Disable Shell: commands

  hyte1 09:18 20 Dec 2005

Hello, we are trying to lock down some computers to prevent users from accessing options such as changing the desktop wallpaper, changing settings, access to the C drive etc. So far we seem to have been fairly successful using either Windows Configuration or Group Policy. However, the one security hole I'm unable to block is the ability to simply type "shell:systemx86" into the Internet Explorer address bar. After looking into it, it appears there are a vast number of these shell: commands; each one bypasses the Group Policy setting which is blocking access to the C drive and takes the user straight to the corresponding folder. Does anyone know a way of blocking these?

Complete list of shell: commands I know of:

shell:Common Administrative Tools
shell:Administrative Tools
shell:My Pictures
shell:ProgramFiles
shell:System
shell:Windows
shell:History
shell:Local AppData
shell:Common Documents
shell:Common Templates
shell:Common AppData
shell:Common Favorites
shell:Common Desktop
shell:Common Menu
shell:Common Programs
shell:Common Startup

Note, these can also be typed into the run bar (although we have removed that from the start menu, so that's not a problem. We cannot remove the IE address bar as internet access is required).

  BurrWalnut 14:38 20 Dec 2005

The approved shell extensions are defined under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved.

There is also a coresponding CURRENT_USER key.

Hope this helps.

  BurrWalnut 14:39 20 Dec 2005

Whoops, I meant corresponding.

  hyte1 14:44 20 Dec 2005

Hi, thanks for your input, unfortunately the functions I'm looking to disable are not called shell extensions. Shell extensions are extensions to the Windows shell (such as when you install WinZip, for instance, it integrates some of WinZip's functions into the Windows shell, e.g. right click in Explorer and click on add to zip file).

It's a real tough one this, but there must be a way to disable their use, especially as the current policies applied to the computer disallow them.

Thanks again.

  BurrWalnut 15:14 20 Dec 2005

Couldn't you just make the top-level 'Windows' folder private and/or give it administrator only access?

Or am I 'up the wrong tree' again?

  hyte1 08:34 21 Dec 2005

Currently the hard drive has two partitions, C: drive and D: drive. The C drive is hidden in Group Policy, therefore when you go into Windows Explorer when logged in as a user you cannot see the C: at all. Same if you were in Word, for instance, and went to open/save a document: they only have access to the D: partition. Which is great, until we found out that by simply typing any of the shell: commands as listed above into the IE address bar, it opens up the relevant folder on the C drive, from where you can navigate to wherever you want.

Cheers for the input tho mate, I will get to the bottom of this!

This thread is now locked and can not be replied to.
