- The fact that many users are used to copying/moving files and folders through an Explorer window.
- Its one of the only ways in SharePoint to copy multiple folders at a time into a SharePoint library.
As well, Microsoft has stated that when using claims based authentication with SAML security tokens
that the Windows Explorer view in SharePoint 2010 does not work: http://technet.microsoft.com/en-us/library/hh706161.aspx. It goes
on to say that this feature (and others) do not work because claims based
authentication does not generate a Windows Security Token which is required for
this feature. From my experience in this situation the explorer view
partially works in that it can be accessed but it does not respect ACLs correctly.
As a result, we often recommend to customers that they "turn off" the Windows Explorer view in SharePoint and force users to use the web view. With SharePoint 2013, this option is even more viable because the web view now allows users to drag and drop files from their Windows desktop into the web browser and have those files copied into the SharePoint library. An awesome feature if I may say so!
"Turning off" the Windows Explorer view is a bit of a misnomer though. There is no way, that I can find to completely turn off the Explorer View to SharePoint from the SharePoint server. However there are several methods for preventing end users from accessing these Windows Explorer view. This blog post will describe each of these methods in detail.
Method #1
Administrators can disable access to the Windows Explorer view by modifying the “User Permissions” on the web application. This is done within Central Administration:- Click Manage Web Applications and select your web application
- Click the User Permission button in the ribbon
- Find the “Use Remote Interfaces” permission in the list and uncheck it (this will also automatically uncheck the “Use Client Integration Features” permission as well)
There is a problem with this method though - it also disables all access to open documents in SharePoint from the open dialog in MS Office applications. As well, access from SharePoint Designer and access from all client object model applications will be also be disabled. Please note that the Open Dialog, like the Windows Explorer view also does not fully respect SharePoint permissions. So, this method may or may not work for your environment.
Method #2
I have found that simply removing the “Open in Explorer” button all together from the SharePoint ribbon can be an effective way to prevent access through the Explorer view. There is a good blog post here on how to accomplish this here.[previous link was incorrect - this is now fixed]
This method is effective because you open Windows Explorer on your desktop and paste the URL to a SharePoint library Windows will automatically open a web browser and navigate to the SharePoint web view of the library. It does not actually open in Windows Explorer. This allows the open dialog in Windows to still navigate to a file in a SharePoint library and open it, but prevents users from effectively using the Explorer view.
This method of course may not be fool proof, meaning a malicious user may still find a way around it. However it would cover 95% of cases where end users are simply trying to open documents that they are permitted to access. As well, this method still allows users to open SharePoint documents from the Open dialog in MS Office applications, SharePoint Designer and client object model applications.
Method #3
A third method that is effective and allows you to still maintain client object model access and access through the Microsoft Office open dialog is the following procedure which modifies the permissions required to access the Open in Explorer button. This procedure will result in the “Open in Explorer” button in the SharePoint web interface to still be visible and enabled, but to only be accessible by users that have the “ManageWeb” permission on the site. This would allow you to configure SharePoint to allow site owners to have access to the Windows Explorer interface, but not regular users that only have contribute permissions. Follow these steps to accomplish this:- On the SharePoint 2010 server navigate to the folder \Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\CONTROLTEMPLATES
- Make a copy of the file DefaultTemplates.ascx
- Open DefaultTemplates.ascx in Notepad:
- Search for the following string ID=”OpenInExplorer”
- Below that string change PermissionString=”UseClientIntegration” to PermissionString=”ManageWeb”
- You will find 2 instances of ID=”OpenInExplorer” – you’ll need to make the change in both places
- Save the file and issue an IIS Reset
Method #4
A 4th and probably more extreme method is to in fact disable WebDAV itself on the IIS Web Server. To accomplish this follow these steps:- Click the Windows "Start" button on your Web server, and select "Administrative Tools." Click "Internet Information Services Manager" to open the configuration utility.
- Click the Web server name in the left panel. A list of websites expands. Click the website name you want to edit, and click "Web Services Extensions" in the website directory.
- Right-click the WebDav entry in the list of extensions, and click "Prohibit," then click "OK" to confirm that you want to disable WebDav.
Please note: I have not tested this last method myself so your mileage may be different. Ensure that if you go this route that you fully test the SharePoint server and determine if access to files through other mechanisms (MS Office Open dialog, SharePoint Designer, client object model applications) is also affected. As well, these instructions may vary slightly depending on your version of IIS.
- Antonio