Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

IE8 Virtual Layer - Custom IE Settings

Created: 16 May 2012 | 8 comments

Hey Folks,

I have a virtual IE8 layer that works perfect on Windows XP with IE7 installed.

For a POC that i'm working on am I trying to restrict the IE8 experience to prevent users from navigating away from a predetermined URL that i have set with the virtual layer.

I have added the following registry entries to the virtual layer

HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions\NoCommandBar DWORD(1)

HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions\NoNavBar DWORD (1)

HKEY_USERS\Software\Policies\Microsoft\Internet Explorer\Main\AlwaysShowMenus DWORD (0)

HKEY_USERS\Software\Policies\Microsoft\Internet Explorer\Main\Start Page (http://www.symantec.com)

On opening the IE8 layer I get the effect I'm after. The layer opens with the start page and no address bar or menu system.

Problem is when I open up my base install of IE7 some of the effects from the restrictions on IE8 layer have been applied to the IE7 session.

On inspection of my registry I can see the above regkeys within HKLM\_SWV_Layer_1 as expected. But the first 2 registry entries have "bled" through to the OS registry, ie HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions which are obviously been applied when IE7 opens.

I tried moving the 2 HKLM regkeys into the HKEY_USERS portion of the virtual layer registry and, although I get the desired outcome within my IE8 virtual layer the toolbar restrictions are applied within the OS again, albeit within the HKCU portion.

Any pointers would be massively appreciated.

PS I am aware of the Browser Selection Object but looking as options without this atm.

thanks

Jim

Comments 8 CommentsJump to latest comment

EdT's picture

There is no such registry key path as:

HKEY_USERS\Software\Policies\Microsoft\Internet Explorer\Main\

You can have this path under HKCU, but if writing under HKU, you need to include the security SID of the user account you need to target, eg HKU\<SID>\Software\Policies, etc.

So have you stated what you are doing accurately, because if you have, then that is most likely where your problem lies.

Does the "bleed through" of the HKLM value persist even when the IE8 layer is deactivated?

If your issue has been solved, please use the "Mark as Solution" link on the most relevant thread.

Jsmith73's picture

Hi EdT.

On the attached screenshot under

HKEY_USERS\USER_TEMPLATE\Software\Policies\Microsoft\Internet Explorer

I have two more keys. The key "Main" does not "bleed" through to

HKEY_USERS\{My SID}\Software\Policies\Microsoft\Internet Explorer

but the ones under "toolbar" do.

regkeys.PNG
Jsmith73's picture

Oh and when I deactivate the IE8 layer all bleed through registry keys are removed from the OS registry.

EdT's picture

I know that some special work was done to get different versions of IE to co-exist under windows, but from what I recall of the way that the layers work is that each layer, as well as the base, are assigned a "priority" (this may not be the correct term), so that in the event of a clash of registry values between the base operating system and the layer, the app running under the highest priority setting would be the one whose registry keys would win out. I believe the base operating system is given a priority of 75 and thus you can adjust the levels at which layers run with respect to this setting.

Whether or not this can be addressed by putting both IE versions into separate layers is something you would have to test for yourself, as I've not tried this.

If your issue has been solved, please use the "Mark as Solution" link on the most relevant thread.

Pablo Yabo's picture

It looks like the isolation rule specified in the LDF is not working. Do you see this isolation rule in the LDF?

<IsolationRules><![CDATA[*\Internet Explorer\iexplore.exe BASE 0x0002 \REGISTRY\* * %layerguid%]]></IsolationRules>

If you see the isolation rule tell me the Agent version you are using.
 
Regards,
-Pablo
Jsmith73's picture

I haven't done anything with an LDF but after checking Connect articles I have installed the Symantec Workspace Layer Definition Tool and extracted the following info from the created LDF file.

<IsolationRules><![CDATA[* BASE 0x0002 \Registry\*\{* * %layerguid%]]></IsolationRules>

When I change the rule to be as above and I try to modify the existing layer I keep getting errors from the SWVLDF.exe

6041   Missing destination layer attribute.
 

Even more confused now!

thanks

Jim

Pablo Yabo's picture

Jim,

You aren't using last IE8 for XP from connect:

https://www-secure.symantec.com/connect/downloads/internet-explorer-8-windows-xp-layer-definition-file

Your isolation rules should look like this:

<IsolationRules-entries valuetype="REG_MULTI_SZ" valuename="IsolationRules">
    <IsolationRules><![CDATA[*<tab>BASE<tab>0x0002<tab>\Registry\*<tab>*<tab>%layerguid%]]></IsolationRules>
</IsolationRules-entries>
 

If you change the isolation rules you have to be careful because you must keep the <tab>. Otherwise, you will get an error.

The isolation rule that your layer only isolates the CLSIDs, Interfaces and Typelibs. Current layer isolates registry layer from the base. It should solve that issue if you are using last Agent.

Jsmith73's picture

Info from generated log file

[11:51:13.000] [INFO] [DEF2LAYER] [Initializing] :
[11:51:13.000] [INFO] [DEF2LAYER] [Initializing] :Using definition file: c:\TP.ldf
[11:51:13.015] [INFO] [DEF2LAYER] [Creating File Repository] :
[11:51:13.015] [INFO] [DEF2LAYER] [Modifying Layer] :3e5b1d97-3ce9-4bda-a524-670d65c7bdda
[11:51:13.140] [INFO] [DEF2LAYER] [Modifying Layer Registry] :
[11:51:13.140] [ERROR] [DEF2LAYER] [Modifying Layer Registry] :
[11:51:13.484] [INFO] [DEF2LAYER] [Operation Complete] :