How to Limit User Access to Local Computer or Hard Disks with Internet Explorer 4.01 (179221)


The information in this article applies to:

  • Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 1
  • Microsoft Internet Explorer 4.01 for Windows 95 SP 1
  • the operating system: Microsoft Windows 98
  • Microsoft Internet Explorer 4.0 for Windows 98
  • Microsoft Internet Explorer 4.01 for Windows 98
  • Microsoft Internet Explorer 5.0 for Windows 98
  • Microsoft Internet Explorer 5.01 for Windows 98
This article was previously published under Q179221
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

This article describes how to limit access to hard disks on computers running Internet Explorer 4.01 Service Pack 1 (SP1) or Internet Explorer 5 with Microsoft Windows 95, Windows 95 Service Pack 1, Windows 95 OEM Service Release version 1 or 2, Microsoft Windows NT 4.0, or running Windows 98.

MORE INFORMATION

You can limit access to local hard disks without obtaining an updated Internet Explorer file. Or, you can obtain an updated file that also allows you to apply additional restrictions that are listed later in this article.

How to Limit Local Access Without Additional Files

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To limit access to the local workstation, set the data value of the NoRun DWORD value to 0x1 in the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Setting this value disables viewing local files by typing a file address or URL (for example, "file://c:\") in the Address box, and also disables the Run command on the Start menu.

Setting this value also disables the ability to browse to the local file system using an embedded HTML link. For example, you cannot browse a file by clicking the HTML link provided by the <a href="file://c:\">My File System</a> tag when this registry setting is used.

If you want to disable access to a drive altogether, set the data value of the NoDrives DWORD value as indicated: 
   Drive   DWORD value
   -------------------
   A       0x1
   B       0x2
   C       0x4
   D       0x8
Set this DWORD value in the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NOTE: Internet Explorer checks both HKEY_LOCAL_MACHINE (HKLM) and HKEY_CURRENT_USER (HKCU) for restrictions. The browser first checks HKLM. If it finds the restriction there, it does not check HKCU for the restriction. Typically, you use HKCU for restrictions. The keys and values may already exist in HKCU for this purpose too. However, if you want to use HKLM, you can. You may need to create the appropriate keys and values to make this work. For example, on most computers, the following key exists:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

However, the following key does not exist:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Only the following key exists:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

You need to add the Explorer key and then the approprate values to have the browser read them from this location rather than HKCU.

NOTE: All values are in hexadecimal.

This logic uses a bitwise left shift to decide which drive to use. For example, if you want to disable viewing drive C, set the DWORD value to binary 0100. The code takes the return value from the function, subtracts "A" from the value, and shifts the binary value left by that number of bits.

For example, drive C - drive A = 2. 0001 shifted to the left twice is 0100. Binary 0100 has the hexadecimal equivalent of 0x4. This is how you calculate the drive to disable.

As another example, if you want to disable drive N, use the following method to calculate the hexadecimal value to place in the registry:
  1. Determine the numerical placement value for the letter N. If A=1, B=2, C=3, and so on, then N=14.
  2. Subtract the numerical placement value for A from N (14-1=13).
  3. Left shift binary 0001 by 13. This becomes a binary number with 13 zeros following a 1 (0010 0000 0000 0000).
  4. Convert to hexadecimal: 0x2000.
To disable multiple drives, take each of the individual hexadecimal drive values and add them together for a composite hexadecimal value for the registry. For example, to disable drives C, D, and N, add 0x4 + 0x8 + 0x2000 to equal 0x200C. NOTE: Microsoft has changed the behavior of the registry keys discussed in this article for the various versions of Internet Explorer 4.01. These changes are as follows:

  • A new key, NoFileUrl, is used to disable the ability to browse the local file system using "//file:" links on a Web page.
  • Internet Explorer 4.0: Setting the NoRun value to 1 disables the Run command on the Start menu, and prevents you from being able to gain access to any local files using the Address box.
  • Internet Explorer 4.01: Setting the NoRun value to 1 provides the same results as with Internet Explorer 4.0, along with browsing the local file system using "file://" links on a Web page.
  • Internet Explorer 4.01 Service Pack 1: Setting the NoRun value to 1 disables the Run command on Start menu, and prevents you from being able to gain access to any local files using the Address box.
  • With Internet Explorer 4.01, you must use the new registry setting NoFileUrl, and set it to a DWORD value of 1 to disable the ability to browse the local file system using "file://" links on a Web page.
Therefore, to reproduce the Internet Explorer 4.01 (non-SP1) behavior, both the NoRun and NoFileUrl keys need to be set. With the release of Internet Explorer 4.01 SP1, you must include the new registry value NoFileUrl to disable the ability to browse the local file system using "file://" links on a Web page.

How to Limit Local Access with Additional Update File

Obtain an updated Shdocvw.dll file by installing Internet Explorer 4.01 Service Pack 2. You can obtain Internet Explorer 4.01 Service Pack 2 from the following Microsoft Web site:

http://www.microsoft.com/windows/ie/downloads/default.mspx



The following tables list additional restrictions provided by this updated file. You must manually edit the registry of each computer using the updated Shdocvw.dll file and add the corresponding registry value and setting for each restriction.

Note that these restrictions also apply when you are using Kiosk mode.

Restrictions under HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions: Each DWORD value must be set to 1 to be enabled. To disable the restriction, set the value to 0. 
   Restriction            Description
   ----------------------------------------------------------------------
   NoFileOpen             Disables Open command on File menu, CTRL+O, and
                          CTRL+L.
   NoFileNew              Disables CTRL+N
   NoBrowserSaveAs        Disables Save and Save As on the File menu.
   NoBrowserOptions       Disables Internet Options on the View menu
                          (disables changing browser settings).
   NoFavorites            No Favorites menu, adding to
                          favorites, or organizing favorites.
   NoSelectDownloadDir    Prevents user from being able to select
                          download folder by not displaying the
                          Save As dialog box when a file is downloaded.
   NoBrowserContextMenu   Disables HTML context menu.
   NoBrowserClose         Disable ALT+F4.
   NoFindFiles            Disables the F3 key.
   NoTheaterMode          Disables the F11 key.
NOTE: When you install Internet Explorer 4.01 Service Pack 2, NoFindFiles and NoTheaterMode are automatically set to a BINARY 01 00 00 00 value in the registry. This setting properly enables these restrictions and is set as a BINARY value because of .inf file limitations. A DWORD value of 1 also enables those restrictions.

The following additional restriction must be added in the following registry location:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\ Toolbars\Restrictions 

   Restriction            Description
   ---------------------------------------------------------------------
   NoToolbarOptions       Disables adding, removing, or moving toolbars.
Modification Type:MinorLast Reviewed:11/15/2005
Keywords:kbHotfixServer kbQFE kbenv kbhowto kbui KB179221
©2004 Microsoft Corporation. All rights reserved.