The GPTalk Mailing List

The GPTALK mailing list is where you can send and receive email related to Windows Group Policy. You must subscribe to the list to send and receive mail from the list. The purpose of the list is to provide a forum for asking and answering technical questions related to Group Policy. Any question is fair game as long as it is related to Windows Group Policy.  The Archives for this list can be found on this page.


List Posts

Subject: [gptalk] Old IEM ESC conflicting with new Site-To-Zone Assignments?
Author: DBITGuy
Posts: 12
03/08/2010 12:35 AM
Thank you very much for the help on my last question, Andrew and Darren. I
have one more question related to my last question. Again, I've scoured the
Internet for an answer and I've found nothing. I've spent days trying to fix
this. Days.



I'm getting nowhere with these customized IE7 Security Zones. I've decided
to go with the Internet Control Panel. I've added several sites such as
*.google.com (an example) with a value of 2, to the Site-to-Zone Assignment
List.



If I gpupdate /force on an XP x86 machine and then rsop.msc it, it appears
to have applied. I can view the Site-to-Zone setting and see *.google at 2,
there. However, if I open up IE7 and navigate to Google.com it's still an
internet zone. If I go to the Security settings and View Trusted Sites, the
window is grayed out as intended, however none of my sites are listed!!



I want to believe the following is why my Site-to-Zone policies aren't
working. I cannot think of any other reason:



Another co-worker had attempted to set up Internet zones several years back
with a Group Policy. She created a policy and stuck it on the top level OU
of our organization. She created it from our Windows 2003 Server and used
the Internet Explorer Maintenance extension under Preference Mode. ESC was
enabled when this GPO was created. Due to being at the top-level, default
scope; it tattooed every XP user (and/or computer).



I realize that ESC doesn't affect Windows XP but it appears to have done
something... If I rsop.msc and look at the User Config\Windows Settings\IEM
extension\Security\Security Zones and Content Ratings area, it says "Do not
customize security zones and privacy" like I think it should. Yet, on the next
two tabs of this window (Security Zone Precedence and Content Ratings
Precedence), it shows this ancient ESC policy as <disabled>. Here is a
screenshot of what I mean: http://i45.tinypic.com/30ae1kj.jpg



I've gone through the registry, I've tried disabling this old policy, I've
tried Reset Browser Settings, and I've tried replacing the IEM with a new
IEM from an XP machine and then removing it. I really feel this has
something to do with this zone assignment problem. I haven't flat out
deleted this policy because I'm afraid of the consequences. Maybe the GUID
of this policy is important to these tattooed systems or something. If you
suggest it go, I can delete it.



Has anyone experienced this nightmare and how is it fixed?



I really hope you all can help. Thank you very much.





From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Thursday, March 04, 2010 11:38 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Internet Control Panel vs. IEAK?



I will concur with Andrew that I usually tell most folks to use Admin
Templates when it comes to managing site-to-zone assignment. However, a
small correction on what he wrote. Admin Templates takes total control over
site assignments: once you start configuring using them, users cannot add
their own sites to a given zone. IE Maintenance's method for controlling it
does allow users to modify the list, however. In general, there are now
three ways to configure IE with Group Policy:



- IE maintenance policy
- Admin Templates
- GP Preferences Internet Settings



Sadly each of these three provides different capabilities, so that it is
almost impossible to fully lock down IE using only one area. Perhaps IE
Maintenance comes closest but is also quirky to use and buggy in its
implementation. So, if you are just focused on locking down site to zone
assignments, and don't need users to be able to add to the lists, then Admin
Templates is the right choice. If you need that flexibility then you're
better off using IE Maintenance Policy. If you do decide to go IEM, one
suggestion: enable the policy for all of your machines that forces IEM to
refresh its settings during each background refresh cycle, regardless of
whether anything has changed. This is found under Computer Config\Admin
Templates\System\Group Policy\IE Maintenance Policy Processing.



Darren



From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Andrew McHale
Sent: Thursday, March 04, 2010 7:30 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Internet Control Panel vs. IEAK?



Hi Dan and welcome to the list,



What I've understood from the numerous discussions around locking down IE is
that no-one likes using the IE maintenance policy for the exact reason you
state. It overwrites all existing zone settings and stops users from adding
new settings to the zone, such as trusted sites.



As a result most people choose another method of implementing IE settings.



Below is a quote from one of the resident GP experts on the list (Jamie)
which should point you in the right direction



The best solution, however, is to move all your zone security settings and
URL mappings over to the IE Administrative Template settings and stop using
IE Maintenance Policy altogether. They can be found under [User|Computer
Configuration/Administrative Templates/Windows Components/Internet
Explorer/Internet Control Panel/Security Page].



For some more detail, read the following:



http://technet.microsoft.com/en-us/library/cc783259(WS.10).aspx



Hope this helps



Andrew







From: Dan Bilodeau [mailto:xxxxxxxxxxxxxxxx]
Sent: 04 March 2010 15:10
To: GPO Talk
Subject: [gptalk] Internet Control Panel vs. IEAK?



Hello GPO folks,



My name is Dan Bilodeau and I've just subscribed. I have a formal education
in Group Policy basics but no real-world experience up until this point. I
am exploring the Policy Settings myself. Please bear with me. I have scoured
the internet and sifted through your list archive for a definitive answer to
this question.



My goal is to harden security on several WinXP Pro SP3 machines running IE7.
I would like to particularly modify the Internet and Trusted zones of IE7
through Group Policy. This is where I get confused.



There appears to be two places I can do this: Internet Explorer Maintenance
Extension or the Internet Control Panel section under
UserConfig\AdminTemps\WinComponents\IE\.



- What are your suggestions and/or preferences when you configure IE zones?
- Is one of these methods 'better' than the other?



It appears both places may do what I'm looking to do. So this fact alone
gravitates me towards the Internet Control Panel due to flexibility. I have
two colleagues and they need the ability to modify the IE Zone policy if and
when the need arises; they have different usernames and different PCs. I
understand there is a limitation that wipes the IEK zone settings if opened
and modified by another machine. However, if IEK is definitely the bad
choice I can live. I am prepared to deploy a background copy of XP and the
zone template for ease of access.



Lastly, our initial install of IE7 was the generic, stock build from Windows
Update. I'm not sure if that matters. We didn't use IEAK.



Thank you all very much!



- Dan Bilodeau




Author: DBITGuy
Posts: 12
03/12/2010 2:43 PM
Darren-



Thanks again for the support. While troubleshooting I actually had looked at
the path you mentioned. No such luck. No .ins anywhere. I've found some
traces of this policy's GUID in the registry, but when I delete or modify
them it breaks future gpupdates and RSOPs. I am stumped as to how I can
erase this policy. However, it's no longer a concern to me. My policies are
now doing what I want them to do so I'll just leave this disabled ESC
"ghost" policy for another day.



It turns out my theory was incorrect. The ghost policy wasn't preventing my
Site-To-Zones from applying. The many Site-To-Zone Assignment policies I had
written were 'broken' for some other reason(s). I want to believe they were
broken due to having an IEM config on them at one point in time but I don't
know for sure. I rewrote the policies from scratch and Site-To-Zone
Assignment *is* working.



The ghost policy will lie in wait...



- Dan



From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Monday, March 08, 2010 3:51 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Old IEM ESC conflicting with new Site-To-Zone
Assignments?



Dan-

Since no one has piped, I'll venture a few thoughts. If you look under
%userprofile%\Local Settings\Application Data\Microsoft\Internet
Explorer\Custom Settings, do you see any folders containing *.ins files? If
so, what happens if you move those out of the user's profile, and then
re-logon and try your gpupdate /force again? Does that get rid of the old
settings?



Darren



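As an added example (not code from the thread or from gpoguy.com), the following PowerShell script reads the registry locations behind the two mechanisms discussed in both posts above, the Admin Templates Site to Zone Assignment List and the user's own Internet Options list, and checks for the leftover IE Maintenance *.ins files Darren asks about. The zone numbers and policy key are the documented ones; the XP profile path is assumed from Darren's message, and the function names are this example's own.

```powershell
# Added diagnostic, not code from the thread. Reports the zone mapping that is actually in
# the registry on the client, so "RSOP says applied, but IE disagrees" can be narrowed down.
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-PolicyZoneMap {
    # Admin Templates "Site to Zone Assignment List" writes one REG_SZ per site here:
    # value name = site pattern (e.g. *.google.com), value data = zone number ("2" = Trusted).
    # HKCU holds the User Configuration copy, HKLM the Computer Configuration copy.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($site in $item.GetValueNames()) {
            $zone = [int]$item.GetValue($site)
            [pscustomobject]@{ Source = "$hive policy"; Site = $site; Zone = $zone; ZoneName = $ZoneNames[$zone] }
        }
    }
}

function Get-UserZoneMap {
    # Sites the user added through Internet Options live here instead: one subkey per domain,
    # an optional host subkey beneath it, and a DWORD per scheme (e.g. Domains\google.com\www, http = 2).
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path $root)) { return }
    foreach ($item in Get-ChildItem $root -Recurse) {
        $parts = ($item.PSPath -split '\\Domains\\')[-1] -split '\\'
        [array]::Reverse($parts)              # "google.com\www" -> "www.google.com"
        $fqdn = $parts -join '.'
        foreach ($scheme in $item.GetValueNames()) {
            $zone = [int]$item.GetValue($scheme)
            [pscustomobject]@{ Source = 'user list'; Site = "${scheme}://$fqdn"; Zone = $zone; ZoneName = $ZoneNames[$zone] }
        }
    }
}

function Get-IemCustomSettings {
    # Leftover IE Maintenance output: the per-user Custom Settings folder Darren mentions.
    # Assumes the XP profile layout; on Vista and later the folder sits under %LOCALAPPDATA% instead.
    $dir = Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings'
    if (Test-Path $dir) { Get-ChildItem $dir -Recurse -Filter *.ins -ErrorAction SilentlyContinue }
}

# Policy-driven mappings first, then whatever the user list still holds, then any stray .ins files.
@(Get-PolicyZoneMap) + @(Get-UserZoneMap) | Format-Table Source, Site, Zone, ZoneName -AutoSize
Get-IemCustomSettings | Select-Object FullName, LastWriteTime
```

Run it in the affected user's session after gpupdate /force: an empty policy table alongside an RSOP that claims the setting applied points at the GPO itself, which matches what Dan found when rewriting the policies fixed it.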
Copyright 2009 by GPOGUY.COM