Disabling Internet Explorer "Save my password" checkbox for http authentication

From: Anthony DiPasquale (agdrcc_at_ritvax.isc.rit.edu)
Date: 09/19/03

    Date: Fri, 19 Sep 2003 14:38:27 -0400
    To: focus-ms@securityfocus.com
    
    

    Greetings,

    I maintain several "public" computers that are configured with group
    policy to allow a user to log on with a generic account and the Windows
    shell is replaced by Internet Explorer running in kiosk mode, so they
    basically get a full screen web browser pointed at a particular
    website. (Windows XP Pro running IE6 latest with all patches on a Win2k
    AD environment). This site requires http authentication, so an http
    authentication window pops up stating the realm and asking for
    username/password, and has a checkbox below to save this username and
    password combination. Unfortunately it seems some of our users lack
    the common sense to realize they are using a public terminal that
    always goes to the same website where sensitive information is kept and
    check this box off. The next person to come along and log in to the
    machine is then prompted for the http authentication username/password
    combination and is greeted with some other user's information
    conveniently filled out for them. Is there a way to disable this
    checkbox, or perhaps clear the stored information somehow at logout?
    It seems that turning off AutoComplete including the save passwords
    option does not affect the http authentication dialog, and I've also
    tried to disable userdata persistence and set user authentication to
    "prompt for username and password" in the IE security options, but
    neither of these seems to help me.

    Any suggestions? Any idea where this information is stored on the
    system so that it can at least be cleared at logout? It is common
    practice for users to log off the machine after using the kiosk mode
    because the website they visit actually enables an account for them to
    re-logon to the system and use it as a regular workstation, so this
    would be a viable option.

    Thanks in advance!

    -Anthony
