can i just delete iexplore

[McBunny]

we have a few users that are persisting to find ways around everything ive tried so far to block the net on 2 machines in the factory
they only run one small application that doesnt use the net i dont care about windows updates on them really


will it affect the general running of the machine though as i know its used for more than just the internet

 

[Pedro]

Why dont you just block the permissions on the firewall? Assuming you have one?

 

[Tom]

Just disable it in;

Set Program Access and Defaults

or point it to a fake proxy

 

[DMS]

Or uninstall it via Add/Remove Windows Components.

Other options include putting those computers into their own OU and applying a software restriction policy preventing iexplore.exe from running, block ports 80 and 443 somehow (firewall, packet filter on the client machine etc), pointing to a fake proxy (we use 1.1.1.1 for some reason) or simply cutting their fingers off if they do it again.

 

[McBunny]

fake proxy isnt any good they have already figured that out i fear they may be running it with elevated privilege's by logging in as a normal user

 

[McBunny]

Or uninstall it via Add/Remove Windows Components.

you cant uninstall it that way it still stays on the machine

 

[Tom]

You cant remove it.

 

[McBunny]

Why dont you just block the permissions on the firewall? Assuming you have one?

block what permissions ?
im using an asa 5510

 

[Magic Johnson]

Add these keys:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"=""
"ProxyEnable"=dword:00000001
"ProxyServer"="0.0.0.0:80"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Proxy"=dword:00000001

Note: Blocking iexplorer.exe won't work, as people will just explorer.exe to browse the net. This ^ will work though.

 

[DMS]

fake proxy isnt any good they have already figured that out i fear they may be running it with elevated privilege's by logging in as a normal user

Set the proxy settings via Group Policy. The user won't be able to change them then.

EDIT: That basically does what MJ says above - the ProxyOverride key should prevent the user from being able to change the settings. That is what Group Policy does after all - it just changes registry settings.

 

[Magic Johnson]

Unfortunately they can just untick the box, this will work until the computer picks up it's settings again.

EDIT: Unless you can prevent them doing so via GP?

 

[Revels]

Don't be so horrible. Let them play online.

 

[DMS]

@ MJ:

The idea of Group Policy is that you can enforce settings on your computers / users. This means that most settings configured through Group Policy cannot be changed by the end user unless they're a local admin on the machine, a domain admin, or they've been delegated permissions to do so. They'd also need to know HOW to make the change in the first place (gpedit.msc or knowing where to look in the registry editor).

By default if you configure proxy settings through Group Policy, the options in Tools > Internet Options > Connections > LAN Settings will be greyed out and can't be unchecked.

You could also block access to gpedit.msc, regedit, Internet Options, command prompt, notepad etc at the same time. Every tool a user could use to change the proxy settings back can be blocked through Group Policy.

 

[Magic Johnson]

Ours is configured via GP but you can still untick the box. It reverts back if you untick it when it gets its settings again.

 

[Cookie]

Just put the fear of god in all of them by getting HR to make everyone sign a fair usage internets policy

Underline the parts about gross misconduct

 

[McBunny]

i just deleted it from the directory and from dllcache as if you dont it just pops it back in

 

[McBunny]

Just put the fear of god in all of them by getting HR to make everyone sign a fair usage internets policy

Underline the parts about gross misconduct

this came from HR they are making a bunch of blokes redundant and ones just said oh by the way they spend all day on the net on these 2 pc's

 

[DMS]

Ours is configured via GP but you can still untick the box. It reverts back if you untick it when it gets its settings again.

You need to disable changing the proxy settings then.

User Configuration > Administrative Templates > Windows Components > Internet Explorer > Disable Changing Proxy Settings (as below).



Yo' daddy - I am he.

 

[Magic Johnson]

LOL! I didn't set up the GP so I'm not fully aware of all the settings yet!

It's not a setting we really need to know, as everyone knows if they abuse the net they'll be dire consequences (we monitor it heavily). We don't ban the net, we ban the user.

 

[Gally]

So they use the net all day but still have a job, even though the work knows about it?

 

[DMS]

Go ahead and have a play. You might learn something and perhaps even more importantly you'll get to annoy folks by overriding their fluffy kittens screen savers and desktop backgrounds containing their children.
What really pisses them off is when you enforce the standard mouse pointer so their animated "monkey taking a s**t" cursor is no more.

 

[McBunny]

You need to disable changing the proxy settings then.

User Configuration > Administrative Templates > Windows Components > Internet Explorer > Disable Changing Proxy Settings (as below).

View attachment 42344



Yo' daddy - I am he.

it was already done like i said i think they were running ie as another use that does have the privilage of been able to change proxy but i have just gone through their GP and disabled more stuff now too

 

[Magic Johnson]

Go ahead and have a play. You might learn something and perhaps even more importantly you'll get to annoy folks by overriding their fluffy kittens screen savers and desktop backgrounds containing their children.
What really pisses them off is when you enforce the standard mouse pointer so their animated "monkey taking a s**t" cursor is no more.

Wish I could. This company is so 'professional' I'd get probably the sack if I had a bit of fun. Total s**t.

 

[DMS]

Meh. Blame it on a virus.

 

[Cookie]

Go ahead and have a play. You might learn something and perhaps even more importantly you'll get to annoy folks by overriding their fluffy kittens screen savers and desktop backgrounds containing their children.
What really pisses them off is when you enforce the standard mouse pointer so their animated "monkey taking a s**t" cursor is no more.

We have kiosk PC's in the kitchen like this, starting to fix the main build on their machines so it does it too.

Always good fun experimenting with those policy objects, I managed to get it to log on, and then show nothing at all, not even the taskbar

 

[Magic Johnson]

LOL! I might make a test group and just stick one of our training laptops in it, and a testuser group as well.

We've already disabled pretty much every customiaztion option anyway.

 

[DMS]

Our customers are mainly schools so we have to lock the machines down to an extent that most people would find them utterly useless. No right clicking, no saving to the desktop, redirected start menu, can't install stuff, locked down internet, locked down network configuration, add-ons disabled, screen resolution enforced, C: drive invisible, all administrative tools disabled etc...

 

[kerry-w]

Our customers are mainly schools so we have to lock the machines down to an extent that most people would find them utterly useless. No right clicking, no saving to the desktop, redirected start menu, can't install stuff, locked down internet, locked down network configuration, add-ons disabled, screen resolution enforced, C: drive invisible, all administrative tools disabled etc...

But if using windowx XP with normal login each and every security measure can be pretty much rendred useless. Logging in then unpluging ethernet cable logs usr into the machin itself and not to the network, then they can plug back in the ethernet t gain access to the net, no proxys blocking anything. They can also see the C:, format what they like, change what they like.

Can be right pain in the ass

Can download the admin toolpack from MS website, run the file and give themselves admin rights

Hell theres loads of loopholes around XP, used to love having a bash in school at them, I could access any users files by pointing a link from powerpoint to their user address on the server, open the link and I was free to jumble around. Our admin was never the wiser.

 

[PinkoCommie]

block what permissions ?
im using an asa 5510

access-list inside_out extended deny ip host a.b.c.d any

where:
inside_out is the name ofthe access list bound to your internal interface
a.b.c.d is the IP address of the computer

That'll stop them passing any traffic at all through the firewall.

If you just want to block http then use

access-list inside_out extended deny tcp host a.b.c.d any eq 80

edit: make sure you put the rule above the rule which allows your internet access out.

 

[BatFastard]

.

 

[Darren S]

Most users are like kids though. Tell them they can't do something and they will go out of their way to either prove you wrong or show that they can do it. In an ideal world, I'd have a stopwatch with me. When I piss-take unauthorised access has been detected, we walk up to the said user and blip the stopwatch. For every minute of our time to sort out your petty little action, you are having £10 docked off your wage.

They understand the concept of money. And the lack of it through being f**king stupid.

D.

 

[young_lew]

But if using windowx XP with normal login each and every security measure can be pretty much rendred useless. Logging in then unpluging ethernet cable logs usr into the machin itself and not to the network, then they can plug back in the ethernet t gain access to the net, no proxys blocking anything. They can also see the C:, format what they like, change what they like.

I wouldn't recommend using solely group policy to anyone, you have to combine it with local policys too.

I used to build all the computer and laptop images for a secondary school, and i always started with local policy first. As once a user logs onto a machine once their profile is always there. (that means your ethernet trick wouldn't work )

I do realise you can delete the local policys during log off's but that means future logon's take longer.

 

[iain187]

Our customers are mainly schools so we have to lock the machines down to an extent that most people would find them utterly useless. No right clicking, no saving to the desktop, redirected start menu, can't install stuff, locked down internet, locked down network configuration, add-ons disabled, screen resolution enforced, C: drive invisible, all administrative tools disabled etc...

our site is adults and we still have our network locked down like this.

it's good though


we had someone bring in a cmd.exe renamed to whatever the exe sticky keys is, so when he pressed shift 5 times he got a command prompt. quite cute that one

 

[Andy.]

Our machines are locked down. No personalisation is allowed at all, all internet traffic goes through the proxy, .exe's (and all variants) can only run from the C drive where the users have no write or modify rights.

Its amazing what some people can come up with, but these days, most attempts to do something interesting bring up a "Your administrator has disabled this" message.

The staff don't like it and are forever complaining about not being able to access their websites, or change a background picture but we have relaxed the policies a number of times in the past to see how things went, and each time, the majority of people took the piss and spent their days playing games or watching films on youtube, so they now have no option but to work.

 

[Rob]

I can't imagine having a job where this sort of stuff was enforced tbh.

I'd rather not have a job than be treated like a child.

I work solely on a laptop, that has never been touched by anybody with regards to locking anything down.

 

[Magic Johnson]

Exactly my thoughts, we're very laid back in the browsing sense, obviously nothing can be installed because that's a pain in the arse. I truly hate printing out internet usage reports and people getting in to trouble for 5 MINUTES of casual browsing. Fair enough, if they spend all day on the net (hai!) then fine but not 5 minutes. Most hilarious thing is, the boss of these people (the one who asks for the reports) uses the internet almost always MORE than the person they want the report on! Sucks.

 

[Sparky]

Can I just throw firefox into the mixer. If there is a USB port or even floppy they could just run firefox portable if all you do is block ie. You need to set up permission levels

 

[Andy.]

Me either, but I am in the right dept.

To be honest, most of our staff are travellers (not gypsies) and students. The last thing on their mind seems to be doing the work that they are paid for.

 

[Andy.]

Can I just throw firefox into the mixer. If there is a USB port or even floppy they could just run firefox portable if all you do is block ie. You need to set up permission levels

Ours can't. It is not possible to run a .exe from a USB.

 

[Sparky]

Ahh okay just though it was worth mensionong of the sods just beat all your hard work time and time again lol good luck m8