall Settings you use. We'll call this "Authorized."
  5. In this app, set the SYSTEM REQUIREMENTS to an Environment Variable:

    Value Name = AUTH
    Value Data = contains YES

    DISTRIBUTION is set to Distribute Always.

    ASSOCIATIONS is set to the IEAUTH Group created earlier, with FORCE RUN.

    Add the Registry Entry:

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
    DWORD Value: NoBrowserOptions = 1

    You can also set any of the additional restrictions from the table above that you see fit. This one disables the Internet Options tab in Internet Explorer.

    Also, if you are running Windows 98 (I'm not sure if it works on 95) you can add:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Name: NoViewContextMenu, Value: 1

    This disables the user's ability to right-click on the desktop and reach the IE properties from there.

  6. Copy the above AOT to another ZEN app, and call it UnAuth.
  7. In the SYSTEM REQUIREMENTS, change the Environment Variable "AUTH" to contains NO.

    ASSOCIATIONS is set to EVERYONE and FORCE RUN.

    We leave the Registry Entries that disable IE Features and Right-click on the desktop.

    Find the Registry Entries that set the Firewall/Proxy info and remove any values that configure IE.

    DON'T DELETE THE DWORD VALUE, just remove any setting associated with it.

  8. Now if you add a user to the IEAuth Group, they should get the settings for accessing the Internet. If not, it should erase the settings in Internet Explorer.

Comments About this Article

Ruud Hanegraaf

I read the tip by Guy Baker about how to control internet access using ZENworks. We use a similar method which I think is a bit more straightforward. It goes like this:

At the container level we have made an application object (Startup) which is set to 'Force Run', 'Distribute Always' and 'Install only (no executable needed)'. One of the things we have put in is a section of registry settings which sets the proxy settings. The crucial part - in REGEDIT style - is:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyHttp1.1"=dword:00000000
"ProxyServer"="ftp=0.0.0.0:80; gopher=0.0.0.0:80; http=0.0.0.0:80;https=0.0.0.0:80"
"ProxyOverride"=""
"ProxyEnable"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Proxy"=dword:00000001

Because we have specified 0.0.0.0 as the proxy server, any internet access will be immediately rejected. By specifying this address for every type of protocol, the proxy address will not be displayed in the Proxy Settings tab. The last entry in the registry file prevents users from accessing the 'Advanced' button in Internet Explorer.

This way the proxy settings will be initially set to 'no internet access' every time a user logs in to the network.

Next we have created a similar application object (Internet) which is also 'Force Run', 'Distribute Always' and 'Install only'. The only thing it contains is the same piece of registry as above, but this time with the proper proxy addresses instead of 0.0.0.0.

All users who should be able to surf the internet are associated with this object.

And presto! The user logs in, first gets the 'no internet access' settings, and then immediately after that he gets the 'internet access' settings.

If you have any questions you may contact Ruud at r.hanegraaf@laurus.nl
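As an added example, not code from the article or from either contributor, here is a small Python audit that parses a REGEDIT4 export like the one in this comment and reports whether a profile carries the NoBrowserOptions restriction from Guy Baker's steps, whether the proxy is locked, and whether the proxy points at the "no internet access" address 0.0.0.0 described here. The export text and its values are constructed for the example.

```python
import re
# Constructed REGEDIT4 export of the keys the article and comment write (invented values).
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001
"NoFileOpen"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="ftp=0.0.0.0:80; http=0.0.0.0:80;https=0.0.0.0:80"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Proxy"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: value}} (dword -> int)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return keys

def audit(keys):
    """Summarise the lock-down state a user would land in with these values."""
    base = 'HKEY_CURRENT_USER\\Software\\'
    restr = keys.get(base + 'Policies\\Microsoft\\Internet Explorer\\Restrictions', {})
    inet = keys.get(base + 'Microsoft\\Windows\\CurrentVersion\\Internet Settings', {})
    cpl = keys.get(base + 'Policies\\Microsoft\\Internet Explorer\\Control Panel', {})
    # ProxyServer is "proto=host:port;..." (or a bare host:port); every entry
    # pointing at 0.0.0.0 is the comment's deliberate "no internet access" profile.
    proxy = inet.get('ProxyServer', '')
    targets = [p.split('=', 1)[-1].strip() for p in proxy.split(';') if p.strip()]
    return {
        'options_locked': restr.get('NoBrowserOptions') == 1,   # Internet Options blocked
        'proxy_enabled': inet.get('ProxyEnable') == 1,
        'proxy_locked': cpl.get('Proxy') == 1,                  # Advanced button blocked
        'internet_denied': bool(targets) and all(t.startswith('0.0.0.0:') for t in targets),
        'enabled_restrictions': sorted(n for n, v in restr.items() if v == 1),
    }
```

Run it over a real export of the three keys after login to confirm the "UnAuth" object has actually replaced the proxy addresses rather than only removing them.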

Rich

In regard to Controlling Internet Access with ZENworks. We control the proxy address also, but instead use an extensible policy. Copy the following code into Notepad and save it as proxy.adm. We created two policy packages, one associated to allowed internet users, and the other to the rest of the office. We then added the proxy server info in each policy, using 0.0.0.0 for the general office users, and the correct address for the allowed users. It's also a lot easier to maintain and view.

Contents of Proxy.adm:

CLASS USER
CATEGORY !!ConnectionTab
  POLICY !!ConnectionTab
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    PART !!ProxyEnable CHECKBOX
      VALUENAME "ProxyEnable"
    END PART
    PART !!ProxyText EDITTEXT REQUIRED
      VALUENAME "ProxyServer"
    END PART
    PART !!ProxyOverride EDITTEXT
      VALUENAME "ProxyOverride"
    END PART
    PART !!ProxyOverrideText TEXT
    END PART
    PART !!RestrictProxy CHECKBOX
      ; this part writes to its own key, so it carries its own KEYNAME
      KEYNAME "Software\Policies\Microsoft\Internet Explorer\Control Panel"
      VALUENAME "Proxy"
    END PART
  END POLICY
END CATEGORY
;; End ConnectionTab

[strings]
ConnectionTab="Connections Page"
Proxy="Proxy Server"
ProxyText="Enter IP address:port number"
ProxyEnable="Enable proxy server"
ProxyOverrideText="Separate multiple addresses with a semi-colon."
ProxyOverride="Do not use proxy server for addresses beginning with:"
RestrictProxy="Disable changing proxy settings"


Q&A

If you have any ideas about these, fire away...

Question 1: Ray Larson

I am trying to figure out a way to stop users from downloading software from the internet, but still leave them the ability to surf the net. I have seen your tips on controlling Internet Explorer. The problem is we don't use proxy servers. I have tried the registry setting to prevent the "Save This program to disk" function on the File Download screen, but if the user chooses to "Run this program from current location" it comes back with the Explorer window where they can save the file anyway. We are running Win95 machines with IE5, & Novell ZfD2.

A: Chris Bailey

There is a document on the Microsoft support web site that details information about the registry keys used with Internet Explorer's "Security Zones" - one feature of which is to restrict downloads. The document ID is Q182569.

Since we are a school, we have setup an application object assigned to students that will load the restrict download registry key to the computer before it launches Internet Explorer. And since many of our staff members need to download things from the Internet, they have their own application object that will reverse those settings before NAL launches IE when they are logged in.

We also utilize Microsoft TID Q179221 which details how to restrict many of Internet Explorer's user interface features.

The download restrictions have a few little quirks with them, but in the course of the past year that we have been using them, they have worked great.

Here are our AOT files used to set this up in our environment.

If you have any questions you may contact Chris at baileyc@carthage.k12.mo.us

A: Jeff Sawdy

I have a partial solution to Ray Larson's question.

There is an option in the Internet Security settings to prevent the file download option. Have you tried that?

Also, while this next solution will not prevent all downloads, it can give you some control of where info can be downloaded from and saved via IE5, and this has been used successfully in one of our offices.

If you use the IEAK (Internet Explorer Administration Kit), deploy IE5 to all desktops so that they can ONLY download from trusted sites.

Via a NAL object you can periodically add new sites to the Trusted Sites as you see necessary for your staff. For instance we are a government agency, and any sites ending in ".state.nc.us" are considered trusted sites. We have a need for accessing a lot of the info on the EPA site, so epa.gov is a trusted site, etc.

The registry location for the trusted sites is:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\epa.gov]
"*"=dword:00000002

Basically, add domains as deemed necessary and increment the distribution number so that it will add new domains similar to the registry edit in the above example.

If you have any questions you may contact Jeff at Jeff.Sawdy@ncmail.net

A: Mark L.

In regard to stopping users downloading from the internet, here is the way we accomplish this. This may be out of the scope of the original posted question, but I scouted for ages before having someone point me to this TID. It requires that you are using Border Manager Proxy.

The TID is #2954488; there is also a newer one that explains this process better, #2954664. Basically you set up access rules on the proxy of URL type, for example http://*/*.exe, to stop executables being downloaded.

A: Gwanito van den Berg

There are a lot of suggestions about controlling internet access using IE. Now here is a simple solution when using the Netscape browser.

Create one install script using the proxy server's address, then create two NDS application objects, using for both apps the same NAL script. Name one app. as internet access denied, delete one application file, called PREFUI32.DLL (this DLL enables the menu item EDIT/PREFERENCES, get rid of it and now preferences can be edited).

Edit the PREFS.JS and delete the proxy server's address, which holds p.a. the Automatic Configuration File.

When you've done this, users can only gain access to the INTRANET and other IP devices within the LAN/WAN.

So, you can prevent users going out to the INTERNET.

If you have any questions you may contact Gwanito at gwanito.van.den.berg@flygt.com


Question 2: Dennis Bradley

Pertaining to the suggestions about Internet Explorer. With Windows 98 and IE5 I have found the run command must be enabled to browse the internet which was supported by a TID. Therefore changing the registry to point to the correct proxies is easily changed back by running regedit at the workstation. I have set the policy to only allow listed windows programs, and not added regedit but then the force run of my application changing the proxy settings will not run. Anyone else?

Oliver Martin's Answer

Answer for the question of Dennis Bradley: You can set an ACL for the regini.exe, then create a NAL File for the users who need that application. Let a batch file for execution run which updates the ACL for the regini.exe so that the user which has the NAL icon can start the application.

If you have any questions you may contact Oliver at oliver_martin@hybpovbg.at

Becky Ferguson's Answer

To Dennis Bradley: Change the filename of REGEDIT.EXE to something bland like SYSTEM.EXE and do your proxy settings change using that name. If your students figure out that name, change it regularly. It seems to run no matter what the filename is. I've used this trick since DOS days any time I needed to "hide" an executable, including changing .BAT filenames to .COM to discourage editing.

If you have any questions you may contact Becky at BeckyF@dcccd.edu

