Disable Shell: commands

  hyte1 09:18 20 Dec 05
Locked

Hello, We are trying to lock down some computers to prevent users from accessing options such as changing the desktop wallpaper, changing settings, access to the C drive etc. So far we seem to have been fairly successful using either Windows Configuration or Group Policy. However the one security hole im unable to block is the ability to simply type "shell:systemx86" into the Internet explorer address bar. After looking into it, it appears there are a vast number of these shell: commands , each one bypasses the Group Policy setting which is blocking access to the C drive and takes the user straight to the corresponding folder. Does anyone know a way of blocking these?

Complete list of shell: commands I know of:

shell:Common Administrative Tools
shell:Administrative Tools
shell:SystemX86
shell:My Pictures
shell:Profile
shell:CommonProgramFiles
shell:ProgramFiles shell:System
shell:Windows shell:History
shell:Cookies
shell:Local AppData
shell:AppData
shell:Common Documents
shell:Common Templates
shell:Common AppData
shell:Common Favorites
shell:Common Desktop
shell:Common Menu
shell:Common Programs
shell:Common Startup
shell:Templates
shell:PrintHood
shell:NetHood
shell:Favorites
shell:Personal
shell:SendTo
shell:Recent
shell:Menu
shell:Programs
shell:Startup
shell:Desktop
shell:Fonts
shell:ConnectionsFolder
shell:RecycleBinFolder
shell:PrintersFolder
shell:ControlPanelFolder
shell:InternetFolder
shell:DriveFolder
shell:NetworkFolder
shell:DesktopFolder

Note, these can also be typed into the run bar (Although we have removed that from the start menu so thats not a problem. We cannot removed the IE address bar as internet access is required)
Thanks.

  BurrWalnut 14:38 20 Dec 05

The approved shell extenstions are defined under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved.

There is also a coresponding CURRENT_USER key.

Hope this helps.

  BurrWalnut 14:39 20 Dec 05

Whoops, I meant corresponding.

  hyte1 14:44 20 Dec 05

Hi, thanks for your input, unfortunately the functions Im looking to disable are not called shell extensions. Shell extensions are extensions to the windows shell (Such as when you install winzip for instance it integrates some of winzips functions into the windows shell. EG, right click in explorer and click on add to zip file)

Its a real tough one this but there must be a way to disable their use, especially as the current policy's applied to the computer disallow them.

Thanks again.

  BurrWalnut 15:14 20 Dec 05

Couldn't you just make the top-level 'Windows' folder private and/or give it administrator only access?

Or am I 'up the wrong tree' again?

  hyte1 08:34 21 Dec 05

Currently the Hard drive has two partitions, c: drive and d: drive. The C drive is hidden in group policy, therefore when you go into windows explorer when logged in as a user you cannot see the c: at all. Same if you were in word for instance and went to open/save a document, they only have access to the D: partition. Which is great, until we found out that by simply typing any of the shell: commands as lised above into the IE address bar, it opens up the relevant folder on the C drive, from which there you can navigate to where ever you want.

Cheers for the input tho mate, I will get to the bottom of this!

This thread is now locked and can not be replied to.

Surface Pro (2017) vs Surface Pro 4

20 groundbreaking 3D animation techniques

How to mine Bitcoin on Mac