Sign in with
Sign up | Sign in
Your question

Reducing IE security settings

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
February 23, 2005 3:15:01 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi

We run XP with SP2 applied on our network - deployed via a GPO from 2003
server. This puts the security settings for the Internet Zone in IE to
high - which creates lots of problems with our students not being able
to access interactive content/mulitmedia/etc etc. We've thought about
this and would like to reduce this setting to Medium; we know the risks
but feel that the gains will outweigh them in our context, as we'd be
forevever adding stuff to 'trusted sites' if we do it that way!

However we've been unable to achive this, either by modifying exisiting
GPOs or creating our own! Any advice would be gratefully recivied!

tia
andy
Anonymous
a b 8 Security
February 24, 2005 1:46:55 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Andy.

The default setting is medium for the internet Web Content Zone. You can change
this in Group Policy/user configuration/Windows settings/Internet Explorer
maintenance/security - security zones and content. You can configure the
settings you want on the computer you are configuring the policy on or modify
the existing settings.

Also check the settings in advanced settings for "allow active content from cd
to run on my computer" which may also be part of the problem. However I don't
think that can be changed via Group Policy. --- Steve


"andy smart" <anonymus@discussions.microsoft.com> wrote in message
news:cvhs46$k69$1@newsfeed.th.ifl.net...
> Hi
>
> We run XP with SP2 applied on our network - deployed via a GPO from 2003
> server. This puts the security settings for the Internet Zone in IE to
> high - which creates lots of problems with our students not being able
> to access interactive content/mulitmedia/etc etc. We've thought about
> this and would like to reduce this setting to Medium; we know the risks
> but feel that the gains will outweigh them in our context, as we'd be
> forevever adding stuff to 'trusted sites' if we do it that way!
>
> However we've been unable to achive this, either by modifying exisiting
> GPOs or creating our own! Any advice would be gratefully recivied!
>
> tia
> andy
Anonymous
a b 8 Security
February 24, 2005 7:21:45 PM

Archived from groups: microsoft.public.win2000.security (More info?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven Umbach wrote:
| Hi Andy.
|
| The default setting is medium for the internet Web Content Zone. You
can change
| this in Group Policy/user configuration/Windows settings/Internet Explorer
| maintenance/security - security zones and content. You can configure the
| settings you want on the computer you are configuring the policy on or
modify
| the existing settings.
|
| Also check the settings in advanced settings for "allow active content
from cd
| to run on my computer" which may also be part of the problem. However
I don't
| think that can be changed via Group Policy. --- Steve
|
|
| "andy smart" <anonymus@discussions.microsoft.com> wrote in message
| news:cvhs46$k69$1@newsfeed.th.ifl.net...
|
|>Hi
|>
|>We run XP with SP2 applied on our network - deployed via a GPO from 2003
|>server. This puts the security settings for the Internet Zone in IE to
|>high - which creates lots of problems with our students not being able
|>to access interactive content/mulitmedia/etc etc. We've thought about
|>this and would like to reduce this setting to Medium; we know the risks
|>but feel that the gains will outweigh them in our context, as we'd be
|>forevever adding stuff to 'trusted sites' if we do it that way!
|>
|>However we've been unable to achive this, either by modifying exisiting
|>GPOs or creating our own! Any advice would be gratefully recivied!
|>
|>tia
|>andy
|
|
|
Thanks Steve

This makes us think that somewhere we have another GPO which is
increasign the settings for us. Is there an easy way to find out which
GPO might be doing this, or is it a case of starting from 'default
domain' and systematically adding GPOs till we find it?

andy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCHf8Yqmlxlf41jHgRAn9HAJ0W1xy5sTxK0mTDWpQqfu6t8G2TUwCfUVKK
YvZo9WbYojvGY8ilyJfbMn0=
=4c2D
-----END PGP SIGNATURE-----
Anonymous
a b 8 Security
February 24, 2005 7:21:46 PM

Archived from groups: microsoft.public.win2000.security (More info?)

What would be worth a try is to run gpresult on one of those affected domain
computers. By default gpresult will display the result for the logged on
user and computer but you can specify a different user and also user the /v
switch for verbose results. You may want to pipe it to a text file as the
output could more than fill the screen - as in [ gpresult /user Andy /v
>results.txt ]. Look for something like below. If you do not find a Group
Policy that is enforcing the setting, then maybe it was removed or it was
implemented some other way as in IEAK possibly in which case you could
configure a Group Policy to make the change to be what you need for the
domain computers. --- Steve

Internet Explorer Security
--------------------------
Always Viewable Sites: N/A
Password Override Enabled: N/A

GPO: Default Domain Policy
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: Yes
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No


"andy smart" <anonymus@discussions.microsoft.com> wrote in message
news:cvkuuq$o6r$1@newsfeed.th.ifl.net...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Steven Umbach wrote:
> | Hi Andy.
> |
> | The default setting is medium for the internet Web Content Zone. You
> can change
> | this in Group Policy/user configuration/Windows settings/Internet
> Explorer
> | maintenance/security - security zones and content. You can configure the
> | settings you want on the computer you are configuring the policy on or
> modify
> | the existing settings.
> |
> | Also check the settings in advanced settings for "allow active content
> from cd
> | to run on my computer" which may also be part of the problem. However
> I don't
> | think that can be changed via Group Policy. --- Steve
> |
> |
> | "andy smart" <anonymus@discussions.microsoft.com> wrote in message
> | news:cvhs46$k69$1@newsfeed.th.ifl.net...
> |
> |>Hi
> |>
> |>We run XP with SP2 applied on our network - deployed via a GPO from 2003
> |>server. This puts the security settings for the Internet Zone in IE to
> |>high - which creates lots of problems with our students not being able
> |>to access interactive content/mulitmedia/etc etc. We've thought about
> |>this and would like to reduce this setting to Medium; we know the risks
> |>but feel that the gains will outweigh them in our context, as we'd be
> |>forevever adding stuff to 'trusted sites' if we do it that way!
> |>
> |>However we've been unable to achive this, either by modifying exisiting
> |>GPOs or creating our own! Any advice would be gratefully recivied!
> |>
> |>tia
> |>andy
> |
> |
> |
> Thanks Steve
>
> This makes us think that somewhere we have another GPO which is
> increasign the settings for us. Is there an easy way to find out which
> GPO might be doing this, or is it a case of starting from 'default
> domain' and systematically adding GPOs till we find it?
>
> andy
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCHf8Yqmlxlf41jHgRAn9HAJ0W1xy5sTxK0mTDWpQqfu6t8G2TUwCfUVKK
> YvZo9WbYojvGY8ilyJfbMn0=
> =4c2D
> -----END PGP SIGNATURE-----
!