Sunday, October 26, 2008

IE 8’s “InPrivate” mode blocked by OneCare products

In a fairly recent GSD post, Blocking IE 8 "InPrivate" Mode, I examined how IE 8’s “InPrivate” mode could be toggled on/off by setting some registry keys.

It could also be controlled in a corporate environment with Group Policy settings.  Very nice.

“Jessie” left a comment on that post asking for assistance, as he (?) found that on his system with IE 8 loaded, “InPrivate” mode was grayed out and could not be toggled on.

I re-walked Jessie through what I did and despite my best attempts, he continued to report those steps did not work at all.

I tested it a few more times on some additional systems with great success, but that was no help with Jessie’s configuration.

So I responded as follows:

@ Jessie - You have me stumped now.

I wouldn't be surprised if the location folder mentioned didn't exist to start off. It didn't on my test system either.

However once I did the steps and made the changes it was and IE InPrivate mode could be enabled/disabled by changing the key that was created.

Just for kicks I fired up a new test system session and repeated the steps on it fresh and it again worked just fine for me.

If you are experienced, you could use regedit to manually attempt trying to create the Internet Explorer, then the Privacy "folders" in the registry. Then finally add the correct dword key and value.

If the steps I listed don't work then there might be some other possibilities: 1) your user account is restricted and won't allow setting of these keys (possible but unlikely), 2) a security program is preventing the key from taking (possible), 3) maybe the IE 8 beta version is corrupted somehow (not likely).

I was really feeling like #2 was the issue, but wanted to do a bit more research for Jessie and dropped over to the Microsoft Discussions community group forums, which are always a good source of strong Microsoft-staff and MSVP offered information.  In this case I located the IE 8 Beta group:

Discussions in microsoft.public.internetexplorer.beta

Searching around I uncovered this interesting tidbit.

"InPrivate browsing is disabled by default on systems where Windows One-Care or Windows Family One-Care has been installed."

I asked Jessie to drop back if he found a solution as I was really curious as well.

He did:

ONG [sic] wow!!!!!!!!! i do have Windows live Family care on my computer!!!!! wow yu are a super genius!!!!!!!! tahnk you very much!!!!! i owe u one lol!!!!!!!!!
THanks a million!!!!!!

So there you go; one more curious piece of the IE 8 and “InPrivate” puzzle.  Stated and confirmed.

If you have either Windows Live OneCare or Windows Live OneCare Family Safety (see also Family Safety - Windows Live OneCare) then IE 8’s InPrivate mode will be disabled by default configuration and protected from change, even with these registry tweaks.

So hard lock-downs of “InPrivate” are possible, at least for home users (parents), and likely might be possible as well with proper configuration of Active Directory settings that prevent that particular registry key location from being changed by unauthorized users (employees).

I’d be interested in any Active Directory professionals out there who could leave suggestions on just how to accomplish the prevention of adding/setting/changing a particular registry key by a user.  We don’t (yet) use AD to manage our user desktop settings.  It would be valuable information to know.

Cheers! and a special Thanks! to Jessie for leading down this path.

--Claus V.
