Saturday, March 28, 2009

Blocking IE 8 "InPrivate" Mode – Updated

It’s been a while since my post Blocking IE 8 "InPrivate" Mode.

In that post I looked at how IE 8's “InPrivate” web-browsing mode could be blocked or disabled.

It could be done either via Active Directory policy, or via a registry key.

The registry key technique should work fine for both home and business users interested in it.

I had tested it with a beta version of IE8 in XP, and surmised it should work on Vista, but never got around to validating.

Then I got the following comment the other week on that post:

Hi Claus, we use Vista Home Premium 32 bit and I cannot locate group policy. If I want to disable Inprivate browsing, can I do that by editing the Windows Registry alone?

Yes. This registry key “fix” works fine on Windows Vista as well as Windows 7 to block access to InPrivate mode in Internet Explorer 8.

"InPrivate" Enabled

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000001

"InPrivate" Disabled

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000000

In case it isn't clear, I exported the "Computer Configuration" registry key as shown above to indicate the specific key and value needed.

Note that on most home systems the Registry key I mentioned might not exist. So here is the quick and (fairly) safe way to do it.

Right-click on your desktop and select "New"..."Text Document".

You should see one appear on your desktop.

Rename it to something like "IE8SafeMode.reg"  (Note I changed the file extension from .txt to .reg)

Save the change and tell Windows you know you changed the file extension name. OK.

Right-click on the file you just made and select "Edit".

It should open in Notepad.

Copy the following text (all three lines) and paste it into that Notepad file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000000

Save the file and then close it.

When you double-click the file it will ask you if you want to add those changes into the Registry. Select Yes.

Then reopen IE8 and you should now have InPrivate mode disabled.

To enable it again, just re-modify your file so the last number on the last line is a "1" and not a "0".

Save the file and run it and say "Yes" to add the info to the registry again.

If this doesn't work, then it is likely your account doesn't have sufficient administrator level permissions to make those changes...
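
The same change as the .reg file in the steps above, written as an added PowerShell example that is not part of the original post. It checks for elevation, creates the key when it is missing, and reads the value back; the function names are made up for this example, while the key path and value name are the ones given in the post.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Key path and value name are the ones given in the post; function names are hypothetical.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy'
$ValueName = 'EnableInPrivateBrowsing'

function Test-IsElevated {
    # By default only administrators may write under HKLM\SOFTWARE\Policies.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-InPrivatePolicy {
    # Reports what is actually stored: 'NotConfigured', 'Enabled' or 'Disabled'.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # key or value is missing
    if ($item.$ValueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Set-InPrivatePolicy {
    param([Parameter(Mandatory = $true)][ValidateSet(0, 1)][int]$Value)

    if (-not (Test-IsElevated)) {
        throw 'Not elevated: writes under HKLM\SOFTWARE\Policies will be refused.'
    }
    # On most home systems the "Internet Explorer\Privacy" keys do not exist yet;
    # -Force creates the missing parent keys as well.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force overwrites an existing value so it always ends up as a DWORD.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
    return Get-InPrivatePolicy   # read back instead of trusting the write
}

Set-InPrivatePolicy -Value 0     # 0 = InPrivate blocked, 1 = InPrivate allowed
```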

As always, making changes in the Windows Registry carries risks, up to and including nuking your system. However, these steps do work fine on my system. Proceed at your own discretion.

Note that InPrivate browsing is disabled by default on systems where Windows One-Care or Windows Family One-Care has been installed, or if “Parental Controls” settings have been applied to the account. In those cases, use of the registry keys to “enable” blocked InPrivate mode will be ignored and InPrivate mode cannot be enabled. Conversely, parents wanting to harden the blocking of this mode in IE8 may want to look into those products.

--Claus V.

22 comments:

Chrissy said...

Thanks so much for posting what registry key to change in XP Home. I spent quite awhile looking for a solution like this. The majority of the websites just tell you how to exit the InPrivate browsing session by closing out the window -- not how to block it entirely. Very thankful for this solution.

Anonymous said...

I have Windows 7 Home Premium, Windows IE8, and I want to block InPrivate browsing entirely, please help

Claus said...

@ Anonymous - I have Windows 7 Home Premium with IE 8 also!

As I said in this post, the steps listed here with the registry "hack" worked for XP and as I then tested, both Vista and Windows 7 Beta/RC versions.

I am happy to say that I just got done testing this on my "Final" version of Windows 7 right now and it worked like a champ. It should work both for x32 and x64-bit versions just fine (mine is a x64 bit load by the way). And no, I didn't see these keys in place in the registry until I created them above for the first time.

However, to really effectively disable InPrivate browsing and prevent someone from just following these steps to do a "reverse" of the registry key value, you will have to do some more work:

Install the Windows Live Family Safety application and properly configure it and your user accounts, or configure Parental Controls in Windows 7 and use password-enabled user accounts for each child you want to block.

If the kids aren't too old and Windows-sophisticated you can probably get away with the registry hack I mention here just fine. However if they are older and/or smarter, you will almost certainly need to do the latter.

And for teens they could work around it pretty simply by using Chrome/Firefox or other browsers that also have this feature and don't have their settings controlled by the Windows Registry like IE 8. Even if you configure the parental controls to keep such apps from running on the local machine under their account, they still might be able to run them from a "portable" mode off a USB stick....

I hope this helps you for now and I don't want to sound discouraging. There are things that can be done, but to be truly effective, they will take some monitoring and more advanced configuration work on your part.

Good luck!

--Claus V.

Anonymous said...

Oh My goodness thank you so much!!!!! Love it it worked wonderful!!!!!!!

Anonymous said...

I followed the instructions and everything seemed to work like it was supposed to. I created the new file, changed it from txt to reg, copied the lines, and when my computer warned me about changing the registry I continued. It said the changes would be made in the registry, but the InPrivate browsing is still active. Any ideas?

Claus said...

@ Anonymous - two thoughts come to mind without additional information.

1) was the account you used set with "administrator" level permissions? If not you might have to execute the reg file as administrator to get the registry change to take.

2) did you go into "regedit" and trace out the path noted in the registry key to see if the key was actually created/changed?

If you don't see it, again I'd wonder if there was a permissions issue going on.

You could also try running regedit as administrator, then manually creating the key. That might work as well.

If you do find it and it was created but In Private mode is still active, then likely another security program is protecting the key from going into effect. I'd be interested to know which one if that ended up being the case since generally (Family Safety from MS) they work to keep Private mode browser from being enabled...not disabled.

Please let me know what you find out.

--Claus V.

Anonymous said...

Hi!
I have completed most of the steps, but I've come to a problem. In the registry there was a new internet explorer folder made then a new one named privacy. From what I've read, under that should be an "EnableInPrivateBrowsing" folder, but there isn't one.

I'm not sure what I've done wrong. Please help :)

Claus said...

@ Anonymous - I'm wondering if you ran the reg file as "administrator". If not, you might not have sufficient rights to make the actual key value.

Can you manually create the key value as noted in the post in the folder that was created? Give that a try as well.

--Claus V.

Anonymous said...

I tried creating a new text file and copy-pasted the text. I reopened it and NOTHING happened. It did not ask me if I wanted to add the info to the registry. What am I doing wrong? I'm using Vista. Please HELP!

Claus said...

@ Anonymous - I'm not certain but many folks who first try to follow steps for making a registry key file "manually" have some initial problems as they aren't familiar with the process.

Copy the following text (all three lines) and paste it into that Notepad file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000000

Now open "Notepad" application in Windows.

Paste the copied text into the blank notepad file.

From the file menu select save.

It will ask you what to name it.

Type the following exactly, including the quote symbols, into the File Name field.

"IE8SafeMode.reg"

The quotes ensure that the file will be saved with the .reg extension rather than the default txt extension name.

You can then go to the location where you saved the file (I prefer the desktop as it is easy to find) and either right-click on the file and select "Merge" or double-click the file. It will ask you if you want to add those changes into the Registry. Select Yes.

Then reopen IE8 and you should now have InPrivate mode disabled.

I think you may be running into a Windows 7 thing if you right-click the desktop and create a new text document and name it on the desktop to "whatever.reg".

If you do it that way in Windows 7, even though you call it whatever.reg with the "reg" extension, Windows 7 still is sneaking a .txt at the end of it, tricking you to think it is a .reg file when it is really whatever.reg.txt. Windows is still seeing it as a text file, not a registry file command.

If you do it by opening Windows 7 notepad first, then copy the text in, then save it with the (again, with both quotations as well...) "whatever.reg" in the file name field, you should be good to go.

I know it's confusing...it's a Windows thing...

I hope this makes better sense. You described the issue perfectly.

Cheers!

--Claus V.

theway22 said...

Hey Claus, will it work on a Spanish computer, where the Windows is in Spanish and not English?

Claus said...

@ theway22 - I don't have access to such a Spanish system, but I don't see why it shouldn't work, assuming you got the registry items/values correctly "translated".

I would assume you have to make some allowances if the Windows Registry also keeps its keys in a Spanish-Language format.

I would think the locations would be the same across regional/language versions. The principles would hold, you would just have to work out what the system was expecting when passing the key locations and values.

If you get it down, please let us know!

Cheers!
--Claus V.

agottsch said...

I have tried this repeatedly and I can't get it to work. I am on home computer. Windows XP Home Ed. 2002 SP3. I checked and I am logged on as the acct. that is 'admin.' rights. I right click on desktop, new text doc., name it what you list, - it doesn't ask anything about the file extension - it just saves. Open, copy & paste the 3 lines, save. Tried the right click and tried the double click (on the icon on the desktop). Neither asks me to merge or if I want to save changes to registry. It seems to save it as '.reg.txt' or '.reg.rar'. I tried resaving with the quotes and that is when it said '.reg.rar' (?-am I messing up?) I tried looking through the registry - using the screen shots you posted to find it, and I couldn't find a file listed like the one you show - to change it that way. We have 'Safe Eyes' installed on this computer - that wouldn't make it so it wouldn't change, would it? I tried doing this before we installed Safe Eyes and the same thing happened - nothing basically. I REALLY want this off of my computer; causing great issues in my home. I am hoping you can help. I am obviously not very 'computer-smart' but I know enough to know I will do anything to make this InPrivate thing stop working. Thank you for any help you can give. -A

Claus said...

@ agottsch - No worries. This making of the reg file from "scratch" has befuddled a few other folks as well.

Please see the following comment I left previously at IE InPrivate Mode block reg file link for another related post.

I never heard back from that person after offering it, but it worked fine on all three of my systems with no fuss.

Let me know if this works.

Just read that post comment, download the file(s) as needed, and see if that helps.

Please let me know if the file(s) work if you don't mind.

--Claus V.

agottsch said...

Thank you! I think it worked. InPrivate does not show up when I click on the Safety drop down arrow; it isn't greyed out - it is just not there. The InPrivate filtering options are still there - but not browsing. I tried using the shortcut - control shift P - nothing happened - so I am assuming that means it is disabled? If there is anywhere or anyway else to look for it, please let me know. Thanks so much. If this works, it will ease a lot of stress around here!

Claus said...

@ agottsch - Yep. Sounds like you are good to go! (or not go into InPrivate mode as the case may be...).

The fact that the option no longer is accessible is evidence you are in good shape.

If you want to "really" lock it down, then you will have to deploy a more robust solution: Windows Live Family Safety. And if you are using Windows 7 or Vista, I believe that the Parental Controls options under the Control Panel may also let you lock InPrivate down as well.

These seem to "trump" the reg hack method that might work for some users but would not be very strong against clever kids or adults who could just use the other reg-key to re-enable it. These registry hacks are not honored if policy is set by Family Safety or Parental Controls (as I understand it).

Thanks for coming back and posting your results. I really appreciate that.

--Claus V.

Anonymous said...

WHEN I GO TO THE REGISTRY IT ONLY TAKES ME AS FAR AS HKEY...\SOFTWARE\POLICIES\MICROSOFT. I DO NOT HAVE "\INTERNETEXPLORER\PRIVACY". DO I NEED TO ADD THESE WORDS AND HOW DO I DO IT? COULD YOU EXPLAIN IN DETAIL? THANK YOU SO MUCH IN ADVANCE!!!

Claus said...

@ Anonymous - yes. You would have to create the registry key noted as it typically isn't there by default.

Try this:

I've created the registry keys myself and uploaded them to a shared folder on box.net. http://www.box.net/shared/b0fr5x0qg2

Click that link (or copy/paste it into your browser address bar) then download the "IE8InPrivateMode-Disabled.reg" file directly to your PC.

Depending on your anti-virus application it may complain as .reg files could be malicious. If you want to check, simply open it in Notepad to see that it matches what I have listed on my blog post.

Once you have downloaded it, right-click on the file and select the "Merge" option.

Depending on your version of Windows and the user-rights of your profile, you may have to confirm some warnings. If all goes well it should be added to the registry and when you re-launch IE8, you should see the option grayed out.

The other registry key in that folder re-enables the option. Follow the same steps and it will allow InPrivate Mode option to work again, unless blocked differently by one of Microsoft's Family Safety programs...

I've just tested them before uploading on my Windows 7 Home Premium system and they work as advertised.

However, your results may vary depending on your particular system so proceed at your own discretion.

I really try hard to avoid offering files this way as I want and hope for folks to understand what they are doing, and to not get comfortable just downloading and running stuff (.reg files particularly) off the net as it could be dangerous.

However, these are "simple" files that you can review in notepad and make sure they match against my blog post descriptions.

I hope this helps.

If this doesn't work then the security permissions on your system and/or user profile may be blocking you from merging them into your registry.

Cheers.

Anonymous said...

This does not work for IE9. I have Windows 7 with registry version 6.1 and cannot get it to work! Is there a different key I need to create? Thanks!

Claus said...

Hi Anonymous...

I just retried them again on my system (Windows 7 Home Premium x64) running IE9 and they both still work to disable and re-enable InPrivate function.

Are you running them from an "Administrator" level account or rights?

You might also want to have a look at this post. It has some similar REG files you can download, they do each have an extra registry location that mine do not.

Windows 7 - Internet Explorer InPrivate Browsing Enable or Disable - WindowsSevenForums

It also has an alternative method you can use as well.

I hope this helps.

Cheers.

--Claus V.

Anonymous said...

For some reason when I open the 'windows' folder in regedit there is no Internet Explorer folder. I've tried heaps of times and looked all over the place and can't find the 'enableinprivatebrowsing' folder.

I made sure I ran as administrator and checked I followed the right path but it's not there. Please help, I've got Windows 7 and have IE8.

Claus said...

Hi Anonymous...

It's quite possible you can't find it because it isn't there by default on your system.

If you are comfortable, just create the "missing" folder and then create the sub-key accordingly.

You might also want to have a look at this post. It has some similar REG files you can download, they do each have an extra registry location that mine do not, but that shouldn't matter at all. If you aren't comfortable following my direct regedit method, this is an easy-peasy way to accomplish the same thing. Highly recommended.

Windows 7 - Internet Explorer InPrivate Browsing Enable or Disable - WindowsSevenForums

It also has an alternative method you can use as well.

If you go with these, it should make all the needed sub-folders (like "Internet Explorer" folder) for you automatically.

Give it a whirl.

I hope this helps.

Cheers.

--Claus V.