Configuration


This page documents the meaning of each configuration value in URL Lock.

General Information

  • By default, the IE URL Lock will prevent navigation to all http: and https: web sites, excluding WebDAV folder views. If that is your desired behavior, then no configuration is necessary. Typically, however, at least one or two sites may need to get added to the permitted location regular expression list.
  • IE URL Lock automatically detects configuration changes in the registry. As a result, restarting Internet Explorer is not necessary to apply a change.
  • At this time, only the Microsoft Group Policy Editor is supported. A new configuration user interface will be released on or before July 2007.

Enable User-Specific Configurations

  • When enabled, which is the default when it is not specified, IEURLLock will apply a user's IEURLLock registry settings after applying the local machine's IEURLLock registry settings to the running configuration
  • When disabled, users' IEURLLock registry settings are ignored by IEURLLock, permitting IEURLLock to use only the local machine's IEURLLock configuration

Debugging

  • When enabled, IEURLLock writes its activities and internal states to a console window that appears when IEURLLock is active
  • When this setting is enabled, it controls how verbose IEURLLock will be when it writes messages to the console window
  • Each debugging level includes all messages in that debugging level as well as all messages from the debugging levels that are less than the selected debugging level
  • When Debugging is disabled, which is the default when it is not configured or when the debugging level is zero, IEURLLock does not create a console window
  • If you are simply trying to see the results of regular expression comparisons, set the debugging level to 1 or higher for matches or 2 or higher for non-matches

Debugging Level

The following lists the possible values for debugging levels:

  • 0 No debugging
  • 1 Errors
  • 2 Warnings
  • 3 Important Information
  • 4 All Information
  • 5 Minutiae

Access Denial Location

  • URL, UNC, or File Path
  • By default, IEURLLock redirects denied locations to res://webhost.exe/nonavigate.htm. If you want to use a custom access denial location, then specify the URL, UNC, or file path to that location in this setting. This location will not get blocked by IEURLLock
  • Note that this path should ideally not redirect to another location unless that location is permitted via the Permitted Location Regular Expression List
  • Important: If you want to set this to the root path on a web server, then you MUST include the trailing slash or else an access denial will result in an infinite redirect loop if the location with the trailing slash is not in the Permitted Location Regular Expression List (that is, use "http://www.microsoft.com/" instead of "http://www.microsoft.com", as an example)
  • A blank path is equivalent to the default access denial location
  • If the access denial location specified does not exist, the user will get redirected to Internet Explorer's default access denial page. If this happens when the "Restrict Only Web Locations" setting is explicitly disabled and Internet Explorer's default access denial page is not in the Permitted Location Regular Expression List, the browser window may give up or, if the browser window was being created with the new location, the browser window may not appear at all

Enable IEURLLock

  • When enabled, which is the default setting when not configured, IEURLLock blocks locations that are not explicitly allowed in the Permitted Location Regular Expression List
  • When disabled, IEURLLock does not block any locations

Restrict Only Web Locations

  • When enabled, which is the default when this is not configured, IEURLLock only blocks locations that begin with http: or https:. As an exception, WebDAV locations are not blocked when opened as a web folder. Once IEURLLock encounters a navigation to a folder-based view, it delays its blocking decision on each navigation until that navigation's view gets created, to ensure that the Back button works properly when returning to a folder-based view. As a result of this delay, the browser contacts remote web servers and begins to download the navigated site before it is blocked. Fortunately, the blocking decision takes place before scripts are run, so this behavior should be safe, but it is not as safe as blocking the location before contacting the remote server
  • IEURLLock will make its blocking decisions before the browser contacts the remote web server on browser windows that have not shown a folder-based view yet. As an exception, however, if a permitted site redirects to a denied site, then the blocking decision takes place after the web server serving the blocked location gets contacted but before any scripts are run
  • When this setting is disabled, IEURLLock will restrict ALL locations, not just http: and https:. This means that locations such as "Control Panel", C:\, \\server\sharename, res:, and the rest will get blocked unless they are permitted through the Permitted Location Regular Expression List. No special considerations for folder-based views to accommodate WebDAV are enabled when this setting is disabled, meaning that all blocking decisions except for the special redirection case mentioned in the previous paragraph happen once the location is known and before any remote servers are contacted. This option grants IT administrators the greatest level of control and security. Note, however, that it does not affect the Explorer view within the Common File Open and Save As dialog boxes, which do not load Browser Helper Objects, so there are still some ways around this, though Explorer itself can be locked down

Permitted Location Regular Expression List

  • Locations that the user navigates to will get checked against the regular expressions in this list, permitting the navigation as soon as it finds a regular expression that matches the location. If none of the regular expressions match, IEURLLock blocks access to that location
  • IEURLLock uses Perl-Compatible Regular Expressions through the PCRE library. More information on this library and how to construct regular expressions exists at http://www.pcre.org/ and http://gnuwin32.sourceforge.net/packages/pcre.htm
  • Put descriptive names for each regular expression into the Value Name field and put each corresponding regular expression into the Value field
  • If any regular expression compilation errors arise when IEURLLock loads its configuration, IEURLLock will display the descriptive name from the Value Name field in the error message. Other than that, IEURLLock does not care what you put into the Value Name field
  • If your policy editor does not let you edit the regular expressions that you previously added, you can open the Registry Editor, browse to HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER, and open Software\Policies\Steven Lawrance\IEURLLock\AllowList to edit previously-added items. Note that this only works on the local machine. When editing policies in Active Directory, this workaround will not work
  • Example:
Value Name: Microsoft
Value: ^http://(www\.)?microsoft\.com(/|$)
  • Case-Insensitive Example:
Value Name: Force.com Sites
Value: (?i)^http(s)://([-a-zA-Z0-9])+\.(secure\.)?force\.com(/|$)
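
Added example (not part of IEURLLock or the original page): a dry-run check of allow-list entries before they are deployed, showing first-match-permits evaluation, compile errors reported by Value Name, and why the ^ anchor, escaped dots and (/|$) terminator in the examples above matter. It assumes unanchored matching and that Python's re module treats these simple patterns the same way PCRE does; the "Loose Microsoft" and "Broken" entries and all sample locations are constructed.

```python
import re

# First two entries are the page's own examples (Value Name, Value).
STRICT = [
    ("Microsoft", r"^http://(www\.)?microsoft\.com(/|$)"),
    ("Force.com Sites",
     r"(?i)^http(s)://([-a-zA-Z0-9])+\.(secure\.)?force\.com(/|$)"),
]
# Constructed weak entry: no ^ anchor, unescaped dots, no (/|$) terminator.
LOOSE = [("Loose Microsoft", r"http://www.microsoft.com")]
# Constructed entry that fails to compile (unclosed group).
BROKEN = [("Broken", r"^http://(www\.microsoft\.com")]

def compile_list(entries):
    """Compile entries; report failures by Value Name, as the page describes."""
    compiled, errors = [], []
    for name, pattern in entries:
        try:
            compiled.append((name, re.compile(pattern)))
        except re.error as exc:
            errors.append((name, str(exc)))
    return compiled, errors

def permitted_by(url, entries):
    """Return the Value Name of the first matching entry, or None if blocked."""
    compiled, _ = compile_list(entries)
    for name, rx in compiled:
        # Assumption: the match is unanchored, which is why the page's
        # examples carry an explicit ^.
        if rx.search(url):
            return name
    return None

# Constructed sample locations (example.net stands in for an unrelated site).
SAMPLES = [
    "http://www.microsoft.com/",
    "http://microsoft.com",
    "HTTPS://Login.Secure.Force.com/home",
    "http://login.force.com/",            # http(s) makes the "s" mandatory
    "http://www.microsoft.com.example.net/",
    "http://example.net/?u=http://www.microsoft.com",
    "http://wwwxmicrosoft.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:48} strict={permitted_by(url, STRICT)!s:16} "
              f"loose={permitted_by(url, LOOSE)}")
    print("compile errors:", [n for n, _ in compile_list(BROKEN)[1]])
```

The last three sample locations are blocked by the page's Microsoft pattern but permitted by the loose one, which is the difference the anchors and escapes make.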