#186311 - 2008-03-17 08:21 AM
A tough one: removing IE address bar
|
ddady
Getting the hang of it
Registered: 2006-09-03
Posts: 98
|
Hi all,
I'm managing a network of 20 branches i would like to remove the address bar from the IE so the users wont be able to type down any URL's. I want them to use only the URL's i have configured through the GPO in the favorits.
Any help will be appreciated.
|
|
Top
|
|
|
|
|
#186317 - 2008-03-17 10:13 AM
Re: A tough one: removing IE address bar
[Re: NTDOC]
|
ddady
Getting the hang of it
Registered: 2006-09-03
Posts: 98
|
Thnks for the responses.
Richard & NTDOC; as for the other possibilities to open new window or to type in the URL in the windows explorer, you are right but how can i say it in gentle words. 99% of the users in the branches are "dumb" as it goes for manipulating or using Windows OS. They are suffering from a great lack of using the OS, they only now what they have been taught. So in my case disabling the address bar will work quite well [i hope]:-)
Anyway, i will try MART link and the Content Advisor, worst come to worst i'll go for the FW which i know i can do it over there but it's quite complicated since in every branch there is a manager computer which should be allowed to surf all sites.
|
|
Top
|
|
|
|
|
#186323 - 2008-03-17 04:31 PM
Re: A tough one: removing IE address bar
[Re: Gargoyle]
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
I know there have been a number of posts here on how to launch IE with no toolbar, addressbar, as KIOSK, etc.
Kent
|
|
Top
|
|
|
|
|
#186330 - 2008-03-18 07:13 AM
Re: A tough one: removing IE address bar
[Re: NTDOC]
|
ddady
Getting the hang of it
Registered: 2006-09-03
Posts: 98
|
Well, the reg configuration didn't work at all  I guess Microsofot don't realy know their own OS's. According to the guide there should be some keys whicg can't be found and even though i added them it doesn't work. Could be because i have tried it on IE7 and the article refers to IE6 SP1.
So i'm guessing i will have to do it through the FW which is Check Point NG3. It will be a little hard cause i will have to gather all ip's from all computers and build a couple of rules and groups, but that's what they are paying me for, isn't? 
|
|
Top
|
|
|
|
|
#186332 - 2008-03-18 09:41 AM
Re: A tough one: removing IE address bar
[Re: ddady]
|
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
It will be a little hard cause i will have to gather all ip's from all computers and build a couple of rules and groups, but that's what they are paying me for, isn't?
There are a couple of ways to simplify your task.
Method 1 (if your firewall allows it)
- Set the firewall to block access to your entire subnet.
- Add an exception to allow everyone to access the "allowed" sites.
- Add an exception to allow specific hosts (managers, servers) unrestricted access
Doing it this way means that there are a lot less hosts to worry about, and when a new computer comes along it is automatically barred.
There are a lot of problems with this method though.
- It is difficult to manage for sites using DHCP
- If your managers need to use a machine other than their normal one they will get blocked.
- If anyone uses your managers machine they will be allowed access.
- Managing URLs or IPs for allowed sites on a router is difficult, and means that you have to make a change on what is usually a high profile bit of kit. In my organisation such a change hhas to wait until a pre-determined maintenance period.
- It is very hard to determine if there are any problems, or if anyone is bypassing your restrictions, and if they are, who they are.
Method 2 - The Proxy
Most people go with the proxy method because of the problems detailed above. You can use also use a product like Websense if your firewall supports HTTP authorisation referalls (we use Websense in my organisation) but it is extremely expensive and I get the impression that it would be over-complicated in your scenario. It is also a bit kludgy in various areas.
The proxy method is very simple.
- Choose a proxy which will intergrate into Windows authentication (it doesn't need to be a Windows device, LDAP authentication will do)
- Even better is if the proxy will take pass-through authentication (aka Windows Integrated Authentication).
- On your firewall, deny access to all hardware *except* your servers and your proxy.
- On your proxy configure the users and groups who will have access, and define the sites that they will have access to.
- On your clients set the connection target to the proxy, either by GPO or by using one of the proxy auto-discovery techniques
Doing it this way gives you many benefits:
- Because everyone except the firewall computer is blocked there is no way to bypass the security from the client.
- You can now authorise / authenticate using Windows users and groups.
- You don't need to worry about machine IP addresses changing (DHCP).
- You now have the option of tracking Internet usage - useful for things like compliance and capacity planning.
- The tools for updating authorisation rules are likely to be much more easy to use than changing a firewall configuration
- You no longer change the firewall config when you need to update authorisation rules
Your firewall may be able to do some of these, but I wasn't able to find any information on an "NG3" to check.
|
|
Top
|
|
|
|
|
#186333 - 2008-03-18 10:23 AM
Re: A tough one: removing IE address bar
[Re: Richard H.]
|
ddady
Getting the hang of it
Registered: 2006-09-03
Posts: 98
|
Thanks for all the suggestions and the full explanation [Richard]. As for now i don't think they will allow purchasing more Hardware for the Proxy [this company was about to bankrupt and just now is starting to get back on its feet] so financially it's impossible.
I'll try the FW.
Thanks again for all comments and help.
|
|
Top
|
|
|
|
Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart
|
0 registered
and 1045 anonymous users online.
|
|
|
