Web Site Whitelisting in Microsoft Internet Explorer

This article describes how to design and deploy a makeshift "whitelist" in Microsoft Internet Explorer (IE). A whitelist is a list of approved web sites. By using this technique, IE will be restricted from accessing web sites that are not explicitly on the whitelist.

Whitelisting in IE using a proxy auto-configuration (PAC) file

IE does not support whitelisting as a primary feature. However, it is possible to create a makeshift whitelist using a proxy auto-configuration (PAC) file. By specifying a "dummy" proxy server using the local loopback address, IE will attempt, and fail, to access any web sites that are not explicitly added as exceptions to bypass the proxy server.

Consider the following example contents of a PAC file:

function FindProxyForURL(url, host) {

// Bypass the proxy for *.berkeley.edu

if (dnsDomainIs(host, ".berkeley.edu")) {

return "DIRECT";

}

return "PROXY http://127.0.0.1:18080";

} // End of function

 

The above file instructs IE to bypass the proxy and connect directly to any web site ending with the berkeley.edu domain. Requests for all other web sites will use the dummy loopback proxy server address 127.0.0.1:18080. These requests will fail because there is no proxy server listening at that address.

IT Security recommends using at a minimum the above example when utilizing a PAC file to restrict IE with Java enabled to campus web sites. 

You may use other PAC file functions to tailor the PAC file to your environment. For instance, if IE and out-of-date Java are needed to access a single web site for every day business, then you may want to bypass the proxy for just that single site and not all sites ending in the berkeley.edu domain as shown above.

An excellent resource for designing PAC files is The Practical Proxy PAC File Guide.

Configuring IE to use a PAC file

The following instructions apply to Internet Explorer 8, 9, and 10. 

  1. Download the *.berkeley.edu proxy.pac file here (right-click and Save Target As -- then rename so the file has a .pac extension) to your computer and note the folder location.

    Alternatively, you may copy and paste the sample Javascript code in the previous section into Notepad and save the file with a .pac extension. Note: Other editors such as Microsoft Word may insert special characters that break the formatting of the PAC file. 
  2. In Internet Explorer, navigate to the Tools menu, then click Internet Options. This can sometimes be found by clicking the "cog" icon in the upper right hand corner of some versions of IE.
  3. Click the Connections tab, then click LAN Settings
  4. In LAN Settings, make sure Automatically detect settings is unchecked.
  5. Click the Use automatic configuration script checkbox so that it is checked.
  6. In the Address field, specify the location where you saved the proxy.pac file on your system in step #1. The Address field accepts URLs and the file:// URL should be used for a local file. So for example if you saved proxy.pac to C:\Windows\proxy.pac, you would enter this into the Address field:

    file://C:/Windows/proxy.pac

    Note the usage of forward slashes instead of back slashes.
  7. Restart Internet Explorer for changes to take effect.
  8. Notice that IE will correctly load all berkeley.edu web sites by directly connecting to them, but that accessing other sites will cause IE to fail to connect and issue a Proxy Server is Refusing Connections error. Remember, this is because IE is attempting to use the dummy proxy server of 127.0.0.1:18080 to connect to web sites not on the berkeley.edu domain. Please see the Caveats section below for other considerations when using a PAC file.

Configuring a group of Windows hosts to use a PAC file

System Administrators wishing to simplify management of PAC files may host one on a web server and point all client Windows machines to the PAC file (e.g. http://mydepartmental.berkeley.edu/proxy.pac) in the Address field. This Automatic configuration script Address field can also be set and locked via Group Policy Objects (GPOs).

Caveats when using IE's automatic configuration script setting

Please take the following notes into consideration when configuring IE to use a PAC file:

  • Any Windows application that defaults to using the "system proxy" will also inherit the PAC file settings set in IE. A good example of this is Google Chrome -- if IE is set to use a PAC file, Chrome will also use the PAC file. Other applications such as Mozilla Firefox have their own set of proxy configuration settings and do not use the system proxy. If you notice that an application requiring network access suddenly stops working after configuring IE to use a PAC file, check the application's documentation to see if it defaults to using the system proxy.
  • Windows Update / Automatic Updates will not be affected by PAC file settings unless you use IE to visit the Windows Update web site and attempt to update via the web. See How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site for details.
  • Remotely included content on whitelisted web sites in the PAC file will not load unless the remote web sites are also on the whitelist. For example, using the above PAC file for berkeley.edu web sites, a remotely included JavaScript library from Google (e.g. //ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js) will not load, because IE will attempt to use the dummy proxy server to retrieve that resource. In this example, ajax.googleapis.com must be added to the whitelist of sites set to bypass the dummy proxy server.

A warning about IE Content Advisor & Parental Controls 

Users may be tempted to use the Content Advisor and Parental Controls features of IE in order to restrict web access. This practice is not safe for the avoidance of malware and other security threats such as Java exploits, because Content Advisor and Parental Controls load all web sites entered in the address bar of IE into a hidden frame before checking access to the web site is allowed. This means that IE will still silently connect to web sites that you have intended to restrict access to.

IT Security recommends that you do not use the Content Advisor and Parental Control features of IE as a whitelisting security mechanism.

Download Example proxy.pac File

You can download an example proxy.pac file here:

Note: You'll need to rename the file so that the file extension is .pac (e.g. "mv proxy.pac_.txt proxy.pac").