Author: dmarelia (Posts: 394)
Date: 03/08/2010 8:52 PM
Dan- Since no one has piped up, I'll venture a few thoughts. If you look under %userprofile%\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings, do you see any folders containing *.ins files? If so, what happens if you move those out of the user's profile, and then re-logon and try your gpupdate /force again? Does that get rid of the old settings?
Darren
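The following PowerShell script is an added diagnostic and is not code from this thread or from any of its participants. It gathers, in one pass, the facts Darren asks about (leftover *.ins custom settings under the XP profile path he names) and the facts behind Dan's symptom (the Site-to-Zone Assignment List showing as applied in rsop.msc while IE still treats the site as Internet zone). It assumes the standard IE registry locations: the Site-to-Zone Assignment List policy writes site=zone pairs under `...\Policies\...\Internet Settings\ZoneMapKey`, IE consults the per-domain tree under `...\Internet Settings\ZoneMap\Domains`, and the `Security_HKLM_only` value implements the "Security Zones: Use only machine settings" policy. Run it in the affected user's session after `gpupdate /force`.

```powershell
# Added diagnostic, not code from the thread. Run as the affected user after
# gpupdate /force. Prints (1) what the Site-to-Zone Assignment List wrote,
# (2) the ZoneMap\Domains tree IE actually consults, (3) whether "use only
# machine settings" is making IE ignore HKCU, and (4) leftover IEM *.ins files.

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Site-to-Zone Assignment List writes one value per site here (user or computer policy).
$policyListPaths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
# Per-domain zone map IE reads; a Policies copy takes precedence over the plain copy.
$zoneMapPaths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
# The XP profile location Darren names for leftover IE Maintenance custom settings.
$insRoot = Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings'

function Get-SiteToZonePolicy {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return }
    $key = Get-Item $Path
    foreach ($site in $key.GetValueNames()) {
        $zone = [int]$key.GetValue($site)          # REG_SZ "2" -> 2
        New-Object PSObject -Property @{
            Source = $Path; Site = $site; Zone = $zone; ZoneName = $zoneNames[$zone]
        }
    }
}

function Get-ZoneMapEntries {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return }
    # Each subkey is a domain (optionally with a host subkey beneath it); each value
    # is a scheme (http, https, *) whose DWORD data is the zone number.
    Get-ChildItem $Path -Recurse | ForEach-Object {
        $key = $_
        $entry = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            New-Object PSObject -Property @{
                Source = $Path; Entry = $entry; Scheme = $scheme; Zone = $zone; ZoneName = $zoneNames[$zone]
            }
        }
    }
}

function Get-LeftoverInsFiles {
    param([string]$Root)
    if (-not (Test-Path $Root)) { return }
    Get-ChildItem $Root -Recurse -Filter '*.ins' | Select-Object FullName, LastWriteTime
}

Write-Host "`n== Site-to-Zone Assignment List (what the GPO wrote) =="
$policyListPaths | ForEach-Object { Get-SiteToZonePolicy $_ } |
    Format-Table Site, Zone, ZoneName, Source -AutoSize

Write-Host "`n== ZoneMap\Domains (what IE consults) =="
$zoneMapPaths | ForEach-Object { Get-ZoneMapEntries $_ } |
    Format-Table Entry, Scheme, Zone, ZoneName, Source -AutoSize

Write-Host "`n== 'Security Zones: Use only machine settings' =="
$hklmOnly = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' `
    -Name Security_HKLM_only -ErrorAction SilentlyContinue
if ($hklmOnly -and $hklmOnly.Security_HKLM_only -eq 1) {
    Write-Host 'Security_HKLM_only = 1: per-user (HKCU) zone entries are ignored; only HKLM entries count.'
} else {
    Write-Host 'Not set: per-user zone entries apply.'
}

Write-Host "`n== Leftover IE Maintenance custom settings (*.ins) =="
$ins = Get-LeftoverInsFiles $insRoot
if ($ins) { $ins | Format-Table -AutoSize } else { Write-Host "None found under $insRoot" }
```

Reading the two registry tables side by side is the useful part: a site present in ZoneMapKey but absent from ZoneMap\Domains means the policy was delivered but not translated into the map IE reads, while a site present in both yet still rendering as Internet zone points at something overriding the per-user map (the HKLM-only setting, or the stale IEM settings the thread is chasing).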
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Dan Bilodeau
Sent: Sunday, March 07, 2010 4:24 PM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Old IEM ESC conflicting with new Site-To-Zone Assignments?
Thank you very much for the help on my last question, Andrew and Darren. I have one more question related to my last question. Again, I've scoured the Internet for an answer and I've found nothing... I've spent days trying to fix this. Days...
I'm getting nowhere with these customized IE7 Security Zones. I've decided to go with the Internet Control Panel. I've added several sites such as *.google.com (an example) with a value of 2, to the Site-to-Zone Assignment List.
If I gpupdate /force on an XP x86 machine and then rsop.msc it, it appears to have applied. I can view the Site-to-Zone setting and see *.google at 2, there. However, if I open up IE7 and navigate to Google.com it's still an internet zone. If I go to the Security settings and View Trusted Sites, the window is grayed out as intended, however none of my sites are listed!!
I want to believe the following is why my Site-to-Zone policies aren't working. I cannot think of any other reason:
Another co-worker had attempted to set up Internet zones several years back with a Group Policy. She created a policy and stuck it on the top-level OU of our organization. She created it from our Windows 2003 Server and used the Internet Explorer Maintenance extension under Preference Mode. ESC was enabled when this GPO was created. Due to being at the top level with default scope, it tattooed every XP user (and/or computer).
I realize that ESC doesn't affect Windows XP but it appears to have done something... If I rsop.msc and look at the User Config\Windows Settings\IEM extension\Security\Security Zones and Content Ratings area, it says "Do not customize security zones and privacy" like I think it should. Yet, on the next two tabs of this window (Security Zone Precedence and Content Ratings Precedence), it shows this ancient ESC policy as <disabled>... Here is a screenshot of what I mean: http://i45.tinypic.com/30ae1kj.jpg
I've gone through the registry, I've tried disabling this old policy, I've tried Reset Browser Settings, and I've tried replacing the IEM with a new IEM from an XP machine and then removing it. I really feel this has something to do with this zone assignment problem... I haven't flat out deleted this policy because I'm afraid of the consequences... maybe the GUID of this policy is important to these tattooed systems or something. If you suggest it go, I can delete it.
Has anyone experienced this nightmare and how is it fixed?
I really hope you all can help. Thank you very much.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Thursday, March 04, 2010 11:38 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Internet Control Panel vs. IEAK?
I will concur with Andrew that I usually tell most folks to use Admin Templates when it comes to managing site-to-zone assignment. However, a small correction on what he wrote. Admin Templates takes total control over site assignments-once you start configuring using them, users cannot add their own sites to a given zone. IE Maintenance's method for controlling it does allow users to modify the list, however. In general, there are now three ways to configure IE with Group Policy:
* IE Maintenance policy
* Admin Templates
* GP Preferences Internet Settings
Sadly each of these three provides different capabilities, so that it is almost impossible to fully lock down IE using only one area. Perhaps IE Maintenance comes closest but is also quirky to use and buggy in its implementation. So, if you are just focused on locking down site-to-zone assignments, and don't need users to be able to add to the lists, then Admin Templates is the right choice. If you need that flexibility then you're better off using IE Maintenance Policy. If you do decide to go IEM, one suggestion. Enable the policy for all of your machines that forces IEM to refresh its settings during each background refresh cycle, regardless of whether anything has changed. This is found under Computer Config\Admin Templates\System\Group Policy\IE Maintenance Policy Processing.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Andrew McHale
Sent: Thursday, March 04, 2010 7:30 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Internet Control Panel vs. IEAK?
Hi Dan and welcome to the list,
What I've understood from the numerous discussions around locking down IE is that no-one likes using the IE maintenance policy for the exact reason you state. It overwrites all existing zone settings and stops users from adding new settings to the zone, such as trusted sites.
As a result most people choose another method of implementing IE settings.
Below is a quote from one of the resident GP experts on the list (Jamie) which should point you in the right direction:
The best solution, however, is to move all your zone security settings and URL mappings over to the IE Administrative Template settings and stop using IE Maintenance Policy altogether. They can be found under [User|Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page].
For some more detail, read the following:
http://technet.microsoft.com/en-us/library/cc783259(WS.10).aspx
Hope this helps
Andrew
From: Dan Bilodeau [mailto:xxxxxxxxxxxxxxxx]
Sent: 04 March 2010 15:10
To: GPO Talk
Subject: [gptalk] Internet Control Panel vs. IEAK?
Hello GPO folks,
My name is Dan Bilodeau and I've just subscribed. I have a formal education in Group Policy basics but no real-world experience up until this point. I am exploring the Policy Settings myself. Please bear with me. I have scoured the internet and sifted through your list archive for a definitive answer to this question.
My goal is to harden security on several WinXP Pro SP3 machines running IE7. I would like to particularly modify the Internet and Trusted zones of IE7 through Group Policy. This is where I get confused.
There appear to be two places I can do this: the Internet Explorer Maintenance Extension or the Internet Control Panel section under UserConfig\AdminTemps\WinComponents\IE\.
* What are your suggestions and/or preferences when you configure IE zones?
* Is one of these methods 'better' than the other?
It appears both places may do what I'm looking to do... so this fact alone gravitates me towards the Internet Control Panel due to flexibility. I have two colleagues and they need the ability to modify the IE Zone policy if and when the need arises-they have different usernames and different PCs. I understand there is a limitation that wipes the IEK zone settings if opened and modified by another machine. However, if IEK is definitely the bad choice I can live. I am prepared to deploy a background copy of XP and the zone template for ease of access.
Lastly, our initial install of IE7 was the generic, stock build from Windows Update. I'm not sure if that matters. We didn't use IEAK.
Thank you all very much!
- Dan Bilodeau