Classic Shell
http://classicshell.net/forum/

Restrict the programs / settings search results?
http://classicshell.net/forum/viewtopic.php?f=7&t=1504		 Page 1 of 1
Author:  The DON [ Mon Oct 21, 2013 7:39 am ]
Post subject:  Restrict the programs / settings search results?
Dear all,We're evaluating Classic Shell in a corporate environment.
At the moment we're struggling with the following issue:

- We want to allow the users to search for the programs and settings, but only those who have been assigned to his user profile by our profile management solution.

If we do that with the normal start menu, we can enable two GPOs to achieve this:

"Remove common program groups from start menu"
http://gpsearch.azurewebsites.net/default.aspx?ref=1#4636

"Show only specified control panel items"
http://gpsearch.azurewebsites.net/default.aspx?ref=1#4697

Like that, only what has been populeted in "HIS" profile start menu is listed back, when you search.
Also, the second policy will only return CPLs and settings of Apps that have "NOT" been restricted.

We therefore don't want that users can type something like "regedit" or "cmd" and be able to run whatever we don't want.
I know that we can even restrict these apps from running. But that's not the only thing we want.
As said, the users should only be able to search the elements that he has been entitled.

So my very simple question now :-)

Is it possible to achieve this also with CSM??

Thanks a lot guys for your efforts!!
All answers are much appreciated!

Best regards,
Don
Author:  Gaurav [ Mon Oct 21, 2013 7:55 am ]
Post subject:  Re: Restrict the programs / settings search results?
I tried enabling those 2 policies just now.

After enabling 'Show only specified control panel items' policy, Classic Start Menu respected it for both browsing Control Panel and search results.

After enabling the 'Remove common program groups from start menu' policy, the items from All Users Start Menu were hidden while browsing All Programs but showed up in search results under "Files". So I guess this part needs fixing.

As for restricting 'regedit' or 'cmd', that can be done by uncheck the option from the Search tab in Start Menu settings called 'Search the system path'
Author:  Gaurav [ Mon Oct 21, 2013 11:47 pm ]
Post subject:  Re: Restrict the programs / settings search results?
There is also the 'Remove user's folders from the Start Menu' policy which Classic Start Menu could support as it's not something it's own settings include.
Author:  The DON [ Fri Oct 25, 2013 6:40 am ]
Post subject:  Re: Restrict the programs / settings search results?
Hello GauravK!

Thanks a lot for your quick check and verification!

Sorry for the delayed answer but I only had a new customer visit planned for today afternoon...

Anyway, I re-checked using a vanilla Win7SP1x64 Installation, where I just added CSM and...
I'm sorry but I get the same result:

Native Start Menu:
Applies all policies fine and I have the settings that I want.

CSM:
Keeps showing everything and continues to lookup also for system apps from the %path% variable even if I have unchecked it.

Attached the screenshot that proves the results.


Btw this GPO also needs to be enabled to avoid the lookup for system files. Sorry, I forgot to mention:

"Remove run menu from start menu"
http://gpsearch.azurewebsites.net/default.aspx?ref=1#4649

Any suggestions on how to fix this properly in CSM?
Also, what platform did you use to replicate the issue?

Thanks,
Don

Attachments:
Settings_and_Results.zip [276.24 KiB]
Downloaded 1161 times
Author:  Gaurav [ Fri Oct 25, 2013 7:49 am ]
Post subject:  Re: Restrict the programs / settings search results?
Ah right. I tested with the cascading menu of Windows 7 style. In the Windows 7 style inline treeview, with the GPOs you mentioned enabled, it doesn't hide the All Users Start Menu folder. Also, turning off "Search the system path" does turn it off if only the first few letters are typed but it shows it again if the exact and full EXE name is typed. Both confirmed.

I guess some Group Policies will have to be revisited for version 4.0.
Author:  Ivo [ Fri Oct 25, 2013 8:32 am ]
Post subject:  Re: Restrict the programs / settings search results?
Hiding the common start menu folders will be fixed.

Typing the entire name of the exe and then running it is not "search". It is just executing whatever you typed.

The "Remove run menu from start menu" does remove the Run command from the menu, does it not? Nowhere in the description it says that it has to disable running commands from the start menu.
Author:  The DON [ Fri Oct 25, 2013 9:58 am ]
Post subject:  Re: Restrict the programs / settings search results?
Dear Guys,

First of all let me tell you that your support is just gorgeous!! :o I greatly appreciate it!

OK to follow up here:

Thanks for having confirmed that it's not just me! :-P

And to respond to you Ivo:
No, it does not just that! :-D Well... get used to it! That's Microsoft! ;-)

So here's the official explanation for this policy:

Quote:
Allows you to remove theruncommand from thestartmenu, Internet Explorer, and Task Manager.

If you enable this setting, the following changes occur:

(1) Theruncommand is removed from thestartmenu.

(2) The New Task (run) command is removed from Task Manager.

(3) The user will be blocked from entering the following into the Internet Explorer Address Bar:

--- A UNC path: \\\

---Accessing local drives: e.g., C:

--- Accessing local folders: e.g., \temp>

Also, users with extended keyboards will no longer be able to display the run dialog box by pressing the Application key (the key with the Windows logo) + R.

If you disable or do not configure this setting, users will be able to access the run command in the start menu and in Task Manager and use the Internet Explorer Address Bar.

Source: http://gpsearch.azurewebsites.net/#4649


So as you can see... It removes quite a bunch of things! And even if it does not state that command residing under %windir% and %windir%\system32 are not processed anymore... Well, that happens as well!
--> This is a very important policy as you can see to restrict users from "Type'n'run" any command that they may know.

Hope this helps..
Do you think these issues can be fixed soon? I mean: What timeframe do you see for implementing these functions?

If you need help in any way to what belongs to GPOs or whatever, don't hesitate to ask! I'm more than glad to help!

Thanks a lot and have a very good weekend,
Don
Author:  Ivo [ Sat Oct 26, 2013 8:30 am ]
Post subject:  Re: Restrict the programs / settings search results?
The DON wrote:
So as you can see... It removes quite a bunch of things! And even if it does not state that command residing under %windir% and %windir%\system32 are not processed anymore... Well, that happens as well!

I don't understand. What does %windir% have to do with anything?
Author:  Jcee [ Sat Oct 26, 2013 1:45 pm ]
Post subject:  Re: Restrict the programs / settings search results?
%windir% is the default location for the run command, if you type cmd it automatically runs command prompt, ect
Author:  Ivo [ Sat Oct 26, 2013 3:13 pm ]
Post subject:  Re: Restrict the programs / settings search results?
Well, ok, but the issue is related to any program found on the %PATH%, not just in %windir%. Does %windir% do something special?
Author:  The DON [ Mon Oct 28, 2013 5:25 am ]
Post subject:  Re: Restrict the programs / settings search results?
Hi Ivo,

Thanks for your interest on this issue!!

No, actually I think that if you can make sure that the %path% directory doesn't get parsed at all when it is unticked in the options, then we can forget about %windir% since %windir% is part of the %path% environment variable. ;-)

So to make the whole story short:

If the option to parse %path% is unticked, just lookup for what is defined in the start menu structure itself (while considering the GPOs mentioned in the first post).

If the option to parse %path% is ticked, lookup the start menu AND any path that is present in %path% (which include %windir% and %windir%\system32 by default).

Does this help?

And sorry if I get back to my previous question:
Do you think this can be achieved soon (timeframe?)?

Thanks and have a great day,
Don
Author:  Ivo [ Mon Oct 28, 2013 8:16 am ]
Post subject:  Re: Restrict the programs / settings search results?
No, the searching of the PATH is unrelated to running programs from the PATH. They are independent features.

At the moment there are no immediate plans to release a new version. It will be at least a month, if not more.
Author:  The DON [ Tue Oct 29, 2013 12:40 am ]
Post subject:  Re: Restrict the programs / settings search results?
Hi Ivo,

OK thank you very much for your feedback!

I'll see what the customer decides... If he can wait for the features to be implemented, good.
Otherwise we'll have to stick with the normal Start Menu.

Thanks again for your support and keep up the good work!!

Best,
Don
Author:  Gaurav [ Mon Jan 20, 2014 9:43 am ]
Post subject:  Re: Restrict the programs / settings search results?
In Classic Shell 4.0.4, the Group Policy settings: 'Remove common program groups from start menu' and 'Remove run menu from start menu' work as expected if they are enabled.
Page 1 of 1 All times are UTC - 8 hours [ DST ]
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/