IE URL Lock
By: Steven Lawrance <urllock@moonlightdesign.org>

The IE URL Lock Browser Helper Object prevents users from navigating to web sites in Internet Explorer and Windows Explorer while permitting URLs that match a Perl-compatible regular expression stored in a registry list.

Table of Contents

Introduction
Download
Example Scenarios
Compatibility
Configuration

Introduction

This browser helper object helps computer administrators enforce Internet Explorer usage policies through the group policy editor that ships with Windows 2000 and above.

IE URL Lock scales from single home computers running Windows XP to geographically disperse networks running Microsoft's Active Directory system. As an example, you can use it to prevent your parents from mistakingly using Internet Explorer on their home computer. You can also restrict web browsing activity in your Active Directory network to only the work-related sites that each user needs for their duties, which can be specified either for each user or based on group memberships. Other possibilities exist, too.

Download

Windows Installer (MSI) file for x86
Administrative template for group policy editor

Release notes and change log
Licenses

IE URL Lock: GNU Lesser General Public License
Perl-Compatible Regular Expressions Library: PCRE License

Source code
Build environment

Example Scenarios

Scenario	How IE URL Lock meets this scenario
Block users from accessing web sites using Internet Explorer and Windows Explorer except for a small set of web sites	By default, IE URL Lock will block all access to http: and https: URLs except for WebDAV folder views. Only those locations that match an entry in the set of permitted location regular expressions will allow the user to bring up that requested page in Internet Explorer or Windows Explorer. By storing its configuration information in the system and user policy registry trees and shipping with an Administrative Policy Template file for the Group Policy editor, the IE URL Lock permits IT administrators to centrally manage IE URL Lock's configurations across a network of computers on both a per-computer and a per-user basis when used in conjunction with Active Directory.
Prevent users from using Internet Explorer as part of a move to a safer browser such as Mozilla Firefox	Instead of using built-in technologies to block Internet Explorer access in ways that were not originally intended such as the proxy.pac approach or Microsoft's Ratings System lockdown suggestion, the IE URL Lock brings a fresh approach to locking down Internet Explorer by using the same interface that many spyware programs use -- install itself as a Browser Helper Object to gain full access to the Internet Explorer browser. When active, the IE URL Lock will prevent Internet Explorer from loading and executing web pages from unauthorized locations. When the user attempts to navigate to an unapproved location, an optional parameter lets IT administrators display a page, as an example, telling the user to contact their support department if the location that they tried to browse to does not work in Mozilla Firefox. If no page or web site location is specified in this setting, the user gets a standard Internet Explorer Navigation Canceled page. In this scenario, WebDAV access may be desirable while restricting Internet Explorer. By default, WebDAV folder views are not blocked by the IE URL Lock.
Prevent the Windows Explorer and Internet Explorer from navigating to all locations; including local and network paths such as C:\, \\server\sharename, "Control Panel," and ftp://mysite; except for those that are explicitly allowed	In addition to locking down Internet Explorer, the IE URL Lock can also lock down the Windows Explorer as it shares the same Browser Helper Object interface. Perfect for the all-controlling IT administrator, the IE URL Lock can optionally prevent users from navigating to folders on the computer, "My Computer," "Control Panel," and all other locations that either a Windows Explorer or an Internet Explorer window can view. In this mode, no special provisions are made for ensuring that all WebDAV folder views work, permitting IT administrators to lock down outbound WebDAV folder views, too.

Compatibility

IE URL Lock is known to work with the following configurations:

Without Active Directory

Microsoft Windows XP Professional SP2 with Internet Explorer 6
IE URL Lock deployment

Local

Double-click on the Windows Installer (MSI) file and follow the on-screen instructions

Remote

Copy an installed "\Program Files\IE URL Lock" folder to a target computer

Import the remote deployment registry file into that computer's registry

With Active Directory

Microsoft Windows XP Professional SP2 with Internet Explorer 6
Microsoft Windows Server 2003 SP1
IE URL Lock deployment

Computer-based policy (assigned): Installation and uninstallation when affected computers are rebooted
User-based policy

Assigned: Install at user logon is required. Uninstallation does not appear to always work when logging on as a user who does not have IE URL Lock in the user policy, even when the "Uninstall this application when it falls out of the scope of management" option is selected (am I doing something wrong? Please let me know :-)
Published: Installation and uninstallation via "Add New Programs" in "Add or Remove Programs" works properly

IE URL Lock should work with the following configurations:

Microsoft Windows 2000

Use the IEURLLock-2000.adm group policy template instead of IEURLLock.adm. The Windows 2000 version lacks built-in documentation, though you can refer to this web site for the parameter and value meanings

Microsoft Windows NT 4.0

Without Active Directory, of course

Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 7

IE URL Lock will not work with the following configurations:

Microsoft Windows 95, 98, 98SE, and ME
Microsoft Windows CE
Microsoft Internet Explorer 5.00 or below

Configuration

By default, the IE URL Lock will prevent navigation to all http: and https: web sites, excluding WebDAV folder views. If that is your desired behavior, then no configuration is necessary. Typically, however, at least one or two sites may need to get added to the permitted location regular expression list.

IE URL Lock automatically detects configuration changes in the registry. As a result, restarting Internet Explorer is not necessary to apply a change.

This web site is being renovated. The content that follows is old and has not been refined into the new structure yet!

Follow these steps to configure the IE URL Lock:

If you are using Active Directory:

Open the "Active Directory Users and Computers" menu item in "Administrative Tools" in the start menu
To be continued...

If you are not using Active Directory:

In the Start Menu, click on Run.
In the Run dialog box, type in gpedit.msc and press Enter or OK.

In either the Computer Configuration or the User Configuration, expand the Administrative Templates tree.
If the IE URL Lock category is not present under Administrative Templates, then right-click on Administrative Templates and select Add/Remove Templates. Otherwise, skip to step #7.
In the Add/Remove Templates window, click on the Add button.
Navigate to the folder that you installed the IE URL Lock to, which is usually "C:\Program Files\IE URL Lock". Select the IEURLLock.adm file and press Enter or Open. Press Close on the Add/Remove Templates window. Depending on the speed of your computer, a few seconds to almost half of a minute will pass as the Group Policy Editor parses all the administrative templates.
Edit the IE URL Lock configuration in the Group Policy Editor. All settings are thoroughly documented. Note that the "Enable User-Specific Configurations" and "Debugging" settings are only computer-specific and are not in the user-specific policies.

If you find this software to be useful to you, please feel free to let me know at urllock@moonlightdesign.org :-)! I love to hear from people who use my software and can also help answer any questions or problems that you have with it. Thanks!