Help: No parent application checks anymore?

Check the Process Access right of 7z under D+, mine are all set to ask…

OK, I’ve checked it now (though I have currently no internet for the CFP 3 equipped machine). For 7zFM.exe, only “Windows Messages” and “Keyboard” are set to “allow”. All others are set to “ask”, e.g. “run an executable”. I thought that should mean that CFP should ask me if 7z should have the right to execute a program like FF. Despite that I have no internet now, I can of course click on a link in the 7-Zip GUI. This does open Firefox, without any alert. ???

I’ve put this up on the wish list, really hope for a change!

/LA

EDIT: Yes! I’ve found some kind of workaround. For 7zFM.exe, under Process Access Rights / Run an executable, I clicked modify. Here, in the Allow tab, Firefox was present. I removed it, but this only caused D+ to relearn that FF should get access from 7-Zip. Without asking. So instead I put FF on the Block list, and now, 7-Zip has no right to execute Firefox.

This “workaround” is however not as good as getting alerts from D+. To block a parent from starting FF, I would have to add FF on the block list for every application.

LA

I have two entries for 7z in CSP. On the first entry (7zG) everything is set to ask. On the second entry (7zFM) only Windows Messages are allowed, everything else is set to ask.

I’m really not sure why you’re seeing things differently from me. I can repeat this with more or less any application that needs to access the Net via another.

[attachment deleted by admin]

OK, I don’t have 7zG in my list. Speaking of list, “CSP”?

My workaround obviously works, but it’s painful to make those rules for every single application. The best thing would be the other way around; making a Firefox rule “do not allow any application to execute firefox.exe”.

It seems like we won’t really solve this. It makes no sense that CFP doesn’t ask me for permission, when all is set to “Ask”. Or maybe it does make sense, maybe there is a global rule I’ve missed. At least I think it shouldn’t depend on the D+ security level, it is set to Clean PC mode now. Well what do I know, I’m still not sitting by a CFP equipped machine!

Thanks a lot anyway Toggie,

LA

CSP = Computer Security Policy.

I’m using Train with Safe Mode right now, maybe this makes a difference…

I agree, manually changing those rules for each application would be painful, but using Train with Safe Mode or Paranoid Mode should negate that.

My so-called workaround is worthless. Having Firefox as a blocked executable for 7zFM.exe didn’t help (now I’m connected with my CFP 3 computer). Even with Paranoid mode, there is no parent-child control whatsoever. :frowning:

The CFP settings are so many and so advanced, I don’t know if I’m doing something wrong or if it is a bug that the alerts are so few. I guess I’ll have to play a little more with the rules because this is definitely not sufficient.

LA

EDIT: I may have found a new way to get more control. In the Network Security Policy window, under the Application Rules tab, I created a rule that blocks ALL applications. Then I used the hierarchy and put this rule below my allowed apps, like FF, IE, DC++, Google Earth etc. Thanks to this, I do get a Defense+ popup when I try to execute FF from within 7-Zip. Maybe this works like the child-parent control I’m looking for, I’ll have to continue trying this.

A slightly optimistic :slight_smile:

OK everybody, here are two ways to get some parent-child control.

To prevent applications from starting your browser (or any executable):

a) Go to the Defense+ tab / Advanced / Computer Security Policy (CSP).
b) Click Add…, then Select. Choose Filegroups → Executables.
c) Click Access Rights. All may be Ask, except for “Run an executable” which you set to Block. Apply, apply.
d) The rule has been created, scroll down in the list (CSP window). Drag it up, put it below %windir%\explorer.exe

Now, no programs under your new rule may execute another program. Please note, this will cause several of your programs not to work! Photoshop and Illustrator will not work, and maybe OpenOffice.org won’t either since these programs must execute other programs to work.

So a better option may be:

Prevent applications from accessing the internet (but don’t bother to block them with Defense+):

i) Go to the Firewall tab / Advanced / Network Security Policy (NSP).
ii) Only have rules that allow your browser(s), IM client, Google Earth etc…
iii) Click Add…, then Select. Choose Filegroups → All Applications.
iv) Click Use a Predefined Policy, choose Blocked Application. Apply.
v) The rule has been created, you should put it UNDER the rules of ii) otherwise it will block your browser completely.

I hope this is useful for anyone.

/LA

EDIT: Perhaps you can also get a better behavior of CFP, by changing to Paranoid mode and disabling the “Trust of applications”.

Those workarounds aren’t that good :frowning:
I mean, they do work, but the side-effects are quite severe :frowning:

Do you think parent checks will make it back in?

It’s still there. Did you see the pop-ups I posted?

I read the wording carefully on the first and see that if you were using a version of Firefox that Comodo classified as safe, that most likely wouldn’t happen.

No matter what settings I’ve used, I’ve not been able to get the second type of pop-up you got. Even when on paranoid mode and wallbreaker not trusted in either firewall or defense+

I can generate the same alert using fx 2.0.0.9/10 as well as 3b2, which I was using when I created those screen shots. The same is true of IE and Opera…

[attachment deleted by admin]

You’re right, unfortunately. The D+ rule is ■■■■■■ because of the side-effects, and the firewall rule, well I couldn’t get it to work perfectly.

The least ■■■■■■ solution I think, has been to choose paranoid mode, and uncheck the option of trusting vendors (in the same box as the D+ level you chose). This gives me the popups Toggie has posted, but it also makes D+ very noisy. It’s not a convenient way to check the parent-child relationship. :frowning:

LA