Hello,<o:p></o:p>
I am trying to stop our users from using the Immersive Browser in Windows 8.1 and IE11, as our filtering is done by a local application using a plugin. This BHO does not work in immersive view, and therefore bypasses all of our black lists and filtering.<o:p></o:p>
Initially I thought setting Internet Explorer to "Always open links in Internet Explorer in the desktop" in GP would disabled the Immersive Brower, however there is an option under File called "Open in Immersive Browser" which overrides this setting and load the App version.<o:p></o:p>
I used Group Policy to disable the toolbar which worked, however it turns out if you right click on an open Tab you get the same option, thus bypassing our security again.<o:p></o:p>
I would ideally like a GPO setting to remove the "Open in Immersive Browser" option full stop, but as there doesn't appear to be one the next best thing would be a registry fix.<o:p></o:p>
After some investigation I found these keys:<o:p></o:p>
HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice<o:p></o:p>
HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice<o:p></o:p>
If I change the value "ProgID" to anything other "IE.HTTP" it causes the "Open in Immersive Browser” link to open in a new tab, and not the Immersive Browser ..perfect! So within GP I set “Don’t check if IE is the default browser”, and “don’t inform user if IE is not the default browser” and changed the registry keys “ProgID” to “DisableImmersive” <o:p></o:p>
Unfortunately once again there is a quick and easy work around for our would be hackers. The ” it appears nothing happens. The truth is, behind the scenes IE is overwriting the As such if you select Open in Immersive Browser a second time, it opens and I am back to square one.
We have mandatory profiles for some users, and I have edited the ntuser.man files for those profiles by loading the hive offline, and removing all permissions to those particular registry keys. To do this I disabled inheritance and deleting all the remaining permissions. This has worked and as such, this is now my goal for our roaming profiles.<o:p></o:p>
I have looked at RegIni, ICACLS, CACLS, subinacl and SetACL but none seem to allow me to remove inheritance of registry key permissions, or deny access. I am unfamiliar with VB scripts and Power
Shell, but wondered if these would give me the power
to remove access to these keys as part of our logon scripts?<o:p></o:p>
If anyone can help me out with a script to deny access to these keys, or a custom ADM that can remove the link to “Open in Immersive Browser” completely I would be extremely grateful.<o:p></o:p>
Regards
Mr..D<o:p></o:p>
