Controlling Internet Access using a Pac File - Directing Users to your PAC File
Now that you have your PAC file, you need to get your users to start using it. There are a couple of ways you can accomplish this, apart from the obvious one of getting them to do it themselves.
Please note that all the options discussed below are for use with Internet Explorer; they won't affect Firefox, Opera, Safari, etc. If you have a way of setting up these browsers, send it to me and I'll attach it as a comment to this article.
Hacking the Registry
The IE home page is just a simple setting in the registry. It is specific to each user profile on the machine and lives in
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
So if you use VBS login scripts, you could have a function in them that writes the location of your config file, something like this:
'Create shell object
Set objwsh = WScript.CreateObject("WScript.Shell")
'Assign the PAC file
Const PROXY_LOC = "http://webserver1/proxy.pac"
'Write the PAC URL to the current user's AutoConfigURL value
objwsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL", PROXY_LOC, "REG_SZ"
Using a Group Policy
If you are running in an Active Directory domain, this is probably the best way to control it. By using this method you can not only set the location of the PAC file, but also disable the option in Internet Explorer so that the user can't go in and change it.
Open up (or create) a Policy file that will hold the settings for your users. The options you need are all in the USER section under Windows Settings/Internet Explorer Maintenance/Connection. To use your PAC file, open up the Automatic Browser Configuration option.
In here tick the Enable Automatic Configuration box, and then in the bottom text area named Auto-proxy URL, put the address of your PAC file in. For example, http://webserver1/proxy.pac.
You can also set an interval in minutes after which the PAC file is reloaded. If you leave this blank, the PAC file is just re-read every time you reload the browser.
Going Forward
As the language of the PAC file is JavaScript-based, there are a lot more functions you could build into it, such as re-directing the user to one site if they try to visit a page they shouldn't be visiting. There are also various other options for distributing the PAC file. One of the most interesting is using DNS and DHCP to implement the Web Proxy Autodiscovery (WPAD) protocol.
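The block-page idea mentioned above, as an added example that is not part of the original article: a PAC file that hands requests for listed domains to a server which answers everything with a "blocked" page. The host names, ports and domain list are constructed placeholders, and the stand-in helper definitions exist only so the file can be run outside a browser.

```javascript
// Added example: constructed host names and block list, not from the article.
var BLOCKED_DOMAINS = ["games.example", "webmail.example"];
var BLOCK_PAGE = "PROXY blockpage.corp.example:8080"; // hypothetical block-page server
var NORMAL = "PROXY proxy1.corp.example:3128";        // hypothetical outbound proxy

// Browsers supply the PAC helper functions. These stand-ins are defined only
// when the helpers are missing, so the same file can be tested under Node.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}

function isBlocked(host) {
  host = host.toLowerCase();
  for (var i = 0; i < BLOCKED_DOMAINS.length; i++) {
    var d = BLOCKED_DOMAINS[i];
    // Exact match or a subdomain. The leading dot stops "notgames.example"
    // from matching "games.example" on a bare suffix comparison.
    if (host === d || dnsDomainIs(host, "." + d)) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // Single-label intranet names bypass the proxy.
  if (isPlainHostName(host)) return "DIRECT";
  // A PAC file cannot issue a redirect; it can only pick the proxy. Blocked
  // hosts go to a server that answers every request with the block page.
  if (isBlocked(host)) return BLOCK_PAGE;
  return NORMAL;
}
```

For https:// URLs the browser sends a CONNECT request to the chosen proxy, so the user sees a connection error rather than the block page unless that server handles CONNECT.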