A Microsoft Outlook email forum. Outlook Banter


Preventing Web Page Access from Explorer.exe



 
 
#1
August 2nd 07, 07:17 PM, posted to microsoft.public.windows.inetexplorer.ie6_outlookexpress
[email protected]
external usenet poster
Posts: 1

I've written an application that monitors Internet activity on
machines running Windows 2000 (SP4) and IE6. I thought it was working
well but have discovered a nasty security flaw. If users go directly
to a Windows Explorer window (for example, by double clicking MY
COMPUTER) they can type a web address into the address bar and this
will bring up the page in the Explorer window, making it equivalent to
Internet Explorer. The big problem is that this doesn't show up as
such - the window title is just the web page title, MINUS the
"Microsoft Internet Explorer". Even worse, IEXPLORE.EXE doesn't then
show up in the process list. The end result is that Internet Explorer
is running, but undetectably. I missed this problem initially because
Microsoft seems to have fixed it in Windows XP with IE7.

Any ideas how I can get round this in W2K/IE6? In essence, what I need
to do is to prevent users from accessing web pages via Explorer.exe.
Failing that, I would have to detect that the user was accessing a web
page via Windows Explorer rather than Internet Explorer. I have tried
to find details of DDE commands in Windows Explorer, to let me query
the address in the address bar. If I could see that this started with
"http:" or its variants I should be able to just close the window. I
drew a blank with this - no-one seems to list DDE commands any more.

Removing Windows Explorer title bars or MY COMPUTER doesn't seem to be
an option, as users would then be unable to get to their documents.
The PCs with the problem run Windows 2000 SP4 with IE6. I program in
Borland Delphi (Version 5) but didn't feel this was a Delphi-specific
query.

I would be very grateful for any suggestions, as upgrading all our
machines to XP/Vista will take a long time.
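
An added example, not part of the original post or the poster's application: one way to do the detection the post asks for is to enumerate the Shell's window collection and check each window's host executable and address. It is written in JScript-compatible syntax for Windows Script Host (`cscript`). It assumes that a web page opened in an Explorer window appears in `Shell.Application`'s `Windows()` collection with an `http` `LocationURL` and a `FullName` ending in `explorer.exe`, which should be confirmed on a Windows 2000/IE6 machine; the function names are hypothetical.

```javascript
// Runs under Windows Script Host (cscript); ES3 syntax only, so IE6-era JScript accepts it.
// Schemes treated as web access. Assumption: extend to match what "variants" means locally.
var WEB_SCHEMES = ['http:', 'https:'];

// True when a window's location is a web address rather than a folder or file.
function isWebLocation(url) {
  var u = String(url || '').replace(/^\s+/, '').toLowerCase();
  for (var i = 0; i < WEB_SCHEMES.length; i++) {
    if (u.indexOf(WEB_SCHEMES[i]) === 0) { return true; }
  }
  return false;
}

// Last path component of the host executable, lower-cased ("explorer.exe").
function hostProcess(fullName) {
  var parts = String(fullName || '').split('\\');
  return parts[parts.length - 1].toLowerCase();
}

// Decide what to do with one shell window, from its host EXE and location.
function classify(fullName, locationUrl) {
  if (!isWebLocation(locationUrl)) { return 'ignore'; }  // local folder or file
  return hostProcess(fullName) === 'explorer.exe' ? 'close' : 'log';
}

// Apply classify() to a list of {FullName, LocationURL} records.
function scan(windows) {
  var out = [];
  for (var i = 0; i < windows.length; i++) {
    var w = windows[i];
    out.push({ url: w.LocationURL, host: hostProcess(w.FullName),
               action: classify(w.FullName, w.LocationURL) });
  }
  return out;
}

// Live enumeration: only under Windows Script Host, where ActiveXObject exists.
if (typeof ActiveXObject !== 'undefined') {
  var shellWindows = new ActiveXObject('Shell.Application').Windows();
  for (var n = shellWindows.Count - 1; n >= 0; n--) {
    var win = shellWindows.Item(n);
    if (!win) { continue; }                   // a slot can be empty while a window closes
    var action = classify(win.FullName, win.LocationURL);
    if (action !== 'ignore') { WScript.Echo(action + ' ' + win.FullName + ' ' + win.LocationURL); }
    if (action === 'close') { win.Quit(); }   // closes that Explorer window only
  }
}
```

The same collection and properties can be reached from Delphi through late-bound COM, so the `classify` rule carries over to a monitoring application unchanged.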

#2
August 2nd 07, 07:23 PM, posted to microsoft.public.windows.inetexplorer.ie6_outlookexpress
Bruce Hagen
external usenet poster
Posts: 10,210

For Internet Explorer questions not pertaining to Outlook Express, please
post to one of the following:

IE6 Specific Newsgroup:
news://msnews.microsoft.com/microsof...er.ie6.browser

IE General newsgroup, (For IE6 and IE7):
news://msnews.microsoft.com/microsof...plorer.general
--
Bruce Hagen
MS-MVP Outlook Express
Imperial Beach, CA



 




All times are GMT +1.

