Vista - Logging into hotmail will circumvent Windows Messenger GPO restriction

Old 02-10-2009   #1 (permalink)
RRE


 
 

Logging into hotmail will circumvent Windows Messenger GPO restriction

Hi,

A customer of ours showed a way to circumvent the applied Domain-GPO which
prevents use of Windows Messenger for some of their domain users and
computers. They have also applied software restrictions on certain files
that MSN or Windows Live Messenger make use of to tighten this even further.

But when a user logs on to their hotmail on the web to view their
personal e-mails using their own Windows Live ID, this somehow triggers the
installed MSN/Windows Live Messenger application to execute and get started
though there is a GPO applied that should prevent this!

How can this be, is it a bug? Is it because there are certain settings in
the messenger application (under tools/options/security settings) that may
trigger this behaviour? How can we prevent this from happening so it won't
execute when a user logs on to hotmail? We still want the MSN/Windows Live
Messenger to be installed on the local computer. Is there any special .adm
template available to tighten messenger usage even further?

Thanks in advance for any help and assistance
Regards,
Richard


Old 02-11-2009   #2 (permalink)
Jonathan Kay [MVP]


 
 

Re: Logging into hotmail will circumvent Windows Messenger GPO restriction

Greetings Richard,

I guess it depends what they're using in these GPOs. As I'm sure you know, there are no
special Messenger GPOs for anything beyond Windows Messenger (and MSN Messenger/Windows Live
Messenger just ignore the Windows Messenger ones).

The reason why this might work is because Messenger is called in Hotmail by its COM control,
which automatically starts it up. This might circumvent the normal execution process (note
I'm not in a position to test this thoroughly at the moment) and software restriction
policies (I'm guessing that's the GPO setting you're referring to).

Fortunately you can actually block Hotmail (any other related Microsoft site) from starting
Messenger. Pop open IE on any machine with Messenger, choose the Tools menu, Manage Add-ons
and Enable or Disable Add-ons. Show the entries that run without requiring permission and
the specific entry you'll want to disable is "Windows Live", which corresponds to the
"MSGSC1~1.DLL" file which in the latest 2009 release will correspond to \Program
Files\Windows Live\msgsc.14.0.8050.1202.dll and CLSID is
{E1771B7F-98BE-407F-BA67-AA16ADA5D0C5}.

Now beyond this UI to disable this in IE, there are registry entries and GPOs. The GPO can be
found in the policy editor at: Computer Configuration or User Configuration, expand
Administrative Templates, expand Windows Components, expand Internet Explorer, expand
Security Features, and then click Add-on Management.

There's a KB article that goes into detail:
http://support.microsoft.com/kb/883256

If you need more help, post back.

--
Jonathan Kay
Microsoft MVP - Windows Live Messenger
MSN Messenger/Windows Messenger
MessengerGeek Blog: http://www.messengergeek.com
Messenger Resources: http://messenger.jonathankay.com
(c) 2009 Jonathan Kay - If redistributing, you must include this signature or citation
--

"RRE" <coolblue@xxxxxx> wrote in message
news:44C364F7-7211-4F5E-B016-6AD4AE5A06A9@xxxxxx
Quote:

> Hi,
>
> A customer of ours showed a way to circumvent the applied Domain-GPO which
> prevents use of Windows Messenger for some of their domain users and
> computers. They have also applied software restrictions on certain files
> that MSN or Windows Live Messenger make use of to tighten this even further.
>
> But when a user logs on to their hotmail on the web to view their
> personal e-mails using their own Windows Live ID, this somehow triggers the
> installed MSN/Windows Live Messenger application to execute and get started
> though there is a GPO applied that should prevent this!
>
> How can this be, is it a bug? Is it because there are certain settings in
> the messenger application (under tools/options/security settings) that may
> trigger this behaviour? How can we prevent this from happening so it won't
> execute when a user logs on to hotmail? We still want the MSN/Windows Live
> Messenger to be installed on the local computer. Is there any special .adm
> template available to tighten messenger usage even further?
>
> Thanks in advance for any help and assistance
> Regards,
> Richard
>
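
Added example, not part of either post: a PowerShell sketch for auditing and enforcing the add-on restriction described in reply #2, using the CLSID quoted there. It assumes the registry layout behind IE's "Add-on List" policy (string values under Policies\Ext\CLSID, where 0 = disabled, 1 = enabled, 2 = user-managed); the function names are hypothetical.

```powershell
# Added example. CLSID taken from reply #2 ("Windows Live" add-on, msgsc DLL).
$Clsid  = '{E1771B7F-98BE-407F-BA67-AA16ADA5D0C5}'
# Assumption: location where the IE "Add-on List" policy stores its entries.
$SubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
$States = @{ '0' = 'Disabled'; '1' = 'Enabled'; '2' = 'UserManaged' }

function Get-AddOnPolicyState {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $path = "${Hive}:\$SubKey"
    if (-not (Test-Path -LiteralPath $path)) { return 'NotConfigured' }
    # GetValue returns $null when the CLSID has no entry in the list.
    $value = (Get-Item -LiteralPath $path).GetValue($Clsid)
    if ($null -ne $value -and $States.ContainsKey([string]$value)) {
        return $States[[string]$value]
    }
    return 'NotConfigured'
}

function Disable-AddOnByPolicy {
    # Writing to HKLM requires an elevated session.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    $path = "${Hive}:\$SubKey"
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -Force | Out-Null   # creates missing parent keys
    }
    New-ItemProperty -LiteralPath $path -Name $Clsid -Value '0' `
        -PropertyType String -Force | Out-Null
}

# Audit: report the policy state in both hives. A machine where neither hive
# reports 'Disabled' can still have Messenger started by the add-on.
foreach ($hive in 'HKLM', 'HKCU') {
    '{0}: {1}' -f $hive, (Get-AddOnPolicyState -Hive $hive)
}

# Enforce on a standalone machine (uncomment to apply):
# Disable-AddOnByPolicy -Hive 'HKLM'
```

On domain-joined machines, set the entry through the Add-on Management node of the GPO named in the reply and use the audit loop only to confirm the policy has arrived on each client.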