; Machine-wide settings
CLASS MACHINE

CATEGORY !!IEURLLock
  KEYNAME "Software\Policies\Steven Lawrance\IEURLLock"
  EXPLAIN !!IEURLLock_Explain

  ; The AllowUserOverride registry value
  POLICY !!AllowUserOverride
    EXPLAIN !!AllowUserOverride_Explain
    VALUENAME AllowUserOverride
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY

  ; The Debug registry value
  POLICY !!Debug
    EXPLAIN !!Debug_Explain
    PART !!DebugLevel DROPDOWNLIST REQUIRED
      VALUENAME Debug
      ITEMLIST
        NAME !!DebugLevel_0 VALUE NUMERIC 0 DEFAULT
        NAME !!DebugLevel_1 VALUE NUMERIC 1
        NAME !!DebugLevel_2 VALUE NUMERIC 2
        NAME !!DebugLevel_3 VALUE NUMERIC 3
        NAME !!DebugLevel_4 VALUE NUMERIC 4
        NAME !!DebugLevel_5 VALUE NUMERIC 5
      END ITEMLIST
    END PART
  END POLICY

  ; Logging level
  POLICY !!Logging
    EXPLAIN !!LogLevel_Explain
    VALUENAME Logging
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    PART !!LogLevel DROPDOWNLIST REQUIRED
      VALUENAME LogLevel
      ITEMLIST
        NAME !!LogLevel_1 VALUE NUMERIC 1 DEFAULT
        NAME !!LogLevel_2 VALUE NUMERIC 2
        NAME !!LogLevel_3 VALUE NUMERIC 3
      END ITEMLIST
    END PART
  END POLICY

  ; The RedirectURL registry value
  POLICY !!RedirectURL
    EXPLAIN !!RedirectURL_Explain
    PART !!RedirectURLText EDITTEXT EXPANDABLETEXT
      DEFAULT "%PROGRAMFILES%\IE URL Lock\securitywarning.html"
      VALUENAME RedirectURL
    END PART
  END POLICY

  ; The Enabled registry value
  POLICY !!Enabled
    EXPLAIN !!Enabled_Explain
    VALUENAME Enabled
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY

  ; The RestrictWebOnly registry value
  POLICY !!RestrictWebOnly
    EXPLAIN !!RestrictWebOnly_Explain
    VALUENAME RestrictWebOnly
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    PART !!WebProtocols EDITTEXT REQUIRED
      DEFAULT "^(?:http(?:s)?):"
      VALUENAME WebProtocolRegex
    END PART
  END POLICY

  ; Access control settings
  POLICY !!AccessControl
    EXPLAIN !!AccessControl_Explain
    PART !!AccessOrder DROPDOWNLIST REQUIRED
      VALUENAME AccessOrder
      ITEMLIST
        NAME !!AllowDeny VALUE NUMERIC 0 DEFAULT
        NAME !!DenyAllow VALUE NUMERIC 1
      END ITEMLIST
    END PART
  END POLICY

  ; Allow list
  POLICY !!AllowList
    EXPLAIN !!AllowList_Explain
    PART !!AllowListList LISTBOX EXPLICITVALUE
      KEYNAME "Software\Policies\Steven Lawrance\IEURLLock\AllowList"
    END PART
  END POLICY

  ; Deny list
  POLICY !!DenyList
    EXPLAIN !!DenyList_Explain
    PART !!DenyListList LISTBOX EXPLICITVALUE
      KEYNAME "Software\Policies\Steven Lawrance\IEURLLock\DenyList"
    END PART
  END POLICY
END CATEGORY

; User-specific settings
CLASS USER

CATEGORY !!IEURLLock
  KEYNAME "Software\Policies\Steven Lawrance\IEURLLock"
  EXPLAIN !!IEURLLock_Explain

  ; Logging level
  POLICY !!Logging
    EXPLAIN !!LogLevel_Explain
    VALUENAME Logging
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    PART !!LogLevel DROPDOWNLIST REQUIRED
      VALUENAME LogLevel
      ITEMLIST
        NAME !!LogLevel_1 VALUE NUMERIC 1 DEFAULT
        NAME !!LogLevel_2 VALUE NUMERIC 2
        NAME !!LogLevel_3 VALUE NUMERIC 3
      END ITEMLIST
    END PART
  END POLICY

  ; The RedirectURL registry value
  POLICY !!RedirectURL
    EXPLAIN !!RedirectURL_Explain
    PART !!RedirectURLText EDITTEXT EXPANDABLETEXT
      DEFAULT "%PROGRAMFILES%\IE URL Lock\securitywarning.html"
      VALUENAME RedirectURL
    END PART
  END POLICY

  ; The Enabled registry value
  POLICY !!Enabled
    EXPLAIN !!Enabled_Explain
    VALUENAME Enabled
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY

  ; The RestrictWebOnly registry value
  POLICY !!RestrictWebOnly
    EXPLAIN !!RestrictWebOnly_Explain
    VALUENAME RestrictWebOnly
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    PART !!WebProtocols EDITTEXT REQUIRED
      DEFAULT "^(?:http(?:s)?):"
      VALUENAME WebProtocolRegex
    END PART
  END POLICY

  ; Access control settings
  POLICY !!AccessControl
    EXPLAIN !!AccessControl_Explain
    PART !!AccessOrder DROPDOWNLIST REQUIRED
      VALUENAME AccessOrder
      ITEMLIST
        NAME !!AllowDeny VALUE NUMERIC 0 DEFAULT
        NAME !!DenyAllow VALUE NUMERIC 1
      END ITEMLIST
    END PART
  END POLICY

  ; Allow list
  POLICY !!AllowList
    EXPLAIN !!AllowList_Explain
    PART !!AllowListList LISTBOX EXPLICITVALUE
      KEYNAME "Software\Policies\Steven Lawrance\IEURLLock\AllowList"
    END PART
  END POLICY

  ; Deny list
  POLICY !!DenyList
    EXPLAIN !!DenyList_Explain
    PART !!DenyListList LISTBOX EXPLICITVALUE
      KEYNAME "Software\Policies\Steven Lawrance\IEURLLock\DenyList"
    END PART
  END POLICY
END CATEGORY

[Strings]
IEURLLock="IE URL Lock"
IEURLLock_Explain="The Internet Explorer URL Lock Browser Helper Object restricts which locations a user can navigate to within the Windows Explorer and Internet Explorer windows.\n\nActive IE URL Lock instances automatically detect changes to their registry values and will reload their configurations at their next navigation events."
AllowUserOverride="Enable Non-Policy User Configurations"
AllowUserOverride_Explain="When enabled, IE URL Lock will apply the user's IE URL Lock configuration after applying IE URL Lock's local machine and user policies to the running configuration. Note that the user's IE URL Lock configuration lives outside of the policy registry tree and is thus editable by the user by default. As a result, this is disabled by default. The registry key that contains the user's configuration is HKEY_CURRENT_USER\Software\Steven Lawrance\IEURLLock.\n\nWhen disabled, which is the default, the user's IE URL Lock configuration is ignored, permitting IE URL Lock to use only the local machine and user policies for its configuration."
Debug="Debugging"
Debug_Explain="NOTE: This setting is primarily meant as a software development and testing feature. The event log and the logging configuration option should be used for determining which locations are being denied or allowed and why at runtime. The event log has the additional benefit of keeping track of which locations are being denied or allowed and why on a network of active user computers without bothering your users.\n\nIn almost all cases, you don't want to enable this in an Active Directory policy that applies to multiple computers or users. It is primarily meant for temporary use on a local computer.\n\nWhen enabled, IE URL Lock writes its activities and internal states to a console window that appears when IE URL Lock is active.\n\nWhen this setting is enabled, it controls how verbose IE URL Lock will be when it writes messages to the console window or, if in Vista or above, the event log.\n\nEach debugging level includes all messages in that debugging level as well as all messages from the debugging levels that are less than the selected debugging level.\n\nWhen debugging is disabled, which is the default when it is not configured or when the debugging level is zero, IE URL Lock does not create a console window.\n\nSee the source code for which logging level is appropriate for what you are trying to see."
DebugLevel="Debugging Level"
DebugLevel_0="0 No debugging"
DebugLevel_1="1 Errors"
DebugLevel_2="2 Warnings"
DebugLevel_3="3 Important Information"
DebugLevel_4="4 All Information"
DebugLevel_5="5 Minutiae"
Logging="Logging"
LogLevel_Explain="This setting controls which events will get logged to the Windows event log.\n\nBy default, or when this setting is not configured, only errors are logged. It is possible to adjust this to include site blocking and site allowance events. When this setting is disabled, IE URL Lock does not attempt to write to the Windows event log."
LogLevel="Logging Level"
LogLevel_1="Errors Only"
LogLevel_2="Blocked Sites and Errors"
LogLevel_3="Allowed Sites, Blocked Sites, and Errors"
RedirectURL="Access Denial Location"
RedirectURLText="URL, UNC, or File Path"
RedirectURL_Explain="By default, IE URL Lock redirects denied locations to res://webhost.exe/nonavigate.htm. If you want to use a custom access denial location, then specify the URL, UNC, or file path to that location in this setting, which can include environment variables such as %ProgramFiles%. This location will not get blocked by IE URL Lock, nor will access to it be logged.\n\nNote that this path should ideally not redirect to another location unless that location is permitted via the allowed location regular expression list. If you want to set this to the root path on a web server, then you should include the trailing slash or else the default access denial page will appear. This event is logged to the event log along with the location that the original access denial location redirected to. If logging is turned off, this error will appear to the user in a message box.\n\nNote that a blank path is equivalent to the default access denial location."
Enabled="Enable IE URL Lock"
Enabled_Explain="When enabled, which is the default setting when not configured, IE URL Lock blocks or allows locations based on the configuration.\n\nWhen disabled, IE URL Lock does not block any locations."
RestrictWebOnly="Restrict Only Web Locations"
RestrictWebOnly_Explain="When enabled, which is the default when this is not configured, IE URL Lock only blocks locations that begin with http: or https:. As an exception, WebDAV locations are not blocked when opened as a web folder. Once IE URL Lock encounters navigation to a folder-based view, it delays its blocking decision until that navigation's view gets created to ensure the proper operation of the Back button to a folder-based view, which causes the browser to contact remote web servers and begin to download the navigated site before being blocked. Fortunately, the blocking decision takes place before scripts are run, so this behavior should be safe, but is not as safe as blocking the location before contacting the remote server.\n\nIE URL Lock will make its blocking decisions before the browser contacts the remote web server on browser windows that have not shown a folder-based view yet. As an exception, however, if a permitted site redirects to a denied site, then the blocking decision takes place after the web server serving the blocked location gets contacted but before any scripts are run.\n\nWhen this setting is disabled, IE URL Lock will restrict ALL locations, not just http: and https:. This means that locations such as "Control Panel", C:\, \\server\sharename, res:, and the rest will get blocked unless they are permitted through the allowed location regular expression list. No special considerations for folder-based views to accommodate WebDAV are enabled when this setting is disabled, meaning that all blocking decisions, except for the special redirection case mentioned in the previous paragraph, happen once the location is known and before any remote servers are contacted. This option grants IT administrators the greatest level of control and security, though one should note that this does not affect the explorer view within the common file-open and save-as dialog boxes, which do not load browser helper objects (BHOs).\n\nIt's possible to change the regular expression that IE URL Lock uses for determining if a location is a web site by setting the web protocol regular expression. Note that, as mentioned earlier, WebDAV will continue to be allowed even if this regular expression is changed and web-only restrictions are enabled."
AccessControl="Access Control"
AccessControl_Explain="The access control processing order sets which regular expression list has priority over the other and what the default action is. The second list is processed until a match is found. If no match is found in the second list, the first list is processed until a match is found. If no match exists in either list, the action of the second list is used as the default. A match in a list will trigger that list's action. Effectively, a match in the first list can be overridden by a match in the second list (technically, if a match exists in the second list, the first list is not processed).\n\nThe default value is 'Allow, Deny', which denies access to all locations except for those that match a regular expression in the allow list and do not match a regular expression in the deny list. The default applies when this setting is not configured, disabled, or explicitly set to the default value.\n\nTo allow access by default and block access to specific sites, enable this setting and set the access control processing order to process the deny list before the allow list ('Deny, Allow').\n\nNote that this behavior is nearly identical to the effects of the Order directive in the Apache HTTP server, though IE URL Lock stops processing regular expressions in a list once it finds a match in that list. That is, if a URL theoretically matches two regular expressions in the allow list and three in the deny list, only one of the two in the allow list is processed and only one of the three in the deny list is processed, since further expression evaluations in each list once a match is found are unnecessary. The order of the regular expressions within a single list is insignificant -- just as it is in the Apache HTTP server.\n\nAs an example, if you want to allow access to all Microsoft web sites but block access to Microsoft's development network (MSDN), it's possible to set the processing order to 'Allow, Deny' so that access to MSDN can be blocked in the deny list after a catch-all Microsoft rule in the allow list allows all other Microsoft sites."
AccessOrder="Access Control Processing Order"
AllowDeny="Allow, Deny"
DenyAllow="Deny, Allow"
WebProtocols="Web Protocol Regular Expression"
AllowList="Allowed Location Regular Expression List"
AllowList_Explain="Locations that the user navigates to will get checked against the regular expressions in this list. If a location matches a regular expression in this list, then it is marked for being allowed. Note that a location that matches a regular expression in this list can still be blocked if the access control processing order is set to 'Allow, Deny' and the location matches a regular expression in the deny list.\n\nIE URL Lock uses Perl-compatible regular expressions through the PCRE library. More information on this library and how to construct regular expressions exists at http://www.pcre.org/ and http://gnuwin32.sourceforge.net/packages/pcre.htm. Examples of common regular expressions for IE URL Lock exist at https://www.moonlightdesign.org/urllock\n\nFor each regular expression, put a descriptive name into the value name field and the regular expression into the value field.\n\nIf any regular expression compilation errors arise when IE URL Lock loads its configuration, IE URL Lock will log the details to the application event log or, if logging is disabled, display the error message in a message box.\n\nIf your policy editor does not let you edit the regular expressions that you previously added, then, if you want to, open the Registry Editor and browse to HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER and open up Software\Policies\Steven Lawrance\IEURLLock\AllowList to edit previously-added items. Note that this only works on the local machine. When editing policies in an Active Directory, this workaround will not work. If you have user-specific configurations enabled, then you can edit Software\Steven Lawrance\IEURLLock\AllowList in HKEY_CURRENT_USER, which is not managed by policies.\n\nExample:\n Value Name: Microsoft\n Value: ^http(s)?://(www\.)?microsoft\.com(/|$)\n\nCase-Insensitive Example:\n Value Name: Sourceforge.net Project Web Sites\n Value: (?i)^http(s)?://(\w)+\.(sf|sourceforge)\.net(/|$)"
AllowListList="Allowed Location Regular Expression List"
DenyList="Denied Location Regular Expression List"
DenyList_Explain="Locations that the user navigates to will get checked against the regular expressions in this list. If a location matches a regular expression in this list, then it is marked for being blocked. Note that a location that matches a regular expression in this list can still be allowed if the access control processing order is set to 'Deny, Allow' and the location matches a regular expression in the allow list.\n\nIE URL Lock uses Perl-compatible regular expressions through the PCRE library. More information on this library and how to construct regular expressions exists at http://www.pcre.org/ and http://gnuwin32.sourceforge.net/packages/pcre.htm. Examples of common regular expressions for IE URL Lock exist at https://www.moonlightdesign.org/urllock\n\nFor each regular expression, put a descriptive name into the value name field and the regular expression into the value field.\n\nIf any regular expression compilation errors arise when IE URL Lock loads its configuration, IE URL Lock will log the details to the application event log or, if logging is disabled, display the error message in a message box.\n\nIf your policy editor does not let you edit the regular expressions that you previously added, then, if you want to, open the Registry Editor and browse to HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER and open up Software\Policies\Steven Lawrance\IEURLLock\DenyList to edit previously-added items. Note that this only works on the local machine. When editing policies in an Active Directory, this workaround will not work. If you have user-specific configurations enabled, then you can edit Software\Steven Lawrance\IEURLLock\DenyList in HKEY_CURRENT_USER, which is not managed by policies.\n\nExample:\n Value Name: Microsoft\n Value: ^http(s)?://(www\.)?microsoft\.com(/|$)\n\nCase-Insensitive Example:\n Value Name: Sourceforge.net Project Web Sites\n Value: (?i)^http(s)?://(\w)+\.(sf|sourceforge)\.net(/|$)"
DenyListList="Denied Location Regular Expression List"
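
; Added example (not part of the original template or of IE URL Lock's own code): the list-processing order that AccessControl_Explain and RestrictWebOnly_Explain describe, written in Python for checking a rule set before deployment.
; Assumptions: Python's re module stands in for PCRE with unanchored search, the two sample patterns are constructed for the template's Microsoft/MSDN scenario, and the WebDAV, folder-view and RedirectURL exceptions are not modelled.

```python
import re

ALLOW_DENY, DENY_ALLOW = 0, 1              # AccessOrder values from the template
WEB_PROTOCOL_REGEX = r"^(?:http(?:s)?):"   # template default for WebProtocolRegex

# Constructed sample lists: registry value name -> regular expression.
ALLOW_LIST = {"Microsoft (all sites)": r"^http(s)?://([\w-]+\.)*microsoft\.com(/|$)"}
DENY_LIST = {"MSDN": r"^http(s)?://msdn\.microsoft\.com(/|$)"}


def decide(url, allow_list, deny_list, access_order=ALLOW_DENY,
           restrict_web_only=True, web_protocol_regex=WEB_PROTOCOL_REGEX):
    """Return "allow" or "deny" for url under the described processing order."""
    # RestrictWebOnly enabled: only locations matching the web protocol
    # regex are candidates for blocking; everything else is let through.
    if restrict_web_only and not re.search(web_protocol_regex, url):
        return "allow"
    lists = {"allow": allow_list, "deny": deny_list}
    if access_order == ALLOW_DENY:
        first, second = "allow", "deny"
    else:
        first, second = "deny", "allow"
    # The second list is processed first, so a match there wins and the
    # first list is never consulted for that location.
    for action in (second, first):
        if any(re.search(pattern, url) for pattern in lists[action].values()):
            return action
    # No match in either list: the second list's action is the default.
    return second


if __name__ == "__main__":
    for order, label in ((ALLOW_DENY, "Allow, Deny"), (DENY_ALLOW, "Deny, Allow")):
        for url in ("https://www.microsoft.com/windows",
                    "http://msdn.microsoft.com/library",
                    "http://example.com/",
                    "https://microsoft.com.evil.example/"):
            print(f"{label:12} {decide(url, ALLOW_LIST, DENY_LIST, order):5} {url}")
```

; Under 'Deny, Allow' the catch-all allow rule overrides the MSDN deny rule, which is why the template's MSDN scenario needs 'Allow, Deny'.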