Monday, September 01, 2008

Blocking IE 8 "InPrivate" Mode

The latest release of Internet Explorer 8 (beta 2) introduced an awesome new feature set.

Porn-mode "InPrivate" browsing

For details see this IEBlog post: IE8 and Privacy.

Basically what "InPrivate" mode does is the following:

While InPrivate Browsing is active, the following takes place:

  • New cookies are not stored
    • All new cookies become “session” cookies
    • Existing cookies can still be read
    • The new DOM storage feature behaves the same way
  • New history entries will not be recorded
  • New temporary Internet files will be deleted after the Private Browsing window is closed
  • Form data is not stored
  • Passwords are not stored
  • Addresses typed into the address bar are not stored
  • Queries entered into the search box are not stored
  • Visited links will not be stored

Sounds great for employees, students, spouses, and teens looking to surf the net without fear of leaving evidence of their activity for curious eyes (or evidence of prohibited behavior).

But what if you are a system administrator or parent and really don't like the idea of having just such a feature enabled?  Is all lost?

Not really.  In fact, it appears to be relatively simple to disable the "InPrivate" feature.

Blocking IE 8 "InPrivate Mode"

Ed Bott and BetaNews posts on IE 8 beta 2 teased a bit that it would be possible to block this feature, but didn't really give any guidance on how that was to be accomplished.

So Claus decided to do some detective work and found it is easier than one would expect.

I had IE 8 beta 1 already loaded in a Virtual XP Pro VHD file.

Since it was XP Pro, I was able to launch the Group Policy (gpedit.msc) editor and peek around.  Because IE 8 beta 1 didn't have "InPrivate" features there were no clues, but it did give me a chance to become acquainted with the location and settings offered in IE 8 for setting policy control on the browser.

I then downloaded and installed IE 8 beta 2 on the system.

Then I went back in to the Group Policy editor and quickly found the control key that will block "InPrivate" mode.


Great!

Playing with the options shows that the setting can take three values: "Not Configured", which leaves "InPrivate" working by default and looks to a registry control key for its status; "Enabled", which turns off "InPrivate" mode; or "Disabled", which turns on "InPrivate" mode.

This setting is present both at the "Computer Configuration" level as well as the individual user level.

By toggling it back and forth and then searching the registry, I was able to locate the actual registry key and setting that controls the behavior.

InPrivate-enabled

"InPrivate" Enabled

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000001

InPrivate-disabled

"InPrivate" Disabled

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000000

In case it isn't clear, I exported the "Computer Configuration" registry key as shown above to indicate the specific key and value needed.

I also found that if you use the Group Policy editor itself as noted to make the change(s) then an additional key is created and set under the specific user registry location.  On my test machine it was located as follows:

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-578183920-2422754242-1423928655-1035\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{BA0C8A29-F3B4-4FC9-A2E6-3D224CF50A60}Machine\Software\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000000

Yours might differ slightly.

And these were on an XP Pro system.  The setting in Vista builds might be slightly different (though I suspect not by much).  When I get the chance to test it on a virtual Vista build, I will post an update if it is significantly different.

Finally, as XP Home does not have the Group Policy editor that XP Pro has, it seems possible that a parent (or employer) could copy the registry key and value for the IE 8 "InPrivate" setting they want, as shown above, into Notepad, save it as "InPrivate-disabled.reg", and then run it to put the setting into the registry and prevent "InPrivate" mode.  Also, clever Google fans might find this post and realize they might be able to do the same thing: create an "InPrivate-enabled.reg" file and run it to re-enable the thing.
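
A .reg file like the ones above can be checked before it is merged, to confirm that it touches only the InPrivate policy value. The Python script below is an added example, not part of the original post: it parses .reg text, reports which state the file would set, and lists anything else the file would change. The sample file and its HKEY_CURRENT_USER\Software\Example\Constructed entry are constructed for illustration.

```python
import re

# Key path and value name exactly as they appear in the exports in this post.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy"
POLICY_VALUE = "EnableInPrivateBrowsing"
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*(.*)$')

# Constructed sample: the "disabled" export from the post plus one unrelated,
# made-up entry of the kind a reviewer should notice before merging.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000000

[HKEY_CURRENT_USER\Software\Example\Constructed]
"Unrelated"="value"
'''


def parse_reg(text):
    """Return the (key, value_name, data) operations a .reg file applies.
    value_name is None for the key itself; data is None when the key is only
    created and "-" when the key or value is deleted."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing .reg header line")
    ops, key, pending = [], None, ""
    for ln in lines[1:]:
        if ln.endswith("\\") and not ln.startswith("["):
            pending += ln[:-1]              # hex data continued on next line
            continue
        ln, pending = pending + ln, ""
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
            deleted = key.startswith("-")   # "[-KEY]" removes the whole key
            key = key[1:] if deleted else key
            ops.append((key, None, "-" if deleted else None))
            continue
        m = VALUE_RE.match(ln)
        if key is None or not m:
            raise ValueError("unparseable line: " + ln)
        ops.append((key, "@" if m.group(1) is None else m.group(1), m.group(2)))
    return ops


def review(text):
    """Return (state, unexpected): what the file does to the InPrivate policy
    value, and every operation that touches any other key or value."""
    state, unexpected = "unchanged", []
    for key, name, data in parse_reg(text):
        on_policy_key = key.lower() == POLICY_KEY.lower()
        if on_policy_key and name is None and data is None:
            continue                        # only (re)creates the policy key
        if on_policy_key and name and name.lower() == POLICY_VALUE.lower():
            m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", data)
            number = int(m.group(1), 16) if m else None
            if data == "-":                 # value removed: "Not Configured"
                state = "not configured"
            else:                           # mapping from the post: 1 on, 0 off
                state = {1: "InPrivate allowed", 0: "InPrivate blocked"}.get(
                    number, "unrecognised data: " + data)
            continue
        unexpected.append((key, name, data))
    return state, unexpected


if __name__ == "__main__":
    state, unexpected = review(SAMPLE)
    print("policy state:", state)
    for op in unexpected:
        print("also touches:", op)
```

A file that is safe to merge for this purpose returns an empty second list; anything listed there deserves a look in Notepad first.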

Ed Bott notes in his post that "...parents will be relieved to note that the feature can be disabled completely (and in fact is disabled by default if Parental Controls are turned on)." So there is some additional override going on which may or may not be related to the registry key setting I located.

As this is still a beta product, your mileage and future effectiveness may vary.

Final Thoughts

While "InPrivate" does bring some nice security and benefits to users, it is not a magic bullet for web-surfing, whether at work, at a public (kiosk) computer, or even at home.  This should not be confused with "anonymous" web-surfing.

First off, while "tracks" of the surfing might not be left on the local pc, the network traffic generated by the page-retrievals can still be sniffed and captured by an ISP, employer on their own network, etc.  This might be sufficient to effectively rebuild/recreate a browsing session forensically. This all depends on the network configuration and any appliances an employer may run on their network, but it is clearly not 100% in-private browsing.

Second, this doesn't prevent any webmaster, ISP, or server administrator from collecting information: the IP addresses used to access pages might be logged and obtained under court order.

So while "InPrivate" sounds good, it is far from being truly anonymous in scope.  More like "Locally InPrivate" might be a better (but less catchy) description.

For true anonymous browsing you need to look elsewhere, like the xB Browser, DemocraKey, or OperaTor to name a few.  These use both specialized browser configuration and tweaks along with Tor to improve effective (but still not necessarily 100% bulletproof) anonymous web browsing.

Lastly, I have no doubt that real computer forensic experts like Harlan Carvey and gang will be hard at work looking at IE 8 loaded systems to uncover techniques to spot when "InPrivate" mode has been used, when registry keys that enable/disable it have been changed, and maybe even additional clues as to browsing session activity or tracks.

From an end user side, IE 8's Porn-mode "InPrivate" browsing feature looks pretty nice and exciting.

From a system administrator's side, it looks to bring yet one more headache into keeping workforce Internet usage and security under firm control.

I'd welcome any comments on this feature, blocking/unblocking corrections to my initial findings, additional "InPrivate" system administration tips, and any discussions or leads on how forensics can be applied to monitor this new "feature" of IE.

Let's get the discussion going!

--Claus

25 comments:

Anonymous said...

so can you list step by step instructions on how you can turn on the in-private feature. I'm a little confused on what you're saying.

thanks Claus

Claus said...

@ Jessie - It depends on your perspective and "computing environment".

For most home-users of Vista/XP who upgrade to IE 8 when finally released, "InPrivate" mode should be enabled and accessible automatically. You don't have to "enable" it.

In most cases, you will just use IE 8 like you always do as you will likely want to save most of your browsing history, cookies, cached files, etc.

However there may be times when you need to do some research or other web activity and don't want to "save the evidence" so to speak.

That's what InPrivate mode is for.

To use it you will access the "Tools" item on the menu bar of the IE8 browser, then select the "InPrivate Browsing" item. (Or just press "Ctrl+Shift+P" keys)

This puts you in the special private-browsing mode that will not save your history, cookies, cache items, etc to the local system drive when your session is over.

When done, close out that browser window and IE8 deletes the captured data then returns you to the normal IE8 browsing mode we are all accustomed to.

My post was from the perspective of a corporate/enterprise system administrator who (for security or policy reasons) may NOT want the employees to be able to use this feature.

I was looking at the methods that could be done to DISABLE access to this feature and prevent it from being available. (Or maybe a parent on their teen's pc...whatever...)

So, Home User? Good to go, no changes needed!

Corporate Sysadmin? Good to go, or you can block it if you want. Choice is up to the policy makers, figuratively and literally!

Does that help?

--Cheers!

Anonymous said...

Actually Claus, my IE8 browser will not allow me to click on the in-private option, the button is gray exactly like the first picture you have on this page, I was wondering how to turn it back on so I can use it. Can you help??
Thanks, Jess

Claus said...

@ Jessie - OK. This should work if you have "administrator" rights to your system and profile settings.

You didn't mention what type of system you have Vista/XP and if it is a Home or Professional version.

Since it is there (but unselectable), I am assuming you are running the latest IE 8 Beta 2 version Windows Internet Explorer 8: Home page.

On some systems the Registry key I mentioned might not exist. So here is the quick and (fairly) safe way to do it. I wrote and tested these on XP Pro but should work the same for all versions (XP/Vista).

Right-click on your desktop and select "New"..."Text Document".

You should see one appear on your desktop.

Rename it to something like "IE8SafeMode.reg"

Note I changed the file extension from .txt to .reg

Save the change and tell Windows you know you changed the file extension name. OK.

Right-click on the file you just made and select "Edit".

It should open in notepad.

Copy the following text (all three lines) and paste it into that Notepad file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000001

Save the file and then close it.

When you double-click the file it will ask you if you want to add those changes into the Registry. Select Yes.

Then reopen IE8 and you should now have InPrivate mode enabled.

To disable it again, just re-modify your file so the last number on the last line is a "1" and not a "0".

Save the file and run it and say "Yes" to add the info to the registry again.

If this doesn't work, then it is likely your account doesn't have sufficient administrator level permissions to make those changes...

As always, making changes in the Windows Registry carries risks, up to and including nuking your system. However these steps do work on my system fine. Proceed at your own discretion.

Claus said...

Sorry, minor but important correction.

I meant to say:

To disable it again, just re-modify your file so the last number on the last line is a "0" and not a "1".

--Claus

Anonymous said...

Um hi, Jessie again, what you told me to do did not work, I checked into the registry and found that there is no Internet Explorer folder after I go to :
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\...(This is where IE is supposed to be right?)
It isn't under the folder it is supposed to be....can it possibly be somewhere else???
Thanks, Jess

Claus said...

@ Jessie - You have me stumped now.

I wouldn't be surprised if the location folder mentioned didn't exist to start off. It didn't on my test system either.

However once I did the steps and made the changes it was and IE InPrivate mode could be enabled/disabled by changing the key that was created.

Just for kicks I fired up a new test system session and repeated the steps on it fresh and it again worked just fine for me.

If you are experienced, you could use regedit to manually attempt trying to create the Internet Explorer, then the Privacy "folders" in the registry. Then finally add the correct dword key and value.

If the steps I listed don't work then there might be some other possibilities, 1) your user account is restricted and won't allow setting of these keys (possible but unlikely), 2) a security program is preventing the key from taking (possible), 3) maybe the IE 8 beta version is corrupted somehow (not likely).

I found this interesting tidbit.

"InPrivate browsing is disabled by default on systems where Windows One-Care or Windows Family One-Care has been installed."

You might want to try posting your question in the Microsoft Discussions community group forums:

Discussions in microsoft.public.internetexplorer.beta

Chances are someone there could assist you as well.

Please drop back in and share what you found out!

I'm sorry to not have been a better help.

--Claus

Anonymous said...

OMG wow!!!!!!!!! I do have Windows Live Family care on my computer!!!!! wow you are a super genius!!!!!!!! thank you very much!!!!! I owe u one lol!!!!!!!!!

Thanks a million!!!!!!
Jess!

Anonymous said...

Hi Claus, we use Vista Home Premium 32 bit and I cannot locate group policy. If I want to disable InPrivate browsing, can I do that by editing the Windows Registry alone?

Claus said...

@ Anonymous - Good news.

I just tested the same Reg keys, mentioned above for XP and provided in my post, on a Vista system.

I did not see them at all in the registry on the Vista system I was working on.

I verified IE 8 was working, and showing the InPrivate mode option on the Vista system.

I added the "disabled" registry key exactly as noted to the registry.

I then relaunched IE 8 and the InPrivate mode was removed, just as posted in the XP example above.

I then added the "enabled" registry key back in.

Retested IE 8 and it showed back up again.

You should be good to go! Just be very careful when adding them into the registry.

Great question! I'll need to do an updated post!

Cheers!

--Claus V.

Anonymous said...

Hi Claus
How do you prevent this using IE7.
Don't want our system administrator viewing where I go.
Is there a way of blocking my internet history etc from him?

Thanks a million!
Vareez

Claus said...

@ Vareez - Windows IE 7 and earlier do not have true "InPrivate" mode features. So you can't use them in the way the IE 8 offers it.

Yes you could delete your cache files and history and web cookies after each browsing session, but that wouldn't likely be quite sufficient.

You would have to either use another web-browser that does have true "private-mode" browsing feature, or use a third-party browsing session "cleaner" application.

That said, as a sysadmin, I wouldn't recommend doing that. Stick to the work-rules while at work.

Even the best "InPrivate" mode browsing session or "cleaner" application will leave stuff behind that can (to some degree) be recovered by skilled persons to rebuild a measure of your browsing activity. A trained forensics investigator or sysadmin will likely be able to produce more than enough material to rebuild your activity.

In addition, many corporate networks are configured to log Internet traffic. So even if you were to completely wipe your system, your IP address and page visits might be recorded somewhere on a company server.

So, IMHO, save any "private" web-browsing needs you might have for your home pc and Internet connection.

And if you don't want your boss and system administrator to know where you are surfing at work, don't go there in the first place!

--Cheers!

Anonymous said...

Hi Claus,
I have a work laptop that I can take home and use anytime. If I connect to my home network (ISP) and use the 'InPrivate' mode, will there be any information stored on the computer?

I will eventually have to return the laptop and I am just wondering if the 'InPrivate' mode will safeguard my home web browsing.

Thanks

Claus said...

@ Anonymous - In theory, yes, InPrivate mode use at home would keep your employer from seeing MOST of what you browsed.

However, I'm still waiting for a forensic-expert's evaluation of just how truly "private" these private mode browsing sessions are.

I suspect that private-mode browsing sessions will still leave some degree of remnants on a system that a skilled forensic-examiner could recover. It likely wouldn't be near as much as would be left in a normal-mode browsing session, but still would be some.

If this is a concern to you but you are set on using your work laptop, I would recommend going with a USB-flash-drive based "portable" browser build instead of using a browser installed on your laptop directly. This way (in theory) any write-activity even in private-mode would be more likely saved to your personal USB stick and not the PC itself.

If you like Firefox I'd recommend: Mozilla Firefox, Portable Edition as it is Firefox 3.5 which supports a Private-Mode browsing. Then there is Portable Chrome which also has a Private mode browsing. Finally there is DemocraKey which is a similar product (+TOR) but I don't think it has been updated in a while.

Great question!

Cheers! Claus V.

Anonymous said...

I am just a random housewife who is constantly fighting the fight to protect our home. We downloaded Internet Explorer 8 without researching its capabilities and were shocked to discover private browsing. As we googled we were even more appalled at how accepted this is and how many people are excited about this option. Of course we found no way to disable it and were so grateful to find your instructions which worked perfectly for us. Thanks for taking the time to care about people who do not want to be trapped in the wake that pornography leaves in a home.

Claus said...

@ anonymous housewife - Glad we could be of assistance. Yep. It can be a real challenge having both a computer connected to the Internet and trying to raise children at the same time; depending on your moral compass.

If it wasn't clear from the post, this "trick" to block "InPrivate" mode can be reversed. Might not be an issue when the little-ones are little, but as they get older I have found kids get more clever.

You might find this follow-up post I did to this one informative as well:

IE 8’s “InPrivate” mode blocked by OneCare products - GSD Blog post

And in particular this section:

"If you have Windows Live Family Safety (see also Family Safety - Windows Live OneCare) then IE 8’s InPrivate mode will be disabled by default configuration and protected from change, even with these registry tweaks."

So hard lock-downs of “InPrivate” are possible, at least for the home users (parents) and likely might be as well with proper configuration of security permissions (or Active Directory settings) that prevent that particular registry key location from being changed by unauthorized users (employees and/or children).

Thank you for leaving a kind comment.

Cheers!

--CV

Anonymous said...

Can you tell me how to find what information has been searched on my home pc even though InPrivate was used?

ProtectiveMomWife said...

Howdy! Housewife/Mom here...I'm using Windows Vista and when I manually search through the pc registry, I can follow you all the way up to the Internet Explorer/Privacy folder...under my IE folders, there aren't any named "Privacy" and I manually searched through all of the files/folders looking for the 'InPrivate' options to no avail...help! thanks so much!

Claus said...

@ProtectiveMomWife - It is very possible they don't exist by default on your system. You may need to either create the key manually (if you are brave enough) or follow the steps to do the "registry file" method where you copy/paste then run the .reg file.

See this follow-up post: grand stream dreams: Blocking IE 8 " InPrivate " Mode – Updated

It should create the registry location when executed.

Cheers!

--Claus V.

Unknown said...

hi, I've tried the step by step thing and it didn't work, and I tried making that folder on the desktop, typed in the code you wrote but it didn't ask me the question you said it would. Please help me, this thing is irritating me; I looked everywhere and you seem to know the most about it.

Claus said...

@ lou - I'm sorry you and a few others are having some issues with this. I guess it's a familiarity thing with the way Windows Registry "reg" files are structured and work.

I've tried to make it as simple as possible.

Try this:

I've created the registry keys myself and uploaded them to a shared folder on box.net. http://www.box.net/shared/b0fr5x0qg2

Click that link (or copy/paste it into your browser address bar) then download the "IE8InPrivateMode-Disabled.reg" file directly to your PC.

Depending on your anti-virus application it may complain as .reg files could be malicious. If you want to check, simply open it in Notepad to see that it matches what I have listed on my blog post.

Once you have downloaded it, right-click on the file and select the "Merge" option.

Depending on your version of Windows and the user-rights of your profile, you may have to confirm some warnings. If all goes well it should be added to the registry and when you re-launch IE8, you should see the option grayed out.

The other registry key in that folder re-enables the option. Follow the same steps and it will allow InPrivate Mode option to work again, unless blocked differently by one of Microsoft's Family Safety programs...

I've just tested them before uploading on my Windows 7 Home Premium system and they work as advertised.

However, your results may vary depending on your particular system so proceed at your own discretion.

I really try hard to avoid offering files this way as I want and hope for folks to understand what they are doing, and to not get comfortable just downloading and running stuff (.reg files particularly) off the net as it could be dangerous.

However, these are "simple" files that you can review in notepad and make sure they match against my blog post descriptions.

I hope this helps.

If this doesn't work then the security permissions on your system and/or user profile may be blocking you from merging them into your registry.

Cheers.

--Claus V.

Unknown said...

Hello Claus, I just got a new laptop, an Acer Aspire with Windows 7 Home and IE8 on. I tried to disable InPrivate browsing with your instructions but it doesn't work for me. Any ideas?

Claus said...

@ wayra -- Did you do it the "manual" method or did you just try to use one of the pre-done files?

Try this:

I've created the registry keys myself and uploaded them to a shared folder on box.net. http://www.box.net/shared/b0fr5x0qg2

Click that link (or copy/paste it into your browser address bar) then download the "IE8InPrivateMode-Disabled.reg" file directly to your PC.

Depending on your anti-virus application it may complain as .reg files could be malicious. If you want to check, simply open it in Notepad to see that it matches what I have listed on my blog post.

Read the comment just above yours on this post to see the full gist.

Hopefully that will get you going. I also know that if Live OneCare/Family Safety is loaded/installed it might also lock the preferences for changing this value...but on a new system I would think that would be more unlikely.

You will also probably need to run the reg key fix noted above under an administrator account or "as administrator" to get it to actually apply in the registry.

Cheers!

--Claus V.

LoveMy2Sons said...

I am trying to disable as well as I don't want my child to use this option. When I try to run gpedit.msc, i get a message that windows cannot find it. I am the admin on both my laptop and home PC - same issue with both. I'm running Windows 7 with IE 8. Thoughts?

Thank you!

Claus said...

@LoveMy2Sons,

You probably are running a "Home" version of Windows 7 which doesn't include this feature. I believe it is located in the Professional or Ultimate versions.

Instead you should be able to look a comment or two up in this post from here and find the links to a file that has the registry keys instead.

Download and merge the correct one into your registry and you should be good.

Or if you want a "second opinion" you could try a very similar reg key from this location: Windows 7 - Internet Explorer InPrivate Browsing Enable or Disable - WindowsSeven Forums.

Either way this should work around the missing gpedit.msc issue.

Cheers!

--Claus V.