Allow Cookies but Not Other Web Site Content
Using a .reg file, a batch file, and Group Policy, you can allow cookies but prevent users from downloading unwanted and possibly malicious files and ActiveX objects.
June 27, 2007
At my workplace, users regularly visit some Web sites in which they have to register. These sites require users to enable cookies in Microsoft Internet Explorer (IE) so that they can sign in. However, we use Group Policy, and our domain's default policy disables all cookies.
Because cookies from Web sites in IE's Local intranet and Trusted sites zones are accepted, you can typically enable cookies for certain Web sites by using Group Policy to add those sites to one of those zones. But what if you want to allow cookies but not all the other content that goes along with trusting a site? For example, you might want users to be able to log on to a site that requires registration (and therefore allow cookies), but you don't want users to be able to download files or install ActiveX objects from the site. This was the case at my company.
Because adding Web sites to the Local intranet or Trusted sites zone wasn't an option, I looked into whether I could use a Group Policy setting to centrally define exceptions for cookies. I was unable to find such a setting.
Not wanting to have to teach each user how to define exceptions in IE, I decided to come up with my own solution. I used RegMon (http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx) to track where IE stores cookie settings. I found that the settings are under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History registry key.
To accept cookies from a domain, I created a new subkey and gave it a default DWORD value of 1. For example, to accept cookies from the microsoft.com domain, I created the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\microsoft.com subkey and gave it a default DWORD value of 1.
You can't use regedit to create a subkey with a default DWORD. (When you create a subkey, regedit automatically creates a default REG_SZ value.) So, I used .reg files to create the subkeys. For example, Figure 1 shows the .reg file for creating the microsoft.com subkey.
I then wrote a batch file that uses the reg.exe utility to read and apply the .reg files. (Reg.exe is built into Windows Server 2003 and is part of the Windows 2000 Support Tools.)
I inserted the batch file in a Group Policy Object (GPO) under User Configuration\Windows Settings\Scripts\Logon Scripts.
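The logon-script step above, as an added example that is not the author's batch file: instead of importing .reg files, it writes each default DWORD directly with `reg add /ve`, then logs any per-site subkeys that are not on the list. The allowlist share path, its one-domain-per-line format, and the log location are assumptions.

```batch
@echo off
rem Added example, not the author's script. ALLOWLIST and LOGFILE are
rem hypothetical locations; the allowlist holds one domain per line
rem (lines starting with ; are treated as comments).
setlocal
set "ALLOWLIST=\\server\netlogon\cookie-allow.txt"
set "LOGFILE=%TEMP%\cookie-allow.log"
set "BASE=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"

if not exist "%ALLOWLIST%" (
    >>"%LOGFILE%" echo %DATE% %TIME% allowlist not found
    exit /b 1
)

rem Step 1: create each per-domain subkey with a default DWORD of 1.
rem /ve targets the default value; /t REG_DWORD sets its type.
for /f "usebackq eol=; tokens=1" %%D in ("%ALLOWLIST%") do (
    reg add "%BASE%\%%D" /ve /t REG_DWORD /d 1 /f >nul 2>&1
    if errorlevel 1 >>"%LOGFILE%" echo %DATE% %TIME% write failed: %%D
)

rem Step 2: log subkeys that are present but not on the allowlist.
rem Splitting on "\" makes the domain the 9th token of each subkey path;
rem findstr /x requires the allowlist line to match the domain exactly.
for /f "tokens=9 delims=\" %%K in ('reg query "%BASE%" 2^>nul') do (
    findstr /i /x /c:"%%K" "%ALLOWLIST%" >nul
    if errorlevel 1 >>"%LOGFILE%" echo %DATE% %TIME% not on allowlist: %%K
)
endlocal
```

Because the key lives under HKEY_CURRENT_USER, the script has to run in the user's context, which is what a logon script under User Configuration does.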
With this solution, I can allow cookies but prevent users from downloading unwanted and possibly malicious files and ActiveX objects. Because the solution uses Group Policy, it's easy and quick to implement.