Using group policy I am able to prevent a user group from browsing the hard drive of my Windows XP clients. However, I noticed that using the “file://” protocol within Firefox, you can bypass this security and download files from the hard drive via hyperlinks. Preventing this would be very useful in a lab setting or for a kiosk. Here is how you do it. (Note in step 3 that multiple protocols are blocked.)
- Make sure you have Java and the Java bin in your PATH variable and unjar the comm.jar in /mozilla/chrome with
jar -xf browser.jar
- This will give you a directory called “content”; open “/content/browser/browser.js” in an editor.
- Search for the function declaration “function BrowserLoadURL(aTriggeringEvent)” and insert the following lines of code into the position specified below (Approx line 1980).
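if (url.match(/^file:/) || url.match(/^\//) || url.match(/^resource:/) || url.match(/^about:/))
{
  // Refuse local and internal protocols typed into the location bar.
  alert("Access to this protocol has been disabled!");
  return; // stop here so the URL is never loaded
}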
Where to insert the code:
function BrowserLoadURL(aTriggeringEvent)
{
var url = gURLBar.value;
(**** INSERT CODE HERE *****)
if (url.match(/^view-source:/)) {
- Save navigator.js and create a new browser.jar with
jar -cf browser.jar content
- Replace the original browser.jar with the new browser.jar.
- Fire up mozilla and test it out.
The user can, however, still type “c:\” and access the hard drive contents. There must be some other function that translates “c:” to “file:///c:/”, which works and bypasses this rule. If anyone finds an easy solution to this, let me know.
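One way to close the “c:\” gap at the same check is to normalise the typed text and reject drive-letter and rooted paths alongside the blocked schemes. This is an added example, not part of the original post or of Firefox's own browser.js; the helper name isBlockedLocation and the sample inputs are assumptions, and it only covers text entered in the location bar.

```javascript
// Added example: hypothetical helper, not code from Firefox's browser.js.
// Schemes are the ones the post blocks in step 3.
var BLOCKED_SCHEME = /^(file|resource|about):/;
// Drive-letter form ("c:", "c:\", "c:/"), which the post observes still
// opens the hard drive even with the scheme check in place.
var DRIVE_PATH = /^[a-z]:([\\\/]|$)/;
// Absolute path or UNC share ("/", "\\server\share").
var ROOTED_PATH = /^[\\\/]/;

function isBlockedLocation(rawInput) {
  // The location bar hands over raw user text, so normalise before matching:
  // drop leading whitespace and compare in lower case.
  var value = String(rawInput).replace(/^\s+/, "").toLowerCase();
  return BLOCKED_SCHEME.test(value) ||
         DRIVE_PATH.test(value) ||
         ROOTED_PATH.test(value);
}

// Constructed sample inputs and the decision for each.
function demo() {
  var samples = ["file:///c:/", "c:\\", "C:", "/etc", "about:config",
                 "http://example.com/", "example.com"];
  var out = [];
  for (var i = 0; i < samples.length; i++) {
    var verdict = isBlockedLocation(samples[i]) ? "blocked" : "allowed";
    out.push(samples[i] + " -> " + verdict);
  }
  return out;
}

// Intended use inside BrowserLoadURL, in place of the chain of url.match() calls:
//   if (isBlockedLocation(url)) {
//     alert("Access to this protocol has been disabled!");
//     return;
//   }
console.log(demo().join("\n"));
```

The helper uses only var and regular expressions, so it does not depend on newer JavaScript features.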



