Sign in with
Sign up | Sign in
Your question

Help Overriding Group Policy IE Settings

Last response: in Windows 2000/NT
Share
Anonymous
February 17, 2005 3:24:40 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

My company has recently adopted a "one size fits all" group policy
regarding IE settings. I however, belong to a very small group of
DBA's and Unix Admins who use our own proxy server. At least, that's
the way it USED to work.

Two weeks ago the group policy was implemented with refreshes scheduled
every 10 mins. I've taken the issue through the appropriate channels
but we've been told we're on our own. We are free to do whatever we
want but THEY are not going to administer a separate group policy for
us. Teamwork at it's best.

So every 10 mins our proxy settings get reset and we have to manually
set them back. Also it seems to be resetting the warning message that
IE gives the first time you send unencrypted data through a form.
(like a google search) So even though I click the box that says never
show this message again, it keeps popping up.

Now, I'm a DBA so I don't really know anything about this stuff. Can
someone suggest a way to lock down the particular registry keys that
are being reset or otherwise block the group policy refreshes from
taking place?

And yes I do use Firefox occasionally but it seems to give me problems
on certain internal sites so I would rather use IE than have to switch
back and forth between them.

Thanks in advance for whatever help you can provide!
Anonymous
February 18, 2005 8:33:30 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

We have been told we can do whatever we want but they will not make any
administrative changes to support us. They are simply not interested
in "making it work" for us. It is only because we are all "I.S." that
we are allowed to do what we want on the client side.
Anonymous
February 18, 2005 10:46:05 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Kael_Sidhe@yahoo.com said

> We have been told we can do whatever we want but they will not make any
> administrative changes to support us. They are simply not interested
> in "making it work" for us. It is only because we are all "I.S." that
> we are allowed to do what we want on the client side.
>

You can set your settings to what you want them to be, then quickly run
regedit (before the next refresh) and export the settings you want to a .reg
file.
Then set a scheduled task to run every 30 seconds that calls regedit /s with
your reg file as an argument to import the settings back in again.

--

Andy.
Related resources
Anonymous
February 18, 2005 12:04:35 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi

My suggestion would be to request that you and your machine be moved to an
OU that is not subject to the GPO. Once this is done, you'll be free to do
as you like and they won't have to implement further administration.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

<Kael_Sidhe@yahoo.com> wrote in message
news:1108671880.229388.84700@f14g2000cwb.googlegroups.com...
> My company has recently adopted a "one size fits all" group policy
> regarding IE settings. I however, belong to a very small group of
> DBA's and Unix Admins who use our own proxy server. At least, that's
> the way it USED to work.
>
> Two weeks ago the group policy was implemented with refreshes scheduled
> every 10 mins. I've taken the issue through the appropriate channels
> but we've been told we're on our own. We are free to do whatever we
> want but THEY are not going to administer a separate group policy for
> us. Teamwork at it's best.
>
> So every 10 mins our proxy settings get reset and we have to manually
> set them back. Also it seems to be resetting the warning message that
> IE gives the first time you send unencrypted data through a form.
> (like a google search) So even though I click the box that says never
> show this message again, it keeps popping up.
>
> Now, I'm a DBA so I don't really know anything about this stuff. Can
> someone suggest a way to lock down the particular registry keys that
> are being reset or otherwise block the group policy refreshes from
> taking place?
>
> And yes I do use Firefox occasionally but it seems to give me problems
> on certain internal sites so I would rather use IE than have to switch
> back and forth between them.
>
> Thanks in advance for whatever help you can provide!
>
Anonymous
February 21, 2005 3:36:33 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hmm, that might just do the trick. Is there any way to actually deny
access to the affected registry values? I've done that before but that
was denying user SYSTEM from making certain changes as executed from
the WINLOGON process. It worked great but I'm not sure how to
accomplish the same thing here. Winlogon was executing as user SYSTEM
and I suspect that is not the case here. Also I found the registry key
and there is a bunch of other stuff in that branch. Even if it is
possible to deny access to the process or service that is making the
change, I don't know what would happen if I locked down that entire
branch.

Thanks again!
Anonymous
March 5, 2005 12:18:14 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Kael_Sidhe@yahoo.com said

> Hmm, that might just do the trick. Is there any way to actually deny
> access to the affected registry values? I've done that before but that
> was denying user SYSTEM from making certain changes as executed from
> the WINLOGON process. It worked great but I'm not sure how to
> accomplish the same thing here. Winlogon was executing as user SYSTEM
> and I suspect that is not the case here. Also I found the registry key
> and there is a bunch of other stuff in that branch. Even if it is
> possible to deny access to the process or service that is making the
> change, I don't know what would happen if I locked down that entire
> branch.
>

The other way you could do it is to write a small DLL that loads at startup
and hooks all calls to the registry API's. If the parameters indicate the
calls are making changes to proxy settings return 0 and drop the call. Any
other calls can be passed to windows as normal.

--

Andy.
!