Disabling Safari Browser Via Group Policy






Due to the implementation of a proxy server a while back, we had to lock down a previously open environment in order to ensure all users’ web traffic was forced through the proxy server. This presented a problem of its own: controlling Safari & its proxy settings through Group Policy. Chrome, Firefox and IE are all relatively simple, but for love nor money I wasn’t able to find a way of group policying Safari. My next option was to disable Safari browser via group policy.

As the fleet of computers are Windows 7 Professional, I wasn’t able to use AppLocker… Initially, blocking Safari.exe from running on a machine via a Software Restriction Policy works – you get a denied message when trying to launch the application. However, renaming the exe to Safari1.exe circumvents this control instantly.

Then I noticed that when you launch Safari, a second process spawns called WebKit2WebProcess.exe. I tried renaming this .exe and suddenly Safari stopped communicating with the internet. Now it loads Safari, and just refuses to do anything from therein.

Blocking WebKit2WebProcess.exe at the Group Policy level is simple: add a disallow to the C:\Program Files\Common Files\Apple\Apple Application Support directory, via:

User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules

Adding in a New Path Rule, disallowing access to C:\Program Files\Common Files\Apple\Apple Application Support

EDIT – Having found a couple of users running Safari recently, I discovered that newer versions of the application have moved this file to C:\Program Files\Safari\Apple Application Support
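Since the helper's location differs between Safari versions, the following PowerShell audit (an added example, not part of the original post) reports which of the two directories above exist on a machine, whether WebKit2WebProcess.exe is present in them, and whether that process is running even though Safari.exe may have been renamed. The function names are hypothetical, and checking the Program Files (x86) root is an assumption for 64-bit Windows installs.

```powershell
# Added example: audit a workstation for the Safari helper process that the
# path rule is meant to block. Written to run on PowerShell 2.0 (Windows 7).
$helperName = 'WebKit2WebProcess.exe'

# Relative locations taken from the post (older and newer Safari versions).
$relativeDirs = @(
    'Common Files\Apple\Apple Application Support',
    'Safari\Apple Application Support'
)

# Roots to check. The (x86) root is an assumption for 64-bit Windows.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

function Get-SafariHelperLocation {
    # One row per candidate directory, so the missing path rule is obvious.
    foreach ($root in $roots) {
        foreach ($rel in $relativeDirs) {
            $dir = Join-Path $root $rel
            New-Object PSObject -Property @{
                Directory     = $dir
                DirExists     = Test-Path -LiteralPath $dir
                HelperPresent = Test-Path -LiteralPath (Join-Path $dir $helperName)
            }
        }
    }
}

function Get-SafariHelperProcess {
    # Process names omit the .exe extension. Matching on the helper rather
    # than Safari.exe still finds Safari when its main exe has been renamed.
    $name = [IO.Path]::GetFileNameWithoutExtension($helperName)
    Get-Process -Name $name -ErrorAction SilentlyContinue |
        Select-Object Id, Name, Path
}

Get-SafariHelperLocation |
    Format-Table Directory, DirExists, HelperPresent -AutoSize

$running = @(Get-SafariHelperProcess)
if ($running.Count -gt 0) {
    Write-Warning 'WebKit2WebProcess is running; no path rule is blocking this install.'
    $running | Format-Table -AutoSize
} else {
    'No WebKit2WebProcess process is running.'
}
```

Any directory reported with HelperPresent set to True needs its own disallowed path rule; the Path column of a running process shows which location was missed.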





