How to disable "Open in Immersive Browser" in IE 11

  • Question

  • Hello,

    I am trying to stop our users from using the Immersive Browser in Windows 8.1 and IE11, as our filtering is done by a local application using a plugin. This BHO does not work in immersive view, and therefore bypasses all of our black lists and filtering.

    Initially I thought setting Internet Explorer to "Always open links in Internet Explorer in the desktop" in GP would disable the Immersive Browser, however there is an option under File called "Open in Immersive Browser" which overrides this setting and loads the App version.

    I used Group Policy to disable the toolbar which worked, however it turns out if you right click on an open Tab you get the same option, thus bypassing our security again.

    I would ideally like a GPO setting to remove the "Open in Immersive Browser" option full stop, but as there doesn't appear to be one the next best thing would be a registry fix.

    After some investigation I found these keys:

    HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

    HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice

    If I change the value "ProgID" to anything other than "IE.HTTP" it causes the "Open in Immersive Browser" link to open in a new tab, and not the Immersive Browser ..perfect! So within GP I set "Don't check if IE is the default browser", and "Don't inform user if IE is not the default browser" and changed the registry keys' "ProgID" to "DisableImmersive".

    Unfortunately once again there is a quick and easy work around for our would be hackers. The first time "Open in Immersive Browser" is selected it appears nothing happens. The truth is, behind the scenes IE is overwriting the keys back to IE.HTTP. As such if you select Open in Immersive Browser a second time, it opens and I am back to square one.

    We have mandatory profiles for some users, and I have edited the ntuser.man files for those profiles by loading the hive offline, and removing all permissions to those particular registry keys. To do this I disabled inheritance and deleted all the remaining permissions. This has worked and as such, this is now my goal for our roaming profiles.

    I have looked at RegIni, ICACLS, CACLS, subinacl and SetACL but none seem to allow me to remove inheritance of registry key permissions, or deny access. I am unfamiliar with VB scripts and PowerShell, but wondered if these would give me the power to remove access to these keys as part of our logon scripts?

    If anyone can help me out with a script to deny access to these keys, or a custom ADM that can remove the link to "Open in Immersive Browser" completely I would be extremely grateful.

    Regards
    Mr..D

    Wednesday, March 19, 2014 9:02 AM

Answers

  • That's not quite right Bill, if I understood him well enough.

    Whether it's wise or not, he asked for how to use scripting to change permissions on a registry object.

    Well ... given that he received all his advice against it and appears to have done quite some research on his problem, if not necessarily scripting, I'll just write a little something he may find useful. Use with brains though, after all it's messing with the registry ...

    # Read the current DACL of the key
    $acl = Get-Acl "HKCU:\Software\ABCDE"
    # Build a Deny rule for the group that also flows down to subkeys
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule("DomainName\GroupName","FullControl", "ContainerInherit, ObjectInherit", "None", "Deny")
    # Put the rule into the DACL and write it back to the key
    $acl.SetAccessRule($rule)
    $acl | Set-Acl "HKCU:\Software\ABCDE"

    Not saying this will perfectly fit your needs, you may want to consider what permissions are needed (and what permissions need to be retracted ...). Use "$acl | Get-Member" to find out, what $acl can do for you ...

    Cheers,
    Fred

    Edit: Do consider going jrv's path, please. Doing this by script isn't exactly among the "best practices". Probably doesn't even make it up to "mediocre", really.


    There's no place like 127.0.0.1


    • Edited by FWN Wednesday, March 19, 2014 4:28 PM
    • Marked as answer by Mr..D Thursday, March 20, 2014 1:22 PM
    Wednesday, March 19, 2014 4:24 PM
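Fred's Get-Acl / RegistryAccessRule / Set-Acl approach carried through for the two UserChoice keys from the question, as an added example that is not part of the thread; the function name Protect-UserChoiceKey, the choice of rights to deny and the read-back check are my assumptions, and it is meant to run in the affected user's own session (HKCU) while the caller can still change the key's DACL.

```powershell
# Added example (not from the thread): deny the logged-on user the rights IE
# needs to rewrite ProgID on the two UserChoice keys, then verify the DACL.
# Assumptions: run as that user (logon script), keys exist, DACL still editable.

$UserChoiceKeys = @(
    'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice',
    'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice'
)

function Protect-UserChoiceKey {
    param([Parameter(Mandatory)][string]$Key)

    if (-not (Test-Path -Path $Key)) {
        Write-Warning "Key not found, nothing to protect: $Key"
        return $false
    }

    # The account whose HKCU this is: the interactive user.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    $acl = Get-Acl -Path $Key

    # Cut inheritance from the parent key but keep copies of the inherited
    # entries so reads keep working; the explicit Deny added below still wins
    # because Deny ACEs are evaluated before Allow ACEs.
    $acl.SetAccessRuleProtection($true, $true)

    # Deny only what is needed to change the value or undo this ACL.
    # Read is left alone so the URL association still resolves for IE.
    $R = [System.Security.AccessControl.RegistryRights]
    $rights = $R::SetValue -bor $R::CreateSubKey -bor $R::ChangePermissions -bor $R::TakeOwnership

    $deny = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $identity, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Deny'
    $acl.AddAccessRule($deny)

    Set-Acl -Path $Key -AclObject $acl

    # Verify by reading the DACL back instead of trusting the call succeeded.
    $applied = (Get-Acl -Path $Key).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $identity
    }
    return [bool]$applied
}

foreach ($key in $UserChoiceKeys) {
    if (Protect-UserChoiceKey -Key $key) { "Deny rule in place: $key" }
    else { Write-Warning "Deny rule NOT applied: $key" }
}
```

As Bill notes later in the thread, the user still owns keys under HKCU and an owner can always rewrite the DACL with a registry editor, so this only holds while regedit and similar tools are themselves blocked.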

All replies

  • Hi Mr. D,

    I'm sure there's a way to do this using PowerShell, however ... how do you prevent your users from using other tools like Firefox? (There are versions that require no installation)

    I somehow fail to see where a black-/white-listing in a Browser Addon makes a lot of sense: Think about all the work you have spent so far on this, when setting this at firewall/proxy level would have enforced it globally for all applications as desired.

    Anyway, if you're set in your ways, the ACL PowerShell Module will likely serve your needs (don't get your hopes up, though; Your users likely will find a way around this one too)

    Cheers,
    Fred


    There's no place like 127.0.0.1


    • Edited by FWN Wednesday, March 19, 2014 11:13 AM
    Wednesday, March 19, 2014 9:27 AM
  • Hello there,

    The software is actually very good and allows us to do far more than just filtering. It runs as a client on each workstation, and has proven very successful over several years. To my knowledge this is the first time anyone has managed to get round it, and it is still only the filtering, and due to a new Immersive Browser that I can't seem to disable. The BHO is enabled via group policy so even if a portable browser is used (which is unlikely due to the restrictions in place) the filtering still works. Anyway, all that is by the by. I accept your point, but am happy with the current system.

    What I would really like to know is if anyone knows of a registry key that completely disables the immersive browser, so when "Open in Immersive Browser" is clicked it does nothing or opens a new tab.

    Failing that I need to deny access to the registry keys as mentioned above, and would be grateful if anyone has experience of doing this.

    I don't think it can be achieved using RegIni, ICACLS, CACLS, subinacl or SetACL, and having never used PowerShell, I am not getting very far. An example script, or any other suggestion on how to add "deny" permissions to a registry key would be very helpful.

    Thanks,

    Mr..D

    Wednesday, March 19, 2014 10:31 AM
  • This really isn't a scripting question, is it, but some sort of security related or GPO question?

    -- Bill Stewart [Bill_Stewart]


    Wednesday, March 19, 2014 2:19 PM
    Moderator
  • You can only force IE to open in desktop only mode.  That can be done in GP but IE will always open in desktop mode.  You cannot have both.

    As noted, your add-in has issues.  Contact the vendor for a fix.  We cannot help you with that.

    Post in GP forum for assistance with setting GP correctly.


    ¯\_(ツ)_/¯

    Wednesday, March 19, 2014 2:26 PM
  • I would also respectfully suggest that client-side filtering isn't the right approach to begin with. With enough knowledge, a local administrator can always bypass it. In some jurisdictions, client-side only filtering would be insufficient, legally speaking, to prove an employee accessed an inappropriate web site.


    -- Bill Stewart [Bill_Stewart]

    Wednesday, March 19, 2014 2:36 PM
    Moderator
  • The issue is one of security, but I believe the solution is a script.

    My request therefore is could somebody please help me write a script that will deny access to the following registry keys.

    HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

    HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice

    I apologise if my post was misleading, but I wanted people to understand my issue and why I need help with a script.

    Regards Mr..D

    Wednesday, March 19, 2014 2:49 PM
  • That is exactly what Group Policy does.  It alters the user registry keys to prevent the browser from running anywhere but on the desktop.  Altering those keys will not do what you want.

    ¯\_(ツ)_/¯

    Wednesday, March 19, 2014 2:51 PM
  • Here:

    In Group Policy -

    -Expand Administrative Templates
    -Expand Windows Components
    -Select Internet Explorer 
    -On the right hand side you will find the list of the settings, search for "Turn on menu bar by default", Double click to open, select "Disable" and "Apply".
    -Once the group policy is updated on the clients, open Internet Explorer browser and you should not be able to see the menu bar.


    ¯\_(ツ)_/¯

    Wednesday, March 19, 2014 2:53 PM
  • You can't deny access to those because they're in HKEY_CURRENT_USER. A user can simply go in and change the permissions. A user implicitly has full control over their own section of the registry.

    Your real problem isn't IE or registry permissions but rather how to filter web traffic. To do this correctly requires an appliance or proxy server at the network gateway that can do this for you. Client side is not the proper way to do this because you can't prove the filter hasn't been bypassed or that the logs haven't been tampered with.


    -- Bill Stewart [Bill_Stewart]

    Wednesday, March 19, 2014 2:54 PM
    Moderator
  • OK to cover the points raised so far.

    I don't want both. I want the users to be able to use IE in desktop mode only.

    As I explained in my original post I have already disabled the GP setting that disables the Taskbar, hence preventing them from using ALT 'F' and then 'w' to open the immersive browser. However, if you right click on any open tab in IE 11 the same option is available which again opens the Immersive Browser.

    Altering the keys I have mentioned does do exactly what I want. When they are modified, using "Open in Immersive Browser" opens a new Tab in Desktop mode. I am yet to find any other registry key that does this.

    The users cannot simply go in and change the permissions as they do not have access to edit the registry. Hence if I remove all permissions, or add deny permissions the issue is resolved. This has worked for our mandatory profiles, as I can edit the ntuser.man offline and there are only a dozen profiles covering 800 users. Unfortunately, there are too many users with roaming profiles for this to be a workable solution for them, hence I need a script I can apply to GP or their logon.

    I appreciate that you believe filtering the internet with a proxy is a better solution, however a solution that would offer the flexibility and granularity we get from our client software is so much more expensive that it is not feasible. The software works extremely well, and offers significantly more than just web filtering.

    Your point that this is the vendor's issue is true. But I would have the same issue if I was running IE in Kiosk mode, which Group Policy does cater for. In this scenario, the user could escape Kiosk mode by using the immersive browser. I would suggest Microsoft should have provided a means to uninstall the Immersive Browser, or disable it completely in GP.

    I therefore still need to know how to deny access to a registry key using PowerShell, or how to fully disable the Immersive Browser using GP.

    Thanks Mr..D

    Wednesday, March 19, 2014 3:50 PM
  • This isn't really a scripting question, as noted. Please ask about it in a more appropriate forum, such as Group Policy or Internet Explorer. You should also ask your vendor for further guidance on how to prevent users from bypassing their software.


    -- Bill Stewart [Bill_Stewart]

    Wednesday, March 19, 2014 4:06 PM
    Moderator
  • Again - Group Policy can set registry permissions on user keys if that is what you are after.  This is part of GP enforcement.  Post in GP forum to learn how.

    Don't let yourself get stuck in a technical rut by insisting on a non-starter solution.  You have an idea stuck in your mind.  Many here with more experience have pointed out alternate methods to your goal.  You are blinding yourself by insisting that you know the correct method and yet you do not know it or you would have implemented it.

    You can also use the IEAK to alter many of the IE behaviors and tool bars/menus.  Post in IE forum for directions on how to use IEAK.

    The simplest repair is to have the users run a REG file with correct permissions set.


    ¯\_(ツ)_/¯

    Wednesday, March 19, 2014 4:23 PM
  • This question is misdirected in the first place. If the OP really wants to do client-side filtering, then go ahead, but if it was me, I would not rely on this solution. Changing IE configuration can be done with Group Policy. In any case, the OP really needs to ask the vendor of this software how to fix the issue. Asking how to change registry permissions to fix this problem using a script is a good example of the XY problem.

    -- Bill Stewart [Bill_Stewart]

    Wednesday, March 19, 2014 4:35 PM
    Moderator
  • Hello again,

    I am sorry this post has raised so many hackles, and that you believe it was posted in the wrong forum. I still don't believe that is the case, as I don't think IE or GP hold the solution.

    OK to respond to the last few posts:

    I honestly don't believe that Immersive Browser can be fully disabled using group policy, however I will happily try any settings that you think I may have overlooked, and report back, as I cannot be the only administrator who would rather it wasn't used. It would also be a more eloquent solution. I have however already set:

    Do not check if IE is the Default Browser

    Do not inform user if IE is not the default user.

    Open all links in Desktop Mode

    Disable the Toolbar.

    The issue is the user can still right click on an open tab (on the tab itself) and select open in Immersive Browser.

    As for changing the Registry settings in GP, I agree you can. However it doesn't allow me to prevent them from being changed straight back by IE.

    In my tests when a user logs on, Immersive Browser is indeed disabled. However if the user tries to open immersive browser IE immediately overwrites the reg keys back to IE.HTTP. If the user then selects "Open in Immersive Browser" a second time the Immersive Browser opens.

    This leads to I can change registry permissions in GP. Again yes I can, but not for User Configuration. If I could I would have exactly what I need, however to the best of my knowledge this can only be done for Computer Configuration and therefore HKLM.

    OK the next suggestion is to have the users run a REG file with correct permissions set. I absolutely agree, but do not know how to achieve this, hence asking for help with the script.  I have tried exporting the required reg keys and simply importing them into a users profile at logon. This changes the keys but not the permissions. I would be very interested to learn how to export a reg key with the permissions I want set so I can simply import via logon script. I know I can achieve this with files and folders using XCOPY etc, but I have no knowledge of how to do this with a registry key.

    Finally, Fred. Thank you for your script, it is good of you to point me in this direction when you don't entirely agree with my methods. What is really frustrating is I had looked into this and could not get the first command to work, which thwarted my progress. On comparing my work to yours, I wasn't completely there but was heading in the right direction. The issue was simply my Syntax. I had missed the : after HKCU ...Very frustrating!

    All that said I would still be interested to know if I have in fact overlooked a GP setting to fully disable the Immersive Browser. A way of setting Registry permissions under User Configuration in GP, and or a way of exporting Reg keys with permissions intact.

    I'm guessing the reality is I have outstayed my welcome and no further help will be forthcoming. If that is indeed the case thank you all for your advice and thank you Fred for the script which has got me sorted out.

    Regards Mr..D

    Thursday, March 20, 2014 1:21 PM
  • Hi Mr..D,

    glad to have been of assistance.

    About that overstaying your welcome however: That's not technically true. As jrv pointed out however, most of the open points aren't really scripting issues. Your best course for that would be to ask in technet forums dedicated to either IE or Group Policies.

    I think the primary reason you got so much advice against your cause, is that your solution as described violates plenty of good practices while none of us are in the same situation you are (it really is nigh impossible to give a full background of the limitations you work under to people who do not share the same experience right along with you).

    At least, my advice (and nagging) wasn't based on the quality of the question asked. It was my impression that you had done lots of research on the topic and tried to convey the steps as well as you were able to, which frankly isn't the case in many questions asked here.

    Sooo ... if another scripting issue arises, feel free to visit us here again :)

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Thursday, March 20, 2014 1:45 PM
  • Again - the IEAK is your pal.  Post in the IE developer forum for how to use it.

    For your issues with GP post in GP forum.

    To set registry security post in GP forum.  You cannot do this remotely with a script.

    The settings you are choosing for GP are not correct from what I can see.  You want to set IE to always open all links on desktop and to always open on desktop.  I run my IE 10/11 this way with no issues.  All links and all icons for IE always open on desktop and there are no menus offering other options except on the tab.   Tell vendor that their software does not work when this item is selected.

    Now you have options  for all methods you have asked for.  Just choose the one you like.

    Immersive Browsing is a fundamental requirement of Windows 8/2012.  Many features are implemented in the immersive browser.  To completely disable this would disable many Windows 8 Apps. The issue you have is one of older application compatibility.  Who knows how many other issues exist with that application.  Have you run "App Verifier" on it?  It could be a bigger security leak than any protection it gives.

    As an admin your task is to fix issues.  You are not supposed to "hack" your way around software failure especially in the security arena.  Proceed with extreme caution.


    ¯\_(ツ)_/¯

    Thursday, March 20, 2014 1:54 PM
  • This solution can be bypassed by a knowledgeable user. Personally, I would not rely on it, particularly if/when a user is known to have violated terms of service but you can't prove it because they bypassed the filter.

    -- Bill Stewart [Bill_Stewart]

    Thursday, March 20, 2014 2:23 PM
    Moderator
  • Old thread but still; hope I can prevent a lot of frustration for some people looking for this option as mentioned in OP. 

    For my use-case I also wanted it to be removed from the file menu since I could not remove the file menu entirely (requirement). I had already tried all other suggestions from this post (and lots of other posts) like GPO, scripting, IEAK. After a lot of digging I found the following registry entry with procmon when launching the immersive browser:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\BlockImmersiveBrowser, REG_SZ, Value 1.

    Worked as a charm so far. Hope it helps others.

    Tuesday, August 25, 2015 7:32 AM