>They want me to block navigating to any URL that is not http protocol. Is there any way to do this other than forcing them to put 'http://' at the beginning of the URL?

Make the HTTP optional, and when you go to navigate to the page, if HTTP wasn't expliclty typed in, add it. THat makes URLs like HTTP://c:\ invlaid.

Also, you can put simple little tricks in to discourage users. For example, if a "\" is detected, you know its not a valid URL since they use "/" and you can cancel navigation. If a "c:" is detected, or any other URLs, same thing.