[WEB4LIB] RE: Internet Explorer question

Andrew Mutch amutch at waterford.lib.mi.us
Tue Apr 23 15:41:06 EDT 2002


I've worked quite a bit with versions of IEAK for IE 5 and 6 and I never was
able to build a version of IE that was completely secure along the lines of
PWB. As Bob Sullivan alluded to, there are some "features" in IE for which
there are no documented registry settings that would allow you to disable
the use of the feature.  Some of these security holes are mearly annoyances
while others can be real problems. In either case, it's really frustrating
to go through the process of custom building IE only to come out with an end
product that is "mostly" secure. That's just not good enough in public
settings where patrons will find every little last hole that you leave
behind.

Currently, on our public Internet computers, I use the following
combination:

* Windows2000/SP2 automatically logging into an account with "User" (very
restrictive) permissions
* PWB with many of its built-in restrictions enabled (download only to
floppy, no access to hard drive, etc.)
* StormWindows desktop security (StormWindows is a glorified registry
editor)
* A dozen or so registry hacks to lock out items in Windows that PWB and
StormWindows don't cover
* Additional restrictions on the Desktop folder to stop downloading to the
Desktop

In the future, I'm looking to replace StormWindows with Windows2000 Group
Policy. That should also allow me to reduce or eliminate the number of
registry hacks that I have to do.  The nice thing about the arrangement is
that I haven't had to purchase any additional software or hardware to lock
down the PCs beyond what was spent on the StormWindows site license several
years ago.

I've currently had this arrangement running for several weeks and it has
been far and away more stable and secure than running IE 5/6 on Windows98
with StormWindows and various registry hacks. Windows2000 and PWB get equal
credit for the improved security.

I run a very similar arrangement on my OPACs but in that case, I use
K-Meleon for my browser. Because of the limited use of those computers, I
can lock K-Meleon down even tighter than I do PWB.  I also run K-Meleon with
AutoRestart to restart the browser when patrons close it. I've had that
arrangement running for about a year and I don't think I've ever had a
problem with security on those computers.

Andrew Mutch
Library Systems Technician
Waterford Township Public Library
Waterford, MI




"Bosman, Don" wrote:

> While you can use the IEAK (Internet Explorer Administration Kit)
> to create a fully customized version for your specific needs, I'd
> suggest that something like Fortres would be simpler to install and
> keep up. It is easier to make changes to when a resource changes.
>
> Neither is a breeze, but a default Fortres install will take care
> of lots of problems while you will have to spend or invest several
> real hours studying IEAK to do the same job. IEAK is a free download
> from Microsoft.
>




More information about the Web4lib mailing list