I did another Citrix breakout job just the other day and as per usual found the effectively cosmetic only lockdown provided for by group policy… remember kids: “Group Policy is not a security boundary”.
So I had a bit more of a play about imagining I had less access than I did. Turns out that while file paths and calls were correctly disabled within the address bar of internet explorer, I could quite happily specify them as a link within the favourites bar by modifying a pre-existing favourite and then clicking it.
Clicking the abused favourite link would then pop explorer (or tbh anything you like, its effectively a .lnk at this point).
Not world-destroying by any means but yet another method of breakout worth considering. Not sure why i’ve not used this before now but meh, its one to remember for next time 🙂