The most I'd be okay with doing here is filtering for "<scheme>://" in the webbrowser module, and not limiting "scheme" at all except that it must be a valid scheme.

Windows allows apps and programs to extend protocol handling in HKEY_CLASSES_ROOT\PROTOCOLS\Handler and os.startfile() should respect this list, even while some browsers may handle more protocols that are not registered here. So there's really no way to limit the scheme sensibly.

And yeah, anyone can take an arbitrary local or remote path and rewrite it as "file://<computer>/<path>". That's a feature :)

Perhaps we should add a warning to the docs that by default, webbrowser will open a URL with the user's associated program, and while this is generally the desirable behavior, if you want to enforce a particular browser then you should .get() it first?