Richard Parmiter

Virtualisation blog and Knowledge Base


Restricting some sites in Internet Explorer

Posted on April 14th, 2009

When it comes to providing Internet Explorer access from a Citrix Server, trying to lock it down can be tricky.

Sure, there are various Group Policy settings that can be applied to lock down the application, but the most common question is how to restrict where users are able to browse. You may want to allow external Internet browsing, for example, but block some sites. The same may apply to internal Intranet sites: blocking some sites that rely heavily on plug-ins, or for whatever other reason is supplied.

In the past the only real way to provide this type of lockdown would be to have a dedicated proxy server or rule base that would provide a white and black list of sites. Depending on the availability of such a process, this may or may not be possible in the environment you are working in. You may also have a different white and black list for different Citrix application silos, so this would need a separate proxy or rule base for each environment.

Another way to lock down some access is to add sites to the Trusted Sites or the Restricted Sites list. This can be set up by Group Policy but is a hassle to maintain, because adding or removing sites from the list relies on other factors: for example, you must edit the Group Policy from a machine that is already configured with the right settings, as the editor will suck in local machine settings as soon as you open it. From experience, this is a real pain and can easily become misconfigured with the wrong settings if someone edits it from the wrong computer. It also doesn't fully block the site; it only blocks the execution of scripts from the site in question. So, if the site runs a script on page launch, the script will be blocked from running and access to the site will effectively be denied. This clearly doesn't apply to all sites, so even adding a site to the Restricted Sites zone doesn't guarantee that it will be blocked.

There is a third way

Internet Explorer can use an automatic configuration script, or .pac file, to provide it with configuration options. Typically this is used to supply IE with the proxy server address automatically. With a bit of additional programming this can be used to provide the exact result required.

The .pac file is just a text file containing JavaScript functions, and it can be configured to provide this lockdown. The configuration can be set to return different proxy server addresses based on the URL being accessed. So, for example, if a site is 'blocked' the .pac file can be configured to return a non-existent proxy server address (or no proxy address at all) and then the site cannot be accessed.

The following expressions are useful.

This is the function required for this to work; the browser calls it once per URL and acts on the string it returns:

    function FindProxyForURL(url, host)

To match the URL and return a direct (no proxy) method. This is the same as adding the site to the 'Do not use proxy server for addresses beginning with:' option. In the case of external sites, returning a direct method of access is great because the browser will never find the site and will time out very quickly.

    if (shExpMatch(url, "**")) return "DIRECT";

In the case of a blocked internal site, returning a direct method of access is of no use, as all computers are on the same network and the browser will still find the site. Instead you will need to return a fake proxy server that does not exist on the network. The browser will time out while trying to find this proxy and IE will not find the site. The browser will not time out immediately, however, and it will appear to take 30 seconds.

    if (shExpMatch(url, "*://Intranet/*")) return "PROXY";

The first wildcard will lock down both http and https access. The second wildcard is deliberately placed after the "/", otherwise it can lock down too many sites (any host whose name merely begins with the same characters). Placing the second wildcard here does, however, mean that you need to enter the URL twice: once as just the name and once for the FQDN as well.

These can all be combined to provide the lockdown required.

Here is a sample ie.pac file.

    // Restricted sites list
    // v1.0
    // Richard Parmiter
    function FindProxyForURL(url, host) {
      // set the address of the real proxy into a variable named proxy
      var proxy = "PROXY proxyserver.fqdn.local:80";
      // list of all restricted sites as shown
      // return "DIRECT" for external sites, as it is quicker for the browser to time out
      // (as published, the site names in these two patterns are missing; "**" as written matches every URL)
      if (shExpMatch(url, "**")) return "DIRECT";
      if (shExpMatch(url, "**")) return "DIRECT";
      // return "PROXY" (a proxy that does not exist) for internal sites
      if (shExpMatch(url, "*://internalsite1/*")) return "PROXY";
      if (shExpMatch(url, "*://internalsite1.fqdn.local/*")) return "PROXY";
      // (as published, the site names in these two patterns are also missing)
      if (shExpMatch(url, "*://*")) return "PROXY";
      if (shExpMatch(url, "*://*")) return "PROXY";
      // bypass the proxy for local (dot-less) addresses
      if (isPlainHostName(host)) return "DIRECT";
      // catch-all: everything else goes via the real proxy
      return proxy;
    }

This file sets a variable at the top holding the correct proxy server address and has a catch-all statement at the end to return this variable if the URL doesn't match any of the statements above it.

The isPlainHostName function applies to any host name that does not include a "." in it. This is the same as ticking the option "Bypass proxy server for local addresses".
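To see the decision logic outside IE, here is an added example (not the post's own ie.pac) that emulates the two PAC helper functions the browser normally supplies, shExpMatch and isPlainHostName, and builds a FindProxyForURL in the post's structure: DIRECT for blocked external sites, a non-existent proxy for blocked internal sites, the real proxy for everything else. All host and proxy names are constructed placeholders; it also exercises the post's wildcard-placement caveat.

```javascript
// Added example, not code from the original post. Host and proxy names are placeholders.

// shExpMatch: shell-style glob match ('*' = any run of characters, '?' = one character),
// emulating the helper that PAC-capable browsers provide.
function shExpMatch(str, pattern) {
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// isPlainHostName: true when the host carries no dot (e.g. "intranet").
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Restricted-sites PAC in the post's structure.
function FindProxyForURL(url, host) {
  var proxy = "PROXY proxyserver.fqdn.local:80"; // real proxy (placeholder)
  var blackhole = "PROXY 192.0.2.1:3128";          // proxy that does not exist (placeholder)

  // external blocked sites: DIRECT makes the browser fail fast
  if (shExpMatch(url, "*://www.blockedsite.example/*")) return "DIRECT";
  if (shExpMatch(url, "*://*.blockedsite.example/*")) return "DIRECT";

  // internal blocked sites: short name and FQDN both listed, as the post notes
  if (shExpMatch(url, "*://internalsite1/*")) return blackhole;
  if (shExpMatch(url, "*://internalsite1.fqdn.local/*")) return blackhole;

  // bypass the proxy for plain (dot-less) host names
  if (isPlainHostName(host)) return "DIRECT";

  // catch-all: everything else goes via the real proxy
  return proxy;
}

// Derive the host the way the browser does before calling FindProxyForURL.
function decide(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}
```

Because the decision is made inside the browser, the block only holds where users cannot change IE's connection settings; the Group Policy or logon-script route described next is what pins the AutoConfigURL.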

This ie.pac file can be referenced in two ways. Either configure the relevant Group Policy entry to point to it, or poke in the relevant Registry setting at logon using a logon script, as shown:

    RegWrite Array("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","AutoConfigURL","http://Internalwebsite.fqdn.local/restrictedsites/ie.pac","REG_SZ")

In this case the ie.pac file is located on an internal web site, but it can also be referenced by a file share or local file (e.g. \\uncpath\ie.pac or c:\ie.pac).

Voila. Happy URL restricting.


Filed under Windows 2003

3 Responses to “Restricting some sites in Internet Explorer”

  1. Seanna Says:
    April 22nd, 2009 at 5:06 pm

    Thanks for writing this.

  2. how to learn a language Says:
    June 7th, 2009 at 4:56 pm

    Very well written post; however, I would recommend that you turn the No Follow off in your comment section.

    Keep up the good work.

  3. Claude Yarish Says:
    June 2nd, 2010 at 2:47 am

    Hey, just found your post when I googled something and wonder what hosting you use for your WordPress; the speed is much faster than my WordPress, I really need it. Will be back to check it out, many thanks!
