How to bypass Internet Explorer Enhanced Security when using the built-in WebBrowser control?

I have my own Windows application in which WebBrowser is embedded, i.e.

  • CLSID_WebBrowser
  • 8856F961-340A-11D0-A96B-00C04FD705A2
  • Shell.Explorer.2

Unfortunately, when working on Windows servers, Internet Explorer Enhanced Security mode interferes with WebBrowser, as a result of which it will not be displayed at all.


In this case, the software user interface is managed as a WebBrowser, which renders the software unusable.

I could disable Internet Explorer Advanced Security mode, but this is not practical.

How can I instruct Internet Explorer to allow rendering of the embedded browser without a security dialog?

Note: I would suggest adding about:security_Application.exe to the list of trusted zones.


Unfortunately, to make this change, you will need to perform DRP / FRP authorization, an ISO security assessment, and a security group. In addition, it will be necessary to establish an RFC so that KPMG does not conduct an audit in accordance with its sequence. I was hoping for a "good" solution.

+4
2 answers

You can specify a different URL. For example, you can extract the contents to a temp file and navigate to it. This does not put your content in a trusted zone, but it is better than the Internet zone that you get for the protocol.

If you do not want to save the content, you can first navigate to about:blank and then, in DocumentComplete, QI the document for IPersistMoniker and call Load with a TInterfacedObject, which basically mimics a URL moniker.

There is a third way: write a security manager for the whole process, which puts your URL in a trusted zone.


The solution is to implement your own Internet Security Manager service, which creates an object that implements IInternetSecurityManager (see MSDN: Implementing a Custom Security Manager). There are five security zones:

  • Local: URLZONE_LOCAL_MACHINE (0)
  • Intranet: URLZONE_INTRANET (1)
  • Trusted: URLZONE_TRUSTED (2)
  • Internet: URLZONE_INTERNET (3)
  • Restricted: URLZONE_UNTRUSTED (4)

The only method you really need to worry about is MapUrlToZone:

    TEmbeddedSecurityManager = class(TInterfacedObject, IInternetSecurityManager)
    public
      //...
      function MapUrlToZone(pwszUrl: LPCWSTR; out dwZone: DWORD; dwFlags: DWORD): HResult; virtual; stdcall;
      //...
    end;

This method checks if the URL starts with about:security, for example

    about:security_Contoso.exe

and if so, then returns that the zone should be Local:

    function TEmbeddedSecurityManager.MapUrlToZone(pwszUrl: LPCWSTR; out dwZone: DWORD; dwFlags: DWORD): HResult;
    var
      url: UnicodeString;
    begin
      Result := INET_E_DEFAULT_ACTION;

      { https://msdn.microsoft.com/en-us/library/ms537133(v=vs.85).aspx }
      url := pwszUrl;

      { When IE Enhanced Security is enabled, the url goes from
          about:blank_xxxx
        to
          about:security_xxxx
        In that case we will put the page in the "Local" zone }
      if url.StartsWith('about:security') then
      begin
        dwZone := URLZONE_LOCAL_MACHINE; //Local
        Result := S_OK;
      end;
    end;

Every other method should return INET_E_DEFAULT_ACTION (i.e. not S_OK and not E_NOTIMPL), for example:

    function TEmbeddedSecurityManager.SetSecuritySite(Site: IInternetSecurityMgrSite): HResult;
    begin
      Result := INET_E_DEFAULT_ACTION;
    end;

You provide this service to the embedded WebBrowser when it calls IServiceProvider.QueryService. In the case of Delphi's TEmbeddedWB control, it is exposed in the OnQueryService event:

    function TForm1.EmbeddedWBQueryService(const rsid, iid: TGUID; out Obj: IInterface): HRESULT;
    var
      sam: IInternetSecurityManager;
    begin
      Result := E_NOINTERFACE;

      //rsid ==> Service Identifier
      //iid ==> Interface identifier
      if IsEqualGUID(rsid, IInternetSecurityManager) and IsEqualGUID(iid, IInternetSecurityManager) then
      begin
        sam := TEmbeddedSecurityManager.Create;
        Obj := sam;
        Result := S_OK;
      end;
    end;
+1
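A stricter form of the URL test in the answer above, as an added example that is not part of the original answer: it accepts only the exact about:security_<exe> URL of the hosting process instead of any URL with the about:security prefix. It assumes the suffix is the host executable's file name (inferred from the about:security_Contoso.exe example); ZoneForUrl, ZONE_USE_DEFAULT and the sample URLs are constructed for illustration.

```delphi
program StrictZoneMatch;
{$APPTYPE CONSOLE}

uses
  System.SysUtils;

const
  // Value taken from the zone list in the answer.
  URLZONE_LOCAL_MACHINE = 0;
  // Hypothetical sentinel: the caller returns INET_E_DEFAULT_ACTION for it.
  ZONE_USE_DEFAULT = -1;

{ Elevate only the exact about:security_<exe> URL of the hosting process.
  Assumption: the suffix is the host executable's file name, as in the
  about:security_Contoso.exe example. Anything else keeps the default zone. }
function ZoneForUrl(const Url, HostExeName: string): Integer;
begin
  if (HostExeName <> '') and
     SameText(Url, 'about:security_' + HostExeName) then
    Result := URLZONE_LOCAL_MACHINE
  else
    Result := ZONE_USE_DEFAULT;
end;

{ Print the decision for one URL, with Contoso.exe as the constructed host. }
procedure Check(const Url: string);
var
  Zone: Integer;
begin
  Zone := ZoneForUrl(Url, 'Contoso.exe');
  if Zone = ZONE_USE_DEFAULT then
    Writeln(Url, ' -> default action')
  else
    Writeln(Url, ' -> zone ', Zone);
end;

begin
  // Constructed sample URLs, not taken from the page.
  Check('about:security_Contoso.exe');      // this process's own page
  Check('about:security_Other.exe');        // same prefix, different executable
  Check('about:security_Contoso.exe.bak');  // same prefix, extra suffix
  Check('about:blank');                     // unrelated about: URL
end.
```

In MapUrlToZone, pass ExtractFileName(ParamStr(0)) as HostExeName and return INET_E_DEFAULT_ACTION whenever the result is ZONE_USE_DEFAULT.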

Perhaps you might consider downloading another built-in browser. Exist:

0