Sometimes links open up in my default browser that I didn't do on purpose.

This happens when I install things sometimes for example. But it could also
happen if I accidentally click on links in my newsreader or in a MS Office
document or whatever.

That means I can't just turn off the network to prevent it from happening.

I want to set up my default browser so that the default browser doesn't go
to the net when it is fed by some program a link to open up.

What is a good way to set up the default browser to prevent the default
browser from doing anything on links that are either accidental or called
for by a program?

Am Fri, 19 Nov 2021 19:55:36 -0000 (UTC)
schrieb soyon <soyon@soyon.biz>:

> What is a good way to set up the default browser to prevent the
> default browser from doing anything on links that are either
> accidental or called for by a program?
You could install another browser, set it as default and set up an
invalid proxy server for it.
Then it will try to connect to the proxy but can't, so no connection
can be established.

On 11/19/2021 2:55 PM, soyon wrote:
> Sometimes links open up in my default browser that I didn't do on purpose.
>
> This happens when I install things sometimes for example. But it could also
> happen if I accidentally click on links in my newsreader or in a MS Office
> document or whatever.
>
> That means I can't just turn off the network to prevent it from happening.
>
> I want to set up my default browser so that the default browser doesn't go
> to the net when it is fed by some program a link to open up.
>
> What is a good way to set up the default browser to prevent the default
> browser from doing anything on links that are either accidental or called
> for by a program?
>

I don't know any of the details (I won't be trying this),
but what you could do is:

1) Install a decoy browser. Say Opera.
2) Make Opera your "default browser".
3) Use Applocker (it used to be a Windows feature), to
prevent Opera.exe from running. AppLocker can block
stuff, and you can define policies that way.

AppLocker was once proposed as a solution, to prevent
an inserted CD from installing shit on the PC.

I don't know if the AppLocker is still there, but it might
be one way to trap attempts to start the default browser.
Just make sure the browser is not something you will ever
want to use. If you set up Opera.exe that way, and then
used AppLocker on it, you'd no longer be able to double-click
Opera.exe either. Once AppLocker blocks it, that would not
work.

https://www.tenforums.com/tutorials/124008-use-applocker-allow-block-executable-files-windows-10-a.html

Paul

On Fri, 19 Nov 2021 19:40:38 -0500, Paul wrote:

> 1) Install a decoy browser. Say Opera.
> 2) Make Opera your "default browser".
> 3) Use Applocker (it used to be a Windows feature), to
> prevent Opera.exe from running. AppLocker can block
> stuff, and you can define policies that way.

Thx. Your good suggestion mostly worked when I tried it.

1) I installed Opera and made it my Windows 10 default browser.
2) I set up the VPN to start on invocation for that Opera browser.
3) I don't have Applocker but I don't think I need it anyway.

When I tested your suggestion I found that Opera was so slow to come up that
I could kill it if I saw it (which happens when I click on a link by mistake
or when a program installs and then it brings up the default browser to the
thank you page).

Then I realized that leaving Opera on VPN helps for when I don't see the
browser come up because at least the web page it goes to doesn't get my IP
address (but they do get the serial number or other information if that's
what the post install program feeds it when it calls up the browser).

But then I think I found a better solution along what Marco Moock suggested.

On Fri, 19 Nov 2021 21:09:40 +0100, Marco Moock wrote:

>> What is a good way to set up the default browser to prevent the
>> default browser from doing anything on links that are either
>> accidental or called for by a program?

> You could install another browser, set it as default and set up an
> invalid proxy server for it.
> Then it will try to connect to the proxy but can't, so no connection
> can be established.

Thx. That was a good suggestion but I don't know what you mean by setting up
an "invalid proxy server" and I still don't know what that actually means.

But when I looked up what a "proxy server" is, I found something called the
onion router which has its own built in invalid mechanism for connecting to
the internet.

What I did was not check the box in the onion router that asks
"Always connect automatically" and then I set the onion router as my default
from inside of the onion router's settings by hitting the "Make Default"
box.

But Windows 10 isn't making it the default.

Even when I went to the Windows settings for apps, it doesn't give me the
option to make the onion router my default browser so I think I'm going to
have to reboot and see if that's what Windows needs to set it as the default
router.

If I can get Windows 10 to accept it as the default router, all I need to do
is make sure that box isn't checked and it won't even try to go to the net.

soyon <soyon@soyon.biz> wrote:

> Sometimes links open up in my default browser that I didn't do on
> purpose.
>
> This happens when I install things sometimes for example. But it
> could also happen if I accidentally click on links in my newsreader
> or in a MS Office document or whatever.
>
> That means I can't just turn off the network to prevent it from
> happening.
>
> I want to set up my default browser so that the default browser
> doesn't go to the net when it is fed by some program a link to open
> up.
>
> What is a good way to set up the default browser to prevent the
> default browser from doing anything on links that are either
> accidental or called for by a program?

You cannot do anything about a program programmtically calling another
program other than to uninstall or never run the caller program
(assuming no other program calls the one that programmatically loads a
web browser), or uninstall all web browsers (because one of them will be
the default). You could use portable web browsers on a USB drive, keep
the USB drive unplugged until you want to use a web browser, and
uninstall all other web browsers installed in your OS.

As for your accidental clicking on hyperlinks, that's a behavior you
need to alter yourself. You chose to click on them.

You could disable your network connection until when you decide you want
to use it (by any network-capable client). Once you re-enable network
access, any program you run that is network capable can connect to the
network. However, that will still not prevent any program from
programmatically calling another program, like calling a web browser.

No matter how you disable a program programmatically loads a web
browser, like never running the caller program, how are you going to
stop programs that do the network connections directly instead of
calling a web browser? Yep, you'll have to disable the network access
until you want to do network stuff, but as soon as you do than any
program that is loaded that can do network stuff gets access, too.

In Internet Options, you could define using a proxy that doesn't exist.
Change the proxy settings to bogus settings, so when you or any caller
that programmatically calls the web browser (or for ANY network capable
client) cannot connect anywhere until you change the proxy settings back
to normal. Internet Options -> Connections -> LAN Settings -> Proxy
server. Probably would be easier to disable the network connectoid, and
later reenable it only when you want to use it, and disable it again
when you are done. That won't stop any process from programmatically
calling the web browser to load it pointing it at some URL, but the web
browser cannot connect to a proxy that doesn't exist or using a
connectoid that is disabled.

You mentioned Windows 10, but not which edition. With Pro and
Enterprise editions, you can use the policy editor to create a policy
that blocks loading of the dummy web browser. As Marco suggested by
using a dummy default web browser, but if you don't want to use a proxy
to kill network connections, you could still install a web browser to
use as the dummy one, and define a Software Restriction Policy (SRP) to
block running that dummy web browser's .exe file. SRPs are only
available if the policy edit (gpedit.msc) is available. Pro, and up,
editions have it, but not Home editions. All policies are registry
entries, but SRPs have a crypto-hash assigned to them that only the OS
knows how to generate. That is to prevent malware from defining or
altering SRPs.

Perhaps simpler is to define outbound rules in the Windows firewall on
the dummy web browser that blocks it from obtaining connections. The
dummy web browser can still get programmatically loaded by a caller
process, but the dummy web browser cannot get any network connections.
The firewall on the dummy web browser would need several outbound rules
- one for every common port used by web browsers: HTTP, HTTPS, FTP, etc.
As Marco mentioned, the dummy web browser would have to be the default
one. That also means YOU can never click on a hyperlink to open it,
because the default web browser cannot get any network connections.
Some web browsers let you define its network connections instead of
relying on the OS settings (Internet Options -> Connections mentioned
before). If so, you could define a bogus proxy for just the dummy web
browser, so that web browser can never connect anywhere because its
proxy doesn't exist. For example, Firefox lets you define whether to
use system network settings, or use its own config. I'm sure there are
other web browsers that do the same. However, you cannot use that
default and dummy web browser configured to use a bogus proxy. So, you
accidentally clicking on a hyperlink won't get blocked from loading a
web browser, but it will be the one that is neutered. Yet that also
means when you click a hyperlink you do want to load that you'll be
using the default dummy web browser that cannot connect anywhere, and
you'll have to copy the URL for a hyperlink to use in a manually-loaded
alternate web browser. Of course, those processes that programmatically
load the default web browser will still be loading that web browser, but
get no connection. You'll still end up having to close the
programmatically loaded dummy web browser.

Someone mentioned AppLocker. You can install it into Enterprise
editions of Windows which probably eliminates that as a choice for you.
Plus, I only see you can Allow or Block, but nothing about prompting the
user. In fact, AppLocker is an enterprise-level control over what
software inventory on a workstation the employee can use, not something
for personal use on your own computer.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview

It is SRPs on steroids. If you have the Pro edition, or above, of
Windows then you can just define a policy to Allow or Block a program
from loading. However, like AppLocker, I don't remember there is a
Prompt choice. You only get to specify Allow or Block.

You could use an anti-virus/anti-malware program that prompts when a
process loads that wants network access. You will need one that prompts
Yes or No. However, if you ever answer Yes and also to remember that
choice, you're back to always loading it without a prompt. Using an
AV's app control does not eliminate programmatically calling the web
browser, just eliminate the web browser from loading or not based on
your response to a prompt. Some 3rd party firewalls also provide a
prompt to Allow or Block. As I recall, Comodo Firewall (CFW) has that
feature. Just be sure to not permanently Allow, just temporarily when
you want to use the web browser. You also need to configure it in
paranoid mode. It comes with a database of preset rules to minimize the
prompting to eliminate their firewall becoming a major nuisance when
first using it. However, that means anything that wants a network
connection will generate a prompt, and you'll have lots of prompts to
answer, reducing them as you select to permanently Allow or permanently
Block the access (until you decide to delete the app rule to start over
again with a prompt). I do NOT recommand using Comodo Anti-Virus (CAV)
product as it is shit. It uses a small and outdated database of
signatures, and primarily relies on the Defense+ heuristics component of
their firewall product, so just get their firewall product alone. When
CAV was separate, they kept in in beta status to remove it from AV
comparisons. They had promised to copy Defense+ into CAV. Instead they
rolled CAV into CFW which further precludes it from AV comparisons. I'd
have to research CFW again to determine how to configure its D+
component to always prompt you on anything that wants network access
(i.e., paranoid mode). You'll answer a lot of prompts on processes you
probably know nothing about and have to research. You could use CFW in
normal D+ mode letting it pre-answer the prompts to allow or block, and
just define outbound rules to block access by the dummy default web
browser, but you can use Windows Firewall for that.

On Fri, 19 Nov 2021 22:19:10 -0600, VanguardLH wrote:
> In Internet Options, you could define using a proxy that doesn't exist.
> Change the proxy settings to bogus settings, so when you or any caller
> that programmatically calls the web browser (or for ANY network capable
> client) cannot connect anywhere until you change the proxy settings back
> to normal. Internet Options -> Connections -> LAN Settings -> Proxy
> server.

I don't know what a proxy is (nor even a valid proxy to set things to for
what proxies are supposed to be used for) but even so, I can't find those
manual proxy settings in the Windows 10 Pro Microsoft Edge on my system
Microsoft Edge [Version 96.0.1054.29 (Official build) (64-bit)].

> You mentioned Windows 10, but not which edition.

Windows 10 Pro Version 20H2 (OS Build 19042.1348).

> With Pro and
> Enterprise editions, you can use the policy editor to create a policy
> that blocks loading of the dummy web browser. As Marco suggested by
> using a dummy default web browser, but if you don't want to use a proxy
> to kill network connections, you could still install a web browser to
> use as the dummy one, and define a Software Restriction Policy (SRP) to
> block running that dummy web browser's .exe file. SRPs are only
> available if the policy edit (gpedit.msc) is available.

I ran gpedit.msc and it popped up a "Local Group Policvy Editor" but I don't
know how to use it yet to block the dummy web browser's executable file.

> For example, Firefox lets you define whether to
> use system network settings, or use its own config. I'm sure there are
> other web browsers that do the same.

I didn't want to mess with Firefox or Chrome and I couldn't find the manual
proxy settings Microsoft Edge (which is a browser that I never use).
Microsoft Edge kept taking me to the Windows 10 system proxy (which I don't
even know what that is).

I installed Pale Moon & found the browser manual proxy settings in
Pale Moon's Tools --> Preferences --> Advanced --> Network.

In the Connection section is a settings button to "Configure how Pale Moon
connects to the Internet" which is set to the default "Use system proxy
settings", whatever they are.

I changed that to "Manual proxy configuration" with the "HTTP Proxy" set to
127.0.0.1 port 9999 and then I checked "Use this proxy for all protocols"
which then set the SSL Proxy, FTP Proxy and SOCKS Host to that value.

Unlike the onion router, Windows 10 let me set Pale Moon as the default
browser. When I tested a link Pale Moon came up with the error "The proxy
server is refusing connections. Pale Moon is configured to use a proxy
server that is refusing connections."

> Yet that also
> means when you click a hyperlink you do want to load that you'll be
> using the default dummy web browser that cannot connect anywhere, and
> you'll have to copy the URL for a hyperlink to use in a manually-loaded
> alternate web browser.

I didn't realize that until you said it and I agree that's unfortunate.
The bogus proxy settings in the dummy Pale Moon default browser block
everything, even when I might want to click on a link to go somewhere.

Maybe the original suggestion of using a "slow" VPN browser like Opera is
best because it still allows it to be the default browser (unlike the onion
router) but it is slow enough to close the browser if I see it pop up. And
if I don't see it pop up, at least it will report back to the recipient web
site the Opera VPN IP address instead of mine.

soyon <soyon@soyon.biz> wrote:

> VanguardLH wrote:
>
>> In Internet Options, you could define using a proxy that doesn't
>> exist. Change the proxy settings to bogus settings, so when you or
>> any caller that programmatically calls the web browser (or for ANY
>> network capable client) cannot connect anywhere until you change the
>> proxy settings back to normal. Internet Options -> Connections ->
>> LAN Settings -> Proxy server.
>
> I don't know what a proxy is (nor even a valid proxy to set things to
> for what proxies are supposed to be used for) but even so, I can't
> find those manual proxy settings in the Windows 10 Pro Microsoft Edge
> on my system Microsoft Edge [Version 96.0.1054.29 (Official build)
> (64-bit)].

As noted, Internet Options -> Connections -> LAN Settings -> Proxy. You
can use the old Control Panel (control.exe) to get to Internet Options,
or just search on "Internet Options" in the Start menu search.

>> You mentioned Windows 10, but not which edition.
>
> Windows 10 Pro Version 20H2 (OS Build 19042.1348).

The Pro edition has the policy editor (gpedit.msc) in which you can
define SRPs (Software Restriction Policies). I don't hand hold on this
stuff, especially since the Web has lots of articles on them.

https://www.google.com/search?q=policy%20editor%20software%20restriction%20policies

While there are several types of SRPs, I only used Path rules. You
define the policy by pointing at a particular file (i.e., the
executables path). If the executable gets moved elsewhere, or exists
elsewhere and that one gets called, the Path SRP rule won't apply, so
you have to define multiple Path rules on whatever number of copies of
the executable that exist in whatever paths. However, I've used that to
an advantage. I didn't want an .exe in its default path to get
executed, but I did want another .exe in a different path executed. I
had magicJack at one time that would auto-update that would screw up my
config. I blocked access to the .exe in the default path the updater
would use, and specify a copy of the .exe in a different path that the
program or shortcuts could use.

> I ran gpedit.msc and it popped up a "Local Group Policvy Editor" but I
> don't know how to use it yet to block the dummy web browser's
> executable file.

Use the web for training.

> Maybe the original suggestion of using a "slow" VPN browser like Opera
> is best because it still allows it to be the default browser (unlike
> the onion router) but it is slow enough to close the browser if I see
> it pop up. And if I don't see it pop up, at least it will report back
> to the recipient web site the Opera VPN IP address instead of mine.

As mentioned, you could use the firewall to block network access to the
dummy/default web browser. You have to manually use an alternate web
browser.

Or use app control in AVs or 3rd party firewalls to prompt you to allow
or block network access. Just don't ever select to remember your
choice; else, you lose the prompt thereafter since your choice will
always get used (until you delete the app rule in the AV or firewall).
You wouldn't need a dummy web browser as the default that always has it
network access denied, or use SRPs to always block the program from
loading. Get a prompt to let you decide what to do when the default web
browser gets loaded.

Note that clicking on a hyperlink does not always use the default web
browser. URLs can specify a protocol other than HTTP or HTTPS. For
example, URLs with a protocol of microsoft-edge:// will open the Edge
web browser no matter what is selected as the default web browser. You
could edit the registry, or use a tool to modify the ms-edge protocol,
to point at your choice of web browser even for these special URLs, but
I use Edge Redirector instead to do the registry editing. Using
microsoft-edge://<url> is how Microsoft tries to force Windows users to
use Edge when clicking on hyperlinks in the Settings dialogs, and
elsewhere, like for the hyperlinks in their Settings dialogs. Microsoft
isn't the only one using their proprietary protocol URL prefixes to
direct to their app. Norton AntiVirus used to run as an HTA (HTML
Application), and define a proprietary URL protocol that pointed to
their AV program.

In Start menu, search on Default Apps, and load that dialog. Scroll
down to "Choose default apps by protocol". You'll see HTTP and HTTPS
list whatever is your default web browser. Scroll a bit farther, and
you'll see Microsoft-Edge (URL: microsoft-edge:). For me, that doesn't
list the Microsoft Edge web browser, but EdgeDeflector, a tool I use to
make the registry edits to change that protocol's definition to load
whatever is currently the assigned default web browser.

https://github.com/da2x/EdgeDeflector

It makes registry edits to change the microsoft-edge: protocol to point
at whatever is currently assigned as the default web browser. You run
it, it's done. It does not stay running. It makes the registry edits,
and unloads, and its done.

Am Sat, 20 Nov 2021 03:13:07 -0000 (UTC)
schrieb soyon <soyon@soyon.biz>:

> Thx. That was a good suggestion but I don't know what you mean by
> setting up an "invalid proxy server" and I still don't know what that
> actually means.
>
> But when I looked up what a "proxy server" is, I found something
> called the onion router which has its own built in invalid mechanism
> for connecting to the internet.
Onion routing is not the same and not really useful here.

For example, install Firefox as your browser that can't connect to the
internet.
Open the settings, got to proxy settings and select the manual proxy.
Then enter for all options
127.0.0.1 port 50000
There is no proxy running, so the connection will be refused.
No webpage can be opened.

On Fri, 19 Nov 2021 23:43:07 -0600, VanguardLH wrote:

> As noted, Internet Options -> Connections -> LAN Settings -> Proxy. You
> can use the old Control Panel (control.exe) to get to Internet Options,
> or just search on "Internet Options" in the Start menu search.

I went there but isn't that setting up a proxy for the entire machine?
Not just for the one default Microsoft Edge browser?

Windows Run --> control --> Internet Options --> Connections -->
LAN Settings --> Proxy server --> Use a proxy server for your LAN

>>> You mentioned Windows 10, but not which edition.
>>
>> Windows 10 Pro Version 20H2 (OS Build 19042.1348).
>
> The Pro edition has the policy editor (gpedit.msc) in which you can
> define SRPs (Software Restriction Policies). I don't hand hold on this
> stuff, especially since the Web has lots of articles on them.

No need to hand hold. The best solution is to find a web browser like the
onion router that has a "Connect" button. That way nothing will connect that
opens up the default browser even if a URL is fed to that browser.

When I want to connect with the default browser, I just have to hit that
"Connect" button. That's the most direct and easiest to use solution
overall.

The only problem is it's not easy to get the onion router to be the default
web browser in Windows.
>> Maybe the original suggestion of using a "slow" VPN browser like Opera
>> is best because it still allows it to be the default browser (unlike
>> the onion router) but it is slow enough to close the browser if I see
>> it pop up. And if I don't see it pop up, at least it will report back
>> to the recipient web site the Opera VPN IP address instead of mine.
>
> As mentioned, you could use the firewall to block network access to the
> dummy/default web browser. You have to manually use an alternate web
> browser.

The best solution so far is to use an intelligent browser that has an
additional switch for connecting to the internet like the onion router has.

That way, when an errant program tries to connect to the default browser it
won't be able to get on the net but if I want to use the default browser I
just have the one extra step to hit the onion router's "Connect" button.

Does any other browser have the "Connect" feature that the onion router has?

> Or use app control in AVs or 3rd party firewalls to prompt you to allow
> or block network access. Just don't ever select to remember your
> choice; else, you lose the prompt thereafter since your choice will
> always get used (until you delete the app rule in the AV or firewall).

That might work too!

> Note that clicking on a hyperlink does not always use the default web
> browser.

Good to know!
Thx!

What I'm looking for is a web browser like the onion router that has an
additional "Connect" button which would be the perfect solution overall.

soyon <soyon@soyon.biz> wrote:

> On Fri, 19 Nov 2021 23:43:07 -0600, VanguardLH wrote:
>
>> As noted, Internet Options -> Connections -> LAN Settings -> Proxy. You
>> can use the old Control Panel (control.exe) to get to Internet Options,
>> or just search on "Internet Options" in the Start menu search.
>
> I went there but isn't that setting up a proxy for the entire machine?
> Not just for the one default Microsoft Edge browser?

Yep, it is the OS-level proxy setting which would be used by Edge, and
any web browser configured to use system network settings. In Firefox,
and other web browsers, you can elect to have them use the system
network settings, or use their own. So, configure the non-Edge web
browsers to use their own settings (and don't bother specifying a proxy
in their network settings).

>> Or use app control in AVs or 3rd party firewalls to prompt you to allow
>> or block network access. Just don't ever select to remember your
>> choice; else, you lose the prompt thereafter since your choice will
>> always get used (until you delete the app rule in the AV or firewall).
>
> That might work too!

You keep mentioning "onion router". At best, that's a routing program
that does the prompting to allow or block. However, I suspect what
you're actually dealing with is the Tor web browser (a variant of
Firefox) and connecting through Tor nodes (some of which are operated by
the FBI, and the others by operators unknown). Your traffic goes
through their much smaller network, and where of the nodes are running
on home PCs instead of through data centers.

The 3rd party firewall with prompting to allow/block network connects is
probably easier to setup. Just remember that you'll have to either
configure it to paranoid mode where you have to authorize every network
access by every program, or use their easy mode that uses a database of
known programs that pre-authorizes those to use, and then modify their
rules to change from Allow to Prompt on all your web browsers.

On Fri, 19 Nov 2021 at 19:40:38, Paul <nospam@needed.invalid> wrote (my
responses usually follow points raised):
>On 11/19/2021 2:55 PM, soyon wrote:
[]
>> What is a good way to set up the default browser to prevent the
>>default
>> browser from doing anything on links that are either accidental or called
>> for by a program?
>>
>
>I don't know any of the details (I won't be trying this),
>but what you could do is:
>
>1) Install a decoy browser. Say Opera.
>2) Make Opera your "default browser".
>3) Use Applocker (it used to be a Windows feature), to
> prevent Opera.exe from running. AppLocker can block
> stuff, and you can define policies that way.
[]
As this (or other similar discussed matters) would mean the default
browser wouldn't do anything useful (well, other than look at local HTML
files I suppose), is there any reason to install a full browser for this
purpose?

I'd have thought just having a dummy executable that doesn't do
_anything_ (except perhaps return a zero error return value [challenge:
who can create the smallest such executable!]), and declaring that to be
the default browser, would achieve what you want.

It'd have the inconvenience that you then wouldn't _have_ a "default
browser" (at least, not one that browsed!), but having one and then
nobbling it would surely have the same effect (other than, as I said,
viewing local files)?
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

A man is not contemptible because he thinks science explains everything, and a
man is not contemptible because he doesn't. - Howard Jacobson, in Radio Times
2010/1/23-29.

On Sun, 21 Nov 2021 13:31:51 +0000, J. P. Gilliver (John) wrote:

> As this (or other similar discussed matters) would mean the default
> browser wouldn't do anything useful (well, other than look at local HTML
> files I suppose), is there any reason to install a full browser for this
> purpose?

What you want is for the default browser to pop up with the URL, but not go
to the Internet. That's what the "Connect" does, for example, with the onion
router.
(a) When you do want the URL to visit the net, you hit the Connect button.
(b) When you don't want the URL to visit the net, you don't hit Connect.

The only problem with the onion router is it can't easily be set as the
default browser on Microsoft Windows 10 (as far as I can tell).

As a workaround, a slooooooow browser (like Opera) only needs to be slow
enough that you can catch it in the act, and even if you miss it in the act,
it will at least show a bogus IP address.

In the end, you want what the onion router does, but as the default browser.