Securing with Group Policy

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

I have my GP set to disable downloads from IE for the
general internet users. It works great. I have another
that allows members of a certain group download rights. It
doesn't work. When I view the policy, everything appears
to be OK. I have had to open the Security tab for those
users and let them set download rights themselves.
Obviously not the best way of doing it. I set the
downloads under Windows Settings/IE Maint/Security
Zones/Internet: Custom. Is this the wrong place to set it?

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

First thing is to make sure that the user is under the scope on influence of
the Group Policy. In other words if you create an OU with a GPO with user
configuration, the user accounts must reside in that OU or possibly a child
OU. Use the support tool gpresult to see what Group Policies for user
configuration are being applied to a user and the last time the policy was
applied. You can use the /v switch for more detailed info. If you have an XP
computer in the domain you can install the Group Policy management Console
on it which makes checking Group Policy configuration much easier and the
Resultant Set of Policy is a godsend. You would have to logon to the XP
computer as a domain admin [or use domain admin credentials ] so be sure to
do that only on a known secure workstation [keyboard loggers, etc]. If
domain is misconfigured for dns you will also have Group Policy problems and
the netdiag support tool can help track that down. The links below may
help. --- Steve

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx --- GPMC free
download.
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- Must
use procedures for AD dns.

"Darren Hackler" <anonymous@discussions.microsoft.com> wrote in message
news:03c401c4f331$add10400$a401280a@phx.gbl...
>I have my GP set to disable downloads from IE for the
> general internet users. It works great. I have another
> that allows members of a certain group download rights. It
> doesn't work. When I view the policy, everything appears
> to be OK. I have had to open the Security tab for those
> users and let them set download rights themselves.
> Obviously not the best way of doing it. I set the
> downloads under Windows Settings/IE Maint/Security
> Zones/Internet: Custom. Is this the wrong place to set it?

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

In addition, I note they you indicate that your GPO is using
the IE adm template setting in the Computer branch of the
policies tree. AIUI this will set the base level for all of the
identities using IE, while the equivalent policy in the IE adm
template of the Users branch set for the impacted user only.

Now, what was not clear is how you are filtering this GPO
so that it allows that select set of account to have a different
setting for the policy (or, to hopefully have it).
If this is being done by linking the GPO onto the OU the
contains those accounts, then notice that the computer branch
of policies is not being used (the computers may be in a
different OU). So, try setting it in the users branch instead.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Darren Hackler" <anonymous@discussions.microsoft.com> wrote in message
news:03c401c4f331$add10400$a401280a@phx.gbl...
> I have my GP set to disable downloads from IE for the
> general internet users. It works great. I have another
> that allows members of a certain group download rights. It
> doesn't work. When I view the policy, everything appears
> to be OK. I have had to open the Security tab for those
> users and let them set download rights themselves.
> Obviously not the best way of doing it. I set the
> downloads under Windows Settings/IE Maint/Security
> Zones/Internet: Custom. Is this the wrong place to set it?