Controlling Internet Access with ZENworks
Novell Cool Solutions: Trench
By Guy Baker
Posted: 1 Mar 2000
Current Version: ZENworks 2
- Comments About this Article
- Ray Larson's Question
- Dennis Bradley's Question Posted July 19, 2000
We use ZENworks to enable or disable the proxy settings in Internet Explorer 4.x and 5. Basically, if you are a member of the IEAUTH Group, you get the settings for the firewall; if not, you don't. If you log in behind someone who was authorized, it removes the settings.
You can't change the Internet Options, because we disable this feature. You can't bypass login prompts, because we require authentication.
We run Windows 95/98 with IE 4.01 SP2, but the registry settings work with IE5.
- Obtain an updated Shdocvw.dll file by installing Internet Explorer 4.01 Service Pack 2. You can obtain Internet Explorer 4.01 Service Pack 2 from the Microsoft Web site.
The following tables list additional restrictions provided by this updated file. You must manually edit the registry of each computer using the updated Shdocvw.dll file and add the corresponding registry value and setting for each restriction.
Note that these restrictions also apply when you are using Kiosk mode.
Restrictions under HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions: Each DWORD value must be set to 1 to be enabled. To disable the restriction, set the value to 0.
Disables Open command on File menu, CTRL+O, and CTRL+L.
Disables Save and Save As on the File menu.
Disables Internet Options on the View menu. (Disables changing browser settings).
No Favorites menu, adding to favorites, or organizing favorites.
Prevents user from being able to select download folder by not displaying the Save As dialog box when a file is downloaded.
Disables HTML context menu.
Disables the F3 key.
Disables the F11 key.
- Create a group. (We call ours IEAuth.)
- In the system login script, prior to NALEXLDR.EXE running, add
    IF MEMBER OF "IEAUTH" THEN BEGIN
        DOS SET AUTH="YES"
    ELSE
        DOS SET AUTH="NO"
    END
- Create one ZEN snAppShot configuring IE with the Proxy Settings or Firewall Settings you use. We'll call this "Authorized."
    In this app, set the SYSTEM REQUIREMENTS to an Environment Variable.
    The Value Name = AUTH
    The Value Data = contains YES
    DISTRIBUTION is set to Distribute Always.
    ASSOCIATIONS is set to the IEAUTH Group created earlier, with FORCE RUN.
    Add the Registry Entry:
    Add the DWORD Value: NoBrowserOptions Set it to: 1
    You can also set any additional settings from above you see fit. This one disables the Internet Options tab on Internet Explorer.
    Also if you are running Windows 98 (I'm not sure if it works on 95) you can add:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    This will disable the user's ability to right-click the mouse on the desktop and get to IE properties there.
- Copy the above AOT to another ZEN app, and call it UnAuth.
    In the SYSTEM REQUIREMENTS, change the Environment Variable "AUTH" to contains NO.
    ASSOCIATIONS is set to EVERYONE and FORCE RUN.
    We leave the Registry Entries that disable IE Features and Right-click on the desktop.
    Find the Registry Entries that set the Firewall/Proxy info and remove any values that configure IE.
    DON'T DELETE THE DWORD VALUE, just remove any setting associated with it.
- Now if you add a user to the IEAuth Group, they should get the settings for accessing the Internet. If not, it should erase the settings in Internet Explorer.
I read the tip by Guy Baker about how to control internet access using ZENworks. We use a similar method which I think is a bit more straightforward. It goes like this:
At the container level we have made an application object (Startup) which is set to 'Force Run', 'Distribute Always' and 'Install only (no executable needed)'. One of the things we have put in is a section of registry settings which sets the proxy settings. The crucial part - in REGEDIT style - is:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="ftp=0.0.0.0:80;gopher=0.0.0.0:80;http=0.0.0.0:80;https=0.0.0.0:80"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
Because we have specified 0.0.0.0 as the proxy server, any internet access will be immediately rejected. By specifying this address for every type of protocol, the proxy address will not be displayed in the Proxy Settings tab. The last entry in the registry file prevents users from accessing the 'Advanced' button in Internet Explorer.
This way the proxy settings will be initially set to 'no internet access' every time a user logs in to the network.
Next we have created a similar application object (Internet) which is also 'Force Run', 'Distribute Always' and 'Install only'. The only thing it contains is the same piece of registry as above, but this time with the proper proxy addresses instead of 0.0.0.0.
All users who should be able to surf the internet are associated with this object.
And presto! The user logs in, first gets the 'no internet access' settings, and then immediately after that he gets the 'internet access' settings.
If you have any questions you may contact Ruud at firstname.lastname@example.org
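An added example, not part of the original tips or of any Novell code: a Python check that reads a REGEDIT4-style export of a workstation's HKEY_CURRENT_USER settings and reports where it deviates from the state the two tips above intend (per-protocol ProxyServer entries, ProxyEnable, and the NoBrowserOptions restriction). The function names and the sample export are constructed for illustration; "no proxy entry" only reports that the string does not cover that protocol.

```python
import re
# Constructed REGEDIT4-style export; 192.0.2.10 is a documentation address.
SAMPLE = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="ftp=0.0.0.0:80;gopher=0.0.0.0:80;http=192.0.2.10:8080;https=0.0.0.0:80"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000000
'''
INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
RESTR = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions"
PROTOCOLS = ("ftp", "gopher", "http", "https")  # the four named in the tip
VALUE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{1,8})|"(.*)")$')

def parse_reg(text):
    """Return {key path: {value name: int or str}}, names lower-cased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            name, dword, string = m.groups()
            current[name.lower()] = int(dword, 16) if dword else string
    return keys

def proxy_map(raw):
    """Map each protocol to its proxy; a bare host:port applies to all."""
    pairs = [p.strip().lower().split("=", 1) for p in raw.split(";") if "=" in p]
    if not pairs:
        return {proto: raw.strip() or None for proto in PROTOCOLS}
    return {proto: dict(pairs).get(proto) for proto in PROTOCOLS}

def audit(text, authorized):
    """List where an export deviates from the state the tips intend."""
    keys = parse_reg(text)
    inet = keys.get(INET.lower(), {})
    findings = []
    if inet.get("proxyenable") != 1:
        findings.append("ProxyEnable is not 1: proxy settings are not in effect")
    for proto, target in proxy_map(inet.get("proxyserver", "")).items():
        blocked = target is not None and target.startswith("0.0.0.0:")
        if target is None:
            findings.append(f"{proto}: no proxy entry")
        elif blocked == authorized:
            want = "a real proxy" if authorized else "0.0.0.0"
            findings.append(f"{proto}: set to {target}, expected {want}")
    if keys.get(RESTR.lower(), {}).get("nobrowseroptions") != 1:
        findings.append("NoBrowserOptions is not 1: Internet Options is editable")
    return findings
```

Calling `audit(SAMPLE, authorized=False)` treats the export as belonging to a user who should have no Internet access, so the http entry that points at a real proxy and the cleared NoBrowserOptions value are both reported.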
In regard to Controlling Internet Access with ZENworks: we control the proxy address also, but instead use an extensible policy. Copy the following code into Notepad and save it as proxy.adm. We created two policy packages, one associated to allowed internet users, and the other to the rest of the office. We then added the proxy server info in each policy, using 0.0.0.0 for the general office users, and the correct address for the allowed users. It's also a lot easier to maintain and view.
Contents of Proxy.adm:
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PART !!ProxyEnable CHECKBOX
    VALUENAME "ProxyEnable"
END PART
PART !!ProxyText EDITTEXT REQUIRED
    VALUENAME "ProxyServer"
END PART
PART !!ProxyOverride EDITTEXT
    VALUENAME "ProxyOverride"
END PART
PART !!ProxyOverrideText TEXT
END PART
PART !!RestrictProxy CHECKBOX
KEYNAME "Software\Policies\Microsoft\Internet Explorer\Control Panel"
ProxyText="Enter, IP address ":" port number"
ProxyEnable="Enable proxy server"
ProxyOverrideText="Seperate multiple addresses with a semi-colon."
ProxyOverride="Do not use proxy server for addresses beginning with:"
RestrictProxy="Disable changing proxy settings"
If you have any ideas about these, fire away...
I am trying to figure out a way to stop users from downloading software from the internet, but still leave them the ability to surf the net. I have seen your tips on controlling Internet Explorer. The problem is we don't use proxy servers. I have tried the registry setting to prevent the "Save This program to disk" function on the File Download screen, but if the user chooses to "Run this program from current location" it comes back with the Explorer window where they can save the file anyway. We are running Win95 machines with IE5, & Novell ZfD2.
There is a document on the Microsoft support web site that details information about the registry keys used with Internet Explorer's "Security Zones" - one feature of which is to restrict downloads. The document ID is Q182569.
Since we are a school, we have set up an application object assigned to students that will load the restrict download registry key to the computer before it launches Internet Explorer. And since many of our staff members need to download things from the Internet, they have their own application object that will reverse those settings before NAL launches IE when they are logged in.
We also utilize Microsoft TID Q179221 which details how to restrict many of Internet Explorer's user interface features.
The download restrictions have a few little quirks with them, but in the course of the past year that we have been using them, they have worked great.
Here are our AOT files used to set this up in our environment.
If you have any questions you may contact Chris at email@example.com
I have a partial solution to Ray Larson's question.
There is an option in the Internet Security settings to prevent the file download option. Have you tried that?
Also, while this next solution will not prevent all downloads, it can give you some control of where info can be downloaded from and saved via IE5, and this has been used successfully in one of our offices.
If you use the IEAK (Internet Explorer Administration Kit), deploy IE5 to all desktops so that they can ONLY download from trusted sites.
Via a NAL object you can periodically add new sites to the Trusted Sites as you see necessary for your staff. For instance we are a government agency, and any sites ending in ".state.nc.us" are considered trusted sites. We have a need for accessing a lot of the info on the EPA site, so epa.gov is a trusted site, etc.
The registry location for the trusted sites is:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\epa.gov]
Basically, add domains as deemed necessary and increment the distribution number so that it will add new domains similar to the registry edit in the above example.
If you have any questions you may contact Jeff at Jeff.Sawdy@ncmail.net
In regard to stopping users downloading from the internet, here is the way we accomplish this. This may be out of the scope of the original posted question but I scouted for ages before having someone point me to this tid. It requires that you are using Border Manager Proxy.
The TID is #2954488; there is also a newer one that explains this process better, #2954664. Basically you set up access rules on the proxy of URL type, for example http://*/*.exe, to stop executables being downloaded.
There are a lot of suggestions about controlling internet access using IE. Now here is a simple solution when using the Netscape browser.
Create one install script using the proxy server's address, then create two NDS application objects, using for both apps the same NAL script. Name one app. as internet access denied, delete one application file, called PREFUI32.DLL (this DLL enables the menu item EDIT/PREFERENCES, get rid of it and now preferences can be edited).
Edit the PREFS.JS and delete the proxy server's address, which holds p.a. the Automatic Configuration File.
When you've done this, users can only gain access to the INTRANET and other IP devices within the LAN/WAN.
So, you can prevent users going out to the INTERNET.
If you have any questions you may contact Gwanito at firstname.lastname@example.org
Pertaining to the suggestions about Internet Explorer. With Windows 98 and IE5 I have found the run command must be enabled to browse the internet which was supported by a TID. Therefore changing the registry to point to the correct proxies is easily changed back by running regedit at the workstation. I have set the policy to only allow listed windows programs, and not added regedit but then the force run of my application changing the proxy settings will not run. Anyone else?
Answer for the question of Dennis Bradley: You can set an ACL for the regini.exe, then create a NAL File for the users who need that application. Let a batch file for execution run which updates the ACL for the regini.exe so that the user which has the NAL icon can start the application.
If you have any questions you may contact Oliver at email@example.com
To Dennis Bradley: Change the filename of REGEDIT.EXE to something bland like SYSTEM.EXE and do your proxy settings change using that name. If your students figure out that name, change it regularly. It seems to run no matter what the filename is. I've used this trick since DOS days any time I needed to "hide" an executable, including changing .BAT filenames to .COM to discourage editing.
If you have any questions you may contact Becky at BeckyF@dcccd.edu