Moving to IE 4.0 and NS 4.0 - Locking Down?

Robert Sullivan SCP_SULLI at sals.edu
Wed Nov 18 23:35:04 EST 1998


>Our library system is researching a move to IE 4.0 and/or NS 4.0 for our
>patrons.  (We are currently using NS 3.0 only with IKIOSK) We would like to
>know if any of you are able to lock down the new browser versions
>sufficiently to prevent the patron from doing the following:

I am nearing the end of my own quest in this area, and I am relieved (since I
didn't plan to buy extra software) that under Windows NT/SP3 it is possible to
do all of the things you specified for free.  (If you're using Win 95/98 and
security software, some of the issues should be similar.)

I have used a modified version of a batch file from the MS Zero Administration
Kit to secure MSIE 3.02.  My setup is partly documented at:

http://www.scpl.org/publicnt

and Real Soon Now I will have time to update the page to include the KiXtart
scripts I use to perform the registry modifications.

I was able to use the same settings for MSIE 4.01 as I have for 3.02, except
that 4.01 wants to have access to LOADWC.EXE.  Research in the Registry and the
MSIE Resource Kit suggests this is used for subscriptions and could be deleted
from the "Run" Registry key.  Not wanting to add extra variables, I chose to
unlock that file.

MSIE 4.01 also was unhappy with my custom of removing Execute privileges from
the download directory, something Office 97 and IE 3.02 handled without a peep. 
It is, however, a fault also shared by MS Works, a program which I am beginning
to despise because of its neuroses.  The Event Viewer suggested it was an
"Execute/Traverse" problem.  Since I have "Bypass Traverse Checking" set to its
default of Everyone, I'm not sure where to go with this, except to set that
folder to Change access.  Any suggestions would be gratefully accepted.

Otherwise...

>*	accessing menus
>*	accessing the pc's hard drive (except c:\temp)
>*	adding/removing bookmarks
>*	changing preferences (options in IE)

No problem.  Frankly, I'm not sure which security setting actually blocks the
View/Internet Options menu, but it works...  Note that you will need to freeze
the entire Explorer Registry key to prevent changes to the toolbars from
sticking (because I'm not sure where the settings are stored; just setting the
base key to read-only didn't work).

>*   	right-clicking

When I first tried this, I was intrigued that the Registry modifications which
disable the right mouse button for general use (getting to the Task Manager,
Display properties, etc.) don't get in the way of allowing you to right-click
on an image to download it.  We think this is a good thing.

Now the only problem I have (was just about to post it to LIBNT-L) is blocking
out the history.  I can set it to 0 days and (by deleting the Typed URLs
Registry key) prevent users from seeing what other users typed into the address
bar, but I haven't been able to delete the day's URLs.  This is a pain.  We'd
definitely like to figure this out.  I am aware that it's stored in an
index.dat file, but setting the profile to read-only didn't seem to affect the
history accumulation.

This wasn't a problem in IE 3.02, because the History option was blocked out
with the rest.  In 4.01, you have the History button, and my other settings
don't block that.  I tried setting the HistoryCache value in the Registry to 0
(default is 0x2000), but IE had a major hissy fit and wouldn't start at all.  I
guess I'll have to go back to the MSIE Resource Kit.

Hope this helps.

>"Now, here, you see, it takes all the running you can do, to keep in the
>same place.  If you want to get somewhere else, you must run at least twice
>as fast."
>~Lewis Carroll, Through the Looking Glass

All in favor of declaring this the official sig line of most of the people on
this list, raise your hands. :-)

Bob Sullivan                               scp_sulli at sals.edu
Schenectady County Public Library (NY)     http://www.scpl.org

