Need to stop students from opening Firefox

[PJack]

I need to prevent students from using Firefox. I have prevented it in group policy by not allowing them to run an .exe from jump drives or their student folders (Software Restrictions) and by putting firefox.exe on the "Don't run specified Windows applications" (System). The C drive is also hidden via GPO. All this is working.
Now they have discovered that if they click on Start | All Programs | and double click on StartUp a Windows Explorer window will be opened and they can use the Up Button to navigate to Program Files\Mozilla, copy firefox.exe and paste it right back in the same folder and boom, they can double-click and run the setup which does not pick up any proxy and off to Facebook they go.
I cannot get rid of the Standard Buttons bar (to get rid the Up button) because it gets rid of it in IE, too and they must have access to the File menu.

I know this is a long post but I cannot find the answer to this anywhere and thought others here might have faced this one.

TIA!
Pam

[Gatt]

Why not create an SRP Hash Rule for firefox.exe - this will then ensure that FF cannot be run anywhere, even if renamed (eg to FF.exe)

[Andrew_C]

Why not embrace a standards compliant browser and then deal with Farcebook via either a technological fix (Firewall, Smoothwall etc) or make it a classroom management (ie someone else's) problem?

[srochford]

Might be a daft question, but why do you have it installed if you don't want it to be used?

If it's there because some groups need it but most don't then change the permissions on the .exe so that instead of allowing "users" read/execute you only allow "firefox_users" permissions on the file

If it needs to be there for everyone but only at certain times of the day then set scheduled tasks to remove the users read permission at (say) 09:00 and restore it at (say) 15:00

[rvdmast]

Or, instead of using a "blacklisting" approach, whereby executing from every location is allowed by default, except from the locations you specify,
use a "whitelisting" approach, where everything is denyed by default except specified locations. you then allow certain locations such as the windows folder,
the %programfiles% folder and any network path's where your applications arre installed.

As a general security rule of thumb: do not allow execute where users have read/write access, and do not allow write access where users have execute rights.
They should have one or the other but never both.

[Gatt]

If it needs to be there for everyone but only at certain times of the day then set scheduled tasks to remove the users read permission at (say) 09:00 and restore it at (say) 15:00

How do you do that!?

[box_l]

Would it not be better if there was no way out of the network other than the proxy?
That way, even if they ran firefox, they would still have to use your proxy, and therefore be filtered/blocked the way you want.
Default gateway aet in DHCP and so on.

BoX

[srochford]

How do you do that!?

In a machine startup script:

Code:

if exist %windir%\ff_allow.cmd goto got_allow
echo cacls "c:\program files\mozilla firefox\firefox.exe" /e /g users:r > %windir%\ff_allow.cmd
at 15:00 /every:m,t,w,th,f %windir%\ff_allow.cmd

:got_allow
if exist %windir%\ff_deny.cmd goto end
echo cacls "c:\program files\mozilla firefox\firefox.exe" /e /r users: > %windir%\ff_deny.cmd
at 09:00 /every:m,t,w,th,f %windir%\ff_deny.cmd

:end

first chunk checks to see if the "allow" script exists; if not, it creates the script and schedules it at 15:00

second chunk checks for the "deny" script; if not, it creates it and schedules it for 09:00

It's not perfect - if the machine is switched off at 09:00 or 15:00 then it won't run. You could have a more complex script to run every time the machine starts up and checks the time and sets permission appropriately or you could just have a script which runs every 5 minutes and checks the time and sets perms.

[link470]

they can double-click and run the setup which does not pick up any proxy and off to Facebook they go.

Wait, they can run the Setup file for Firefox? Or the Firefox executable itself? If they can run the Setup and successfully install it, that may be another issue. I like to start at most secure, rather than most convenient when doing Software Restrictions. I start at everything restricted, and then only allow locations like Program Files to allow executables to be ran. I then just have to make sure that none of the places I allow to run executables allow users to write, because then they can place an exe of their choice into the folder that has execute permissions and run whatever they like. rvdmast covered this 4 posts up.

[James2k]

If you use sophos enterprise console you can stop firefox loading from anywhere.

Just have a look at the application control.

[Gibbo]

I think you can do the same with NOD32.