Is there a way in Classic Shell to disable the double click on the word
Programs? I want to use this with students, but do not want them to be able to
gain access to explorer by double clicking on the word "Programs"
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
What is to stop them from pressing Win+E? Or right-click on Programs and pick
"Open"? Or double-click on any other folder, like Control Panel or
Programs\Accessories?
Plugging arbitrary ways to access Explorer is not a substitution for proper
security. If you want to prevent a user from accessing certain resource, set
the access right accordingly.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I hope I don't come off rude here, but I feel I have very strong security.
All of these other areas you listed are not an issue. Those are all blocked
exactly the way I want them to be. They can't right click on the Programs,
Win+E does nothing. The "ONLY" issue I still have is the ability for them to
doube-click on Programs in Classic Shell. In the built-in start menu, this can
be disabled with a registry entry. I have tried that with Classic Shell, but
that doesn't work.
Since you say "If you want to prevent a user from accessing certain resource,
set the access right accordingly" what do you recommend I set...
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
OK, fair enough.
I'm still trying to understand what you are after. Do you want to prevent
opening any folder from the start menu, or just "Programs"? So are you looking
for a global setting or a per-item setting?
Also if you tell me what registry entry you tweaked, I can look at what it
does.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
If you open the start menu and double click on the word programs, it will open
up an explorer window. I'm just trying to keep that from happening. I still
want them to be able to single click on Programs and it will open up the
programs menu.
This is what we have done in the past that worked.
@="c:\Windows\system32\net.exe"
If they double-clicked on Programs a "command prompt window" displays for less
than a second and closes.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
OK, but don't you have other folders in the start menu? Like Programs ->
Accessories? They can just double-click on Accessories and still access
Explorer.
I'm trying to understand why you are asking for "Programs" in particular, and
not "any folder".
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Thanks xpclient -- That is the regedit tweak we have always used....It just
doesn't seem to work with Classic Shell. As for disabling all forms of running
Explorer -- that I don't know and the blog entry that is referenced doesn't
seem to exist anymore.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
OK, so basically you don't care if the option disables clicking on any folder,
or specifically on Programs. I will think about it and decide which variant
makes more sense.
BTW, what are you doing for the start button? I can right-click on the start
button and select "Open". I can Shift+right-click on the start button and
select "Open Windows Explorer".
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
When I right click and choose Open or Open All Users I get the quick
open/close of the command prompt window -- so maybe that regedit works for
that part of things.
I hadn't tried the Shift Right Click until now. That does allow me to open the
windows explorer..... so I guess I don't have a solution for that.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2010-10-25
Explorer can be run in some way or the other so adding the ability to prevent
double click from opening Explorer won't serve its purpose IMHO. You are
better off setting permissions on the Start menu folders in %userprofile% and
%allusersprofile%.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
The bad news is that I decided not to add an option to disable double-click. I
don't think that's the right way to do security, because there are still ways
to launch Explorer - for example right-click on the start button. Even if I
disable the right-click (which I can), you can still focus the start button
and press the Menu key on the keyboard to bring up the context menu (which I
can't stop).
The good news is that after some experimentation I found a way to prevent
double-click to work. Go to HKCR\Folder\shell and rename (or delete) the open key. Don't forget that in 64-bit systems there are separate registry
keys for 32-bit applications. You may need to patch those as well.
Other than that, I still believe the proper way to secure the system is to
deny access to resources (like files and folders). For example you can deny
access to the whole file system except the Documents folder (so the users can
save their files). This way even if they manage to open an Explorer window
they won't be able to do anything bad with it. Otherwise there will always be
a way to get around your defenses.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
BTW, using net.exe for a placeholder is bad. It is a console application, so
it pops up a console window. Try using something that doesn't need a console,
like C:\Windows\hh.exe.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2011-04-12
Ok - good a bad news again from my side.
We use a redirected start menu for all the students and we also have
everything as secure as possible.
As cpk244 says - it is not really a matter of security but trying to prevent
what if scenarios and in our case to minimise the risk of the students poking
around too much. we have used the
@="c:\Windows\system32\net.exe"
trick for several years now as without it a double click of the programs
folder will open up explorer and allow them to navigate the network EVEN
though gpo resrict it by typing in a URL in the explorer shell.
ibeltchev suggestion on the HKCR\Folder works as suggested to remove the open
option from the Classic Start Menu button and alo the double click on the
programs folder - HOWEVER - it does not prevent a double click on the submenu
of programs (in this case the redirected folder) and again it opens up the UNC
path in explorer.
This is opposite to XP and in fact opposite to the Windows 7 menu which does
not open up explorer when double clicking.
I initially looked at the classic menu to fix the issue of the start menu
being so BIG and EMPTY when you use redirected start menu in Win7 (anyone got
a fix for that pinning items to a redirected menu???) - but may need to go
that way if we are unable to resolve this double click issue. (and heh -
remember - what is important to you may be trivial to others - but we need
this to work!!).
Cheers
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Double-click executes the default verb from the context menu. You can run
process monitor to see which registry keys get used for that.
I still think this is a losing battle. You can't secure all systems this way.
The more you tighten your grip, the more systems will slip through your
fingers. A determined student with time on his hands will always find a
workaround.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Is there a way in Classic Shell to disable the double click on the word
Programs? I want to use this with students, but do not want them to be able to
gain access to explorer by double clicking on the word "Programs"
What is to stop them from pressing Win+E? Or right-click on Programs and pick
"Open"? Or double-click on any other folder, like Control Panel or
Programs\Accessories?
Plugging arbitrary ways to access Explorer is not a substitution for proper
security. If you want to prevent a user from accessing certain resource, set
the access right accordingly.
I hope I don't come off rude here, but I feel I have very strong security.
All of these other areas you listed are not an issue. Those are all blocked
exactly the way I want them to be. They can't right click on the Programs,
Win+E does nothing. The "ONLY" issue I still have is the ability for them to
doube-click on Programs in Classic Shell. In the built-in start menu, this can
be disabled with a registry entry. I have tried that with Classic Shell, but
that doesn't work.
Since you say "If you want to prevent a user from accessing certain resource,
set the access right accordingly" what do you recommend I set...
OK, fair enough.
I'm still trying to understand what you are after. Do you want to prevent
opening any folder from the start menu, or just "Programs"? So are you looking
for a global setting or a per-item setting?
Also if you tell me what registry entry you tweaked, I can look at what it
does.
If you open the start menu and double click on the word programs, it will open
up an explorer window. I'm just trying to keep that from happening. I still
want them to be able to single click on Programs and it will open up the
programs menu.
This is what we have done in the past that worked.
@="c:\Windows\system32\net.exe"
If they double-clicked on Programs a "command prompt window" displays for less
than a second and closes.
OK, but don't you have other folders in the start menu? Like Programs ->
Accessories? They can just double-click on Accessories and still access
Explorer.
I'm trying to understand why you are asking for "Programs" in particular, and
not "any folder".
I've stripped out all the folders. And on the start meu, I used the .ini files
to hide everything but programs, logoff, and shutdown.
@cpk244, see http://www.tomshardware.com/forum/136535-45-disable-double-
click-start-menu and http://techrepublic.com.com/5206-6230-0.html;jsessionid
=79F6CCB03D99BC26475B5C84F4698C65?forumID=101&threadID=231910&start=0. Is it really possible to disable
all forms of running Explorer.exe?
Thanks xpclient -- That is the regedit tweak we have always used....It just
doesn't seem to work with Classic Shell. As for disabling all forms of running
Explorer -- that I don't know and the blog entry that is referenced doesn't
seem to exist anymore.
OK, so basically you don't care if the option disables clicking on any folder,
or specifically on Programs. I will think about it and decide which variant
makes more sense.
BTW, what are you doing for the start button? I can right-click on the start
button and select "Open". I can Shift+right-click on the start button and
select "Open Windows Explorer".
When I right click and choose Open or Open All Users I get the quick
open/close of the command prompt window -- so maybe that regedit works for
that part of things.
I hadn't tried the Shift Right Click until now. That does allow me to open the
windows explorer..... so I guess I don't have a solution for that.
Explorer can be run in some way or the other so adding the ability to prevent
double click from opening Explorer won't serve its purpose IMHO. You are
better off setting permissions on the Start menu folders in %userprofile% and
%allusersprofile%.
I have some bad news and some good news:
The bad news is that I decided not to add an option to disable double-click. I
don't think that's the right way to do security, because there are still ways
to launch Explorer - for example right-click on the start button. Even if I
disable the right-click (which I can), you can still focus the start button
and press the Menu key on the keyboard to bring up the context menu (which I
can't stop).
The good news is that after some experimentation I found a way to prevent
double-click to work. Go to HKCR\Folder\shell and rename (or delete) the
open key. Don't forget that in 64-bit systems there are separate registry
keys for 32-bit applications. You may need to patch those as well.
Other than that, I still believe the proper way to secure the system is to
deny access to resources (like files and folders). For example you can deny
access to the whole file system except the Documents folder (so the users can
save their files). This way even if they manage to open an Explorer window
they won't be able to do anything bad with it. Otherwise there will always be
a way to get around your defenses.
BTW, using net.exe for a placeholder is bad. It is a console application, so
it pops up a console window. Try using something that doesn't need a console,
like C:\Windows\hh.exe.
Ok - good a bad news again from my side.
We use a redirected start menu for all the students and we also have
everything as secure as possible.
As cpk244 says - it is not really a matter of security but trying to prevent
what if scenarios and in our case to minimise the risk of the students poking
around too much. we have used the
@="c:\Windows\system32\net.exe"
trick for several years now as without it a double click of the programs
folder will open up explorer and allow them to navigate the network EVEN
though gpo resrict it by typing in a URL in the explorer shell.
ibeltchev suggestion on the HKCR\Folder works as suggested to remove the open
option from the Classic Start Menu button and alo the double click on the
programs folder - HOWEVER - it does not prevent a double click on the submenu
of programs (in this case the redirected folder) and again it opens up the UNC
path in explorer.
This is opposite to XP and in fact opposite to the Windows 7 menu which does
not open up explorer when double clicking.
I initially looked at the classic menu to fix the issue of the start menu
being so BIG and EMPTY when you use redirected start menu in Win7 (anyone got
a fix for that pinning items to a redirected menu???) - but may need to go
that way if we are unable to resolve this double click issue. (and heh -
remember - what is important to you may be trivial to others - but we need
this to work!!).
Cheers
Double-click executes the default verb from the context menu. You can run
process monitor to see which registry keys get used for that.
I still think this is a losing battle. You can't secure all systems this way.
The more you tighten your grip, the more systems will slip through your
fingers. A determined student with time on his hands will always find a
workaround.