I have a locked down environment where users are prohibited from doing, well, basically anything but run the specific programs we specify.
We just switched a program from using the venerable "WinHELP" help format to HTML help (CHM) but that seem to have an unwanted and rather dangerous side effect: when a user click on a hyperlink inside the HTML help, a new internet explorer window is opened and the user is free to browse and do terrible things to my server (well, not that much, but still...)
I have checked the session in this case and the IE window is actually hosted within the help engine: there is no iexplore.exe process running in the user session (and it cannot: it's explicitly prohibited).
We have disable all help right now until we find a solution. I'm working with the help team to have all external URLs removed from the help file but that is going to be a long and error-prone task. Meanwhile, I've checked all the group policies option but I have to say that I was unable to find anything that would prevent a standalone IE window hosted in a random process from running.
I don't want to disable WinHTTP or the IE rendering engine or anything of the sort. But I need to prevent all users members of a specific AD user group from ever having an IE window displayed to them.
The servers are running Windows 2003 and Citrix metaframe 4.5.
Thanks in advance
What's the process name when it runs as a help file? You can use the local firewall to deny it internet access.
You can also write a simple Autohotkey script to watch for that window to appear and kill the task by window name.
I don't think you can. If its not running as IEXPLORE.exe the only option available is to continue blocking the help application from starting.