How do I lock Internet Explorer Security Settings across users?


36 Posts
Joined 2001-05-31
Hi.
 
On my pc I have several user accounts (user privileges only) in addition to an Administrator account.
 
I maintain a list of Restricted Sites, Blocked Cookies, Blocked ActiveX controls etc. (via Spybot Immunise, Spyware blaster, and some manual additions)
 
If I update the lists on the Administrator account, how do I get WinXP to automatically propagate those restrictions to all of the user accounts?
 
Also how can I lock the security settings page, so users can not lower security settings, or alter cookie handling, or active x controls etc?
 
 
 
I know this can be done, as most big businesses use this kind of approach, I just can't figure it out.
 
Many Thanks
 
 
Kind Regards
 
Chris


Responses to this topic


352 Posts
Joined 2003-03-28
To lock the security tab, simply add the following dword in the registry.
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
Add reg_dword = SecurityTab dword = 1
 
For more info, see http://www.jsiinc.com/subk/tip5100/rh5165.htm
 
To automatically propagate these security settings, you might need to create a logon (login) script.
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
 
Also, this link is helpful: http://www.jsiinc.com/subk/tip5100/rh5130.htm

352 Posts
Joined 2003-03-28
Yes, group policy is a good thing to use. Though, be careful with the group policies... It can be a royal pain setting them up perfectly.

36 Posts
Joined 2001-05-31
OP
thanks guys,
 
I'm very new to this aspect of winxp
 
The IEAK seems not to be good for other users on the same computer, I only have 1 computer running winXP not a network or domains or anything.
 
I've been looking at the GPedit.
 
In Administrative templates, win comp, Internet explorer "use only machine settings to enabled" which should keep a standard set of settings amongst all users, however if I change them on the administrator account they do not propagate to the other limited accounts.
 
I have set "security Zones: Do not allow users to change policy" to enabled, however that also locks the administrator account from making amendments!
 
Any more suggestions?
 
 
Thanks
 
Chris

352 Posts
Joined 2003-03-28
Let me think. It's been about 4 years since I last ran a multiple domain NT network.
 
I'd say, create a group, restrict that group within the GPedit. Assign your users to said group.
 
Propagation may take some doing. I'm sure there is an easier way to do this, but since I've been outta the loop, I'll tell you the hard way. After setting whatever permissions/restrictions that group has, create a logon script with checks, that updates the security zones and whatnot.
 
Hmmm, maybe this doesn't exactly answer your question. Hope it gives some ideas....

36 Posts
Joined 2001-05-31
OP
I can create a group in user accounts, but I can't get GPedit to apply settings just to one group. Just to either all the users, or the whole machine.
 
Seeing as I am only running 1 machine (not connected to any network or domain, those two configurations have the same effect).
 
aarrgh

352 Posts
Joined 2003-03-28
Is this XP home or Pro....
 
You know, maybe you can't do this on pro, by itself. Might need server to establish this properly. I need to think more on this....

36 Posts
Joined 2001-05-31
OP
thanks Theefool. It's winxp pro.
 
Update
This is what I have found so far.
 
If I add a site to the restricted site list in IE, it creates it in this registry key.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
 
This only adds it to the restricted site list for the user who is logged in at the time.
 
To add it globally, you have to manually add it to the registry - here!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
 
Note the only difference in the key is CURRENT_USER to LOCAL_MACHINE.
 
However, this will not make ANY difference to each user's restricted sites list until you set 'SECURITY ZONES: Use only machine settings' to 'ENABLED'. You can do this through GPEDIT (I haven't discovered the registry key for this yet).
 
If you don't enable the above option then the Local Machine entries are ignored, and it won't have any effect on the restricted lists.
 
 
So using Spybot, and spyware blaster to maintain the restricted lists, only updates the current user, so to use those programs to maintain the restricted site lists for the other users on my PC, (which is the whole point) I have to do the following.
Make sure the 'Use only machine settings' is 'enabled' in GPedit
Run Spybot/Spyware blaster
Open registry, export HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ to a text file.
edit the text file replacing HKEY_CURRENT_USER with HKEY_LOCAL_MACHINE
rename the text file so it ends in .reg. Then run it, and it'll add it to the registry.
 
a bit long winded but it seems to work. Now I need to figure out how to write a script or something to do that automatically. (I have no idea how to write scripts)
 
 
I have also discovered a conflict when using such programs to maintain these lists. When using domain names everything seems to work hunky-dory, however the range key (IP ADDRESSES) is also updated:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges
 
Now, unlike the Domains key, where the subkeys are the names of the websites, the list of IP addresses is different. Inside the Ranges key, subkeys are numbered 1, 2, 3, 4, 5 etc., with the IP address stored as a value, not a key. Therefore the ranges installed by one such utility work great, but when overwritten by another, it will replace the keys 1, 2, 3, 4, 5, 6 with its own ones storing different IP addresses.
This does not happen with the domains, as the domain or website name itself is the key name, so they don't get removed accidentally.
 
I think this is just a limitation of the os.
 
I have spent ALL day on this so far, and do not have anymore time to try and find a work around for this issue today.
 
If anyone knows an easier way of spreading the restricted list through all users on the machine, then please let me know.
Also if anyone knows how to automate the above process (perhaps by way of script), then I'd really appreciate it .
 
 
Kind regards
 
Chris
 
(Now I have to learn how to do the same, with the privacy settings - ALL SUGGESTIONS NEEDED AND MOST WELCOME)


1019 Posts
Joined 2004-12-21
One 'cleaner' method to export a specific registry key is:

regedit /e "z:\my_reg_file.reg" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"

This will export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ registry path to "z:\my_reg_file.reg".
 
<edit>

Quote:...
a bit long winded but it seems to work. Now I need to figure out how to write a script or something to do that automatically. (I have no idea how to write scripts)
...

You could try to use Windows Script Host (WSH), as it is built-in to Windows. You need to know something about visual basic, though...
</edit>
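
The export, hive swap and re-import steps described in the thread, together with the Ranges numbering clash, can be scripted as in this added example (not code from any poster), written in Python rather than the WSH suggested above. The function names are hypothetical, and it assumes the export uses `[key]` header lines and that range subkeys are named `RangeN` with a `":Range"` value.

```python
import re

HKCU, HKLM = "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"
ZONEMAP = r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
RANGE_KEY = re.compile(r"\\Ranges\\Range\d+$", re.IGNORECASE)  # assumed RangeN naming

def parse_reg(text):
    """Map each [key] header in .reg text to its list of value lines."""
    keys, current = {}, None
    for line in map(str.rstrip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], [])
        elif line and current is not None:
            current.append(line)
    return keys

def range_spec(values):
    """Return the lower-cased ':Range' line of a RangeN key, or None."""
    return next((v.lower() for v in values if v.lower().startswith('":range"=')), None)

def promote_to_machine(user_reg, machine_reg=""):
    """Build .reg text that merges an HKCU ZoneMap export into HKLM."""
    machine = {k.lower(): range_spec(v) for k, v in parse_reg(machine_reg).items()
               if RANGE_KEY.search(k)}
    out, n = ["Windows Registry Editor Version 5.00", ""], 1
    for key, values in parse_reg(user_reg).items():
        if not (key + "\\").lower().startswith((HKCU + ZONEMAP + "\\").lower()):
            continue  # copy nothing from outside the ZoneMap subtree
        target = HKLM + key[len(HKCU):]  # swap the hive in the key header only
        if RANGE_KEY.search(key):
            spec = range_spec(values)
            if spec is None or spec in machine.values():
                continue  # malformed, or this range is already machine-wide
            while f"{HKLM}{ZONEMAP}\\Ranges\\Range{n}".lower() in machine:
                n += 1  # skip slots another tool already wrote
            target = f"{HKLM}{ZONEMAP}\\Ranges\\Range{n}"
            machine[target.lower()] = spec
        out += [f"[{target}]", *values, ""]
    return "\r\n".join(out)

# Constructed sample export: example domain, documentation IP, zone 4 = Restricted sites.
USER = rf'''[{HKCU}{ZONEMAP}\Domains\example.net]
"*"=dword:00000004
[{HKCU}{ZONEMAP}\Ranges\Range1]
":Range"="192.0.2.10"
"*"=dword:00000004'''

if __name__ == "__main__":
    print(promote_to_machine(USER))
```

Export both hives with `regedit /e`, read the files with `encoding="utf-16"`, and pass the HKLM export as `machine_reg` so existing range slots are kept. The HKLM entries only take effect with 'Use only machine settings' enabled, as noted in the thread.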