| Author | Messages | |
DBITGuy
Posts:12
 | | 03/04/2010 3:11 PM |
| Hello GPO folks,
My name is Dan Bilodeau and I've just subscribed. I have a formal education in Group Policy basics but no real-world experience up until this point. I am exploring the Policy Settings myself. Please bear with me. I have scoured the internet and sifted through your list archive for a definitive answer to this question.
My goal is to harden security on several WinXP Pro SP3 machines running IE7. I would like to particularly modify the Internet and Trusted zones of IE7 through Group Policy. This is where I get confused.
There appear to be two places I can do this: Internet Explorer Maintenance Extension or the Internet Control Panel section under UserConfig\AdminTemps\WinComponents\IE\.
* What are your suggestions and/or preferences when you configure IE zones?
* Is one of these methods 'better' than the other?
It appears both places may do what I'm looking to do... so this fact alone gravitates me towards the Internet Control Panel due to flexibility. I have two colleagues and they need the ability to modify the IE Zone policy if and when the need arises - they have different usernames and different PCs. I understand there is a limitation that wipes the IEK zone settings if opened and modified by another machine. However, if IEK is definitely the bad choice I can live. I am prepared to deploy a background copy of XP and the zone template for ease of access.
Lastly, our initial install of IE7 was the generic, stock build from Windows Update. I'm not sure if that matters. We didn't use IEAK.
Thank you all very much!
- Dan Bilodeau
| | | |
| AndrewMcHale
Posts:0
 | | 03/04/2010 3:31 PM |
| Hi Dan and welcome to the list,
What I've understood from the numerous discussions around locking down IE is that no-one likes using the IE maintenance policy for the exact reason you state. It overwrites all existing zone settings and stops users from adding new settings to the zone, such as trusted sites.
As a result most people choose another method of implementing IE settings.
Below is a quote from one of the resident GP experts on the list (Jamie) which should point you in the right direction:
The best solution, however, is to move all your zone security settings and URL mappings over to the IE Administrative Template settings and stop using IE Maintenance Policy altogether. They can be found under [User|Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page].
For some more detail, read the following:
http://technet.microsoft.com/en-us/library/cc783259(WS.10).aspx
Hope this helps
Andrew
From: Dan Bilodeau [mailto:xxxxxxxxxxxxxxxx] Sent: 04 March 2010 15:10 To: GPO Talk Subject: [gptalk] Internet Control Panel vs. IEAK?
| | | |
| DBITGuy
Posts:12
 | | 03/04/2010 3:38 PM |
| I ought to clarify I have seen http://gpoguy.com/MailList/tabid/58/forumid/1/postid/1417/view/topic/Default.aspx and followed the resources Tim Bolton provided.
Thanks again,
- Dan B.
| | | |
| dmarelia
Posts:394
 | | 03/04/2010 4:41 PM |
| I will concur with Andrew that I usually tell most folks to use Admin Templates when it comes to managing site-to-zone assignment. However, a small correction on what he wrote. Admin Templates takes total control over site assignments - once you start configuring using them, users cannot add their own sites to a given zone. IE Maintenance's method for controlling it does allow users to modify the list, however. In general, there are now three ways to configure IE with Group Policy:
* IE maintenance policy
* Admin Templates
* GP Preferences Internet Settings
Sadly, each of these three provides different capabilities, so that it is almost impossible to fully lock down IE using only one area. Perhaps IE Maintenance comes closest but is also quirky to use and buggy in its implementation. So, if you are just focused on locking down site-to-zone assignments, and don't need users to be able to add to the lists, then Admin Templates is the right choice. If you need that flexibility then you're better off using IE Maintenance Policy. If you do decide to go IEM, one suggestion: enable the policy for all of your machines that forces IEM to refresh its settings during each background refresh cycle, regardless of whether anything has changed. This is found under Computer Config\Admin Templates\System\Group Policy\IE Maintenance Policy Processing.
Darren
| | | |
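A read-only check for the Admin Templates route discussed in the last reply, added here as an example and not part of the original thread: it lists the site-to-zone mappings that policy delivered and flags Trusted Sites entries worth a second look. It assumes the list is stored under the `ZoneMapKey` policy key (value name = site, value data = zone number); the sample entries are constructed and `Get-ZoneMapAudit` is a name chosen for this example.

```powershell
# IE URL security zone numbers.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Assumed policy location for the Admin Templates site-to-zone list
# (value name = site, value data = zone number), per user and per machine.
$PolicyKeys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Get-ZoneMapAudit {
    param([hashtable]$Entries, [string]$Source)
    foreach ($site in ($Entries.Keys | Sort-Object)) {
        if (-not $site) { continue }                 # skip the key's default value
        $zone = -1
        if (-not [int]::TryParse([string]$Entries[$site], [ref]$zone)) { $zone = -1 }
        $notes = @()
        if ($zone -eq 2) {
            # Review heuristics for Trusted Sites entries (this example's own).
            if ($site.Contains('*'))    { $notes += 'wildcard: covers every matching host' }
            if ($site -like 'http://*') { $notes += 'plain http: server identity is not verified' }
        }
        $name = $ZoneNames[$zone]
        if (-not $name) { $name = "unknown ($zone)"; $notes += 'unexpected zone value' }
        New-Object PSObject -Property @{
            Source = $Source; Site = $site; Zone = $name; Notes = ($notes -join '; ')
        } | Select-Object Source, Site, Zone, Notes
    }
}

# Constructed sample so the check can be run without a domain.
$sample = @{
    'https://intranet.example.test' = '1'
    '*.example.test'                = '2'
    'http://partner.example.test'   = '2'
    'downloads.example.test'        = '4'
}
Get-ZoneMapAudit -Entries $sample -Source 'constructed sample' | Format-Table -AutoSize

# On a managed machine, audit what policy actually delivered.
foreach ($key in $PolicyKeys) {
    if (Test-Path $key) {
        $item = Get-Item $key
        $live = @{}
        foreach ($n in $item.GetValueNames()) { $live[$n] = $item.GetValue($n) }
        Get-ZoneMapAudit -Entries $live -Source $key | Format-Table -AutoSize
    }
}
```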