Surface Pro (2017) vs Surface Pro 4
Hello, We are trying to lock down some computers to prevent users from accessing options such as changing the desktop wallpaper, changing settings, access to the C drive etc. So far we seem to have been fairly successful using either Windows Configuration or Group Policy. However the one security hole im unable to block is the ability to simply type "shell:systemx86" into the Internet explorer address bar. After looking into it, it appears there are a vast number of these shell: commands , each one bypasses the Group Policy setting which is blocking access to the C drive and takes the user straight to the corresponding folder. Does anyone know a way of blocking these?
Complete list of shell: commands I know of:
shell:Common Administrative Tools
Note, these can also be typed into the run bar (Although we have removed that from the start menu so thats not a problem. We cannot removed the IE address bar as internet access is required)
Whoops, I meant corresponding.
Hi, thanks for your input, unfortunately the functions Im looking to disable are not called shell extensions. Shell extensions are extensions to the windows shell (Such as when you install winzip for instance it integrates some of winzips functions into the windows shell. EG, right click in explorer and click on add to zip file)
Its a real tough one this but there must be a way to disable their use, especially as the current policy's applied to the computer disallow them.
Couldn't you just make the top-level 'Windows' folder private and/or give it administrator only access?
Or am I 'up the wrong tree' again?
Currently the Hard drive has two partitions, c: drive and d: drive. The C drive is hidden in group policy, therefore when you go into windows explorer when logged in as a user you cannot see the c: at all. Same if you were in word for instance and went to open/save a document, they only have access to the D: partition. Which is great, until we found out that by simply typing any of the shell: commands as lised above into the IE address bar, it opens up the relevant folder on the C drive, from which there you can navigate to where ever you want.
Cheers for the input tho mate, I will get to the bottom of this!
This thread is now locked and can not be replied to.