Vanguard said:
The idea works when using shortcuts to start the application because the
command line used to start the application can use psexec to load the
application in a more restricted security environment. However, it won't
help when clicking on URL links unless you also change the filetype
association to also use psexec to load the browser. However, the URL
filetype (Internet shortcut) doesn't run iexplore.exe but instead runs
"rundll32.exe shdocvw.dll,OpenURL %l". I don't know if psexec works with
rundll32 which calls a function from within a dynamic-link library file.
Have you tested it?

Forgot to also mention that the normal icon of IE that is on the desktop is
*not* a shortcut but instead a namespace extension. That means the user
that uses the desktop icon for IE won't be running it under a limited
account environment. I suppose the user could dig into the registry looking
for the namespace extension or use a utility (providing it allows editing
rather than just listing) but the URL filetype and this extension show that
there are other ways that IE gets loaded other than just by using shortcuts,
so psexec has very limited protective value.

A better suggestion would be to have the user go into the Security tab in
Internet Options and up the settings (make more restrictive) for the
Internet security zone which would apply regardless of how IE was started.
Also, users of Microsoft e-mail clients should definitely ensure that they
are using the Restricted Sites security zone (at its default High setting)
for the security setting in the e-mail program.
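
An added example, not part of Vanguard's post: a read-only PowerShell audit that lists the registered "open" commands for the URL file type and related classes, shows whether each one goes through the wrapper, and reports the current level of the Internet and Restricted Sites zones. The `psexec` match string and the `http`, `https` and `htmlfile` classes are assumptions made for the example.

```powershell
# Assumption: the restricted launcher is recognised by 'psexec' in the command line.
$wrapper = 'psexec'

# Classes whose "open" verb can start the browser. InternetShortcut is the .url
# file type named in the post; http, https and htmlfile are assumed extra entry points.
$classes = 'InternetShortcut', 'http', 'https', 'htmlfile'

$launchPaths = foreach ($class in $classes) {
    $key = "Registry::HKEY_CLASSES_ROOT\$class\shell\open\command"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    # The key's default (unnamed) value holds the command line for the verb.
    $command = [string](Get-Item -LiteralPath $key).GetValue('')
    [pscustomobject]@{
        Class   = $class
        Command = $command
        Wrapped = $command -match [regex]::Escape($wrapper)
    }
}
$launchPaths | Format-Table -AutoSize -Wrap

# Security zone templates stored in CurrentLevel (URLTEMPLATE_* values).
$levelNames = @{
    0x00000 = 'Custom'; 0x10000 = 'Low'; 0x10500 = 'Medium-low'
    0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High'
}
$zoneNames = @{ 3 = 'Internet'; 4 = 'Restricted Sites' }
$zoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$zones = foreach ($zone in 3, 4) {
    $props = Get-ItemProperty -LiteralPath "$zoneRoot\$zone" -ErrorAction SilentlyContinue
    $raw = if ($props) { $props.CurrentLevel } else { $null }
    $level = if ($null -eq $raw) {
        'not set'
    } elseif ($levelNames.ContainsKey([int]$raw)) {
        $levelNames[[int]$raw]
    } else {
        'unknown (0x{0:X})' -f [int]$raw
    }
    [pscustomobject]@{ Zone = $zone; Name = $zoneNames[$zone]; Level = $level }
}
$zones | Format-Table -AutoSize
```

Any row with `Wrapped` set to `False` is a launch path the shortcut change does not reach, while the zone levels apply to all of them. The script reads only the per-user zone values; settings delivered through the Policies hive take precedence where present.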