Compatible Support Forums
lammypie

How do I lock Internet Explorer Security Settings across users?

Hi.

 

On my PC I have several user accounts (user privileges only) in addition to an Administrator account.

 

I maintain a list of Restricted Sites, Blocked Cookies, Blocked ActiveX controls etc. (via Spybot Immunise, Spyware Blaster, and some manual additions)

 

If I update the lists on the Administrator account, how do I get WinXP to automatically propagate those restrictions to all of the user accounts?

 

Also how can I lock the security settings page, so users can not lower security settings, or alter cookie handling, or active x controls etc?

 

 

 

I know this can be done, as most big businesses use this kind of approach, I just can't figure it out.

 

Many Thanks

 

 

Kind Regards

 

Chris


To lock the security tab, simply add the following dword in the registry.

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel

Add reg_dword = SecurityTab dword = 1

 

For more info, see http://www.jsiinc.com/subk/tip5100/rh5165.htm

 

To automatically propagate these security settings, you might need to create a logon (login) script.

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

 

Also, this link is helpful. http://www.jsiinc.com/subk/tip5100/rh5130.htm


Yes, group policy is a good thing to use. Though, be careful with the group policies... It can be a royal pain setting them up perfectly.

thanks guys,

 

I'm very new to this aspect of winxp

 

The IEAK seems not to be good for other users on the same computer, I only have 1 computer running winXP not a network or domains or anything.

 

I've been looking at the GPedit.

 

In Administrative templates, win comp, Internet explorer "use only machine settings to enabled" which should keep a standard set of settings amongst all users, however if I change them on the administrator account they do not propagate to the other limited accounts.

 

I have set "security Zones: Do not allow users to change policy" to enabled, however that also locks the administrator account from making amendments!

 

Any more suggestions?

 

 

Thanks

 

Chris


Let me think. It's been about 4 years since I last ran a multiple domain NT network.

 

I'd say, create a group, restrict that group within the GPedit. Assign your users to said group.

 

Propagation may take some doing. I'm sure there is an easier way to do this, but since I've been outta the loop, I'll tell you the hard way. After setting whatever permissions/restrictions that group has, create a logon script with checks, that updates the security zones and whatnot.

 

Hmmm, maybe this doesn't exactly answer your question. Hope it gives some ideas....


I can create a group in user accounts, but I can't get GPedit to apply settings just to one group. Just to either all the users, or the whole machine.

 

Seeing as I am only running 1 machine (not connected to any network or domain, those two configurations have the same effect).

 

aarrgh


Is this XP home or Pro....

 

You know, maybe you can't do this on pro, by itself. Might need server to establish this properly. I need to think more on this....


Thanks Theefool. It's WinXP Pro.

 

Update

This is what I have found so far.

 

If I add a site to the restricted site list in IE, it creates it in this registry key.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

 

This only adds it to the restricted site list for the user who is logged in at the time.

 

To add it globally, you have to manually add it to the registry - here!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

 

Note the only difference in the key is CURRENT_USER to LOCAL_MACHINE.

 

However, this will not make ANY difference to each user's restricted sites list until you set 'SECURITY ZONES: Use only machine settings' to 'ENABLED'. You can do this through GPEDIT (I haven't discovered the registry key for this yet).

 

If you don't enable the above option then the Local Machine entries are ignored, and it won't have any effect on the restricted lists.

 

 

So using Spybot, and spyware blaster to maintain the restricted lists, only updates the current user, so to use those programs to maintain the restricted site lists for the other users on my PC, (which is the whole point) I have to do the following.

1. Make sure the 'Use only machine settings' is 'enabled' in GPedit.

2. Run Spybot/Spyware Blaster.

3. Open the registry, export HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ to a text file.

4. Edit the text file, replacing HKEY_CURRENT_USER with HKEY_LOCAL_MACHINE.

5. Rename the text file so it ends in .reg. Then run it, and it'll add it to the registry.

 

a bit long winded but it seems to work. Now I need to figure out how to write a script or something to do that automatically. (I have no idea how to write scripts)

 

 

I have also discovered a conflict when using such programs to maintain these lists. When using domain names everything seems to work hunky-dory, however the Ranges key (IP ADDRESSES) is also updated.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges

 

Now, unlike the Domains key, where the subkeys are the names of the websites, the list of IP addresses is different. Inside the Ranges key, subkeys are numbered 1, 2, 3, 4, 5 etc., with the IP address stored as a value, not a key. Therefore the ranges installed by one such utility work great, but are overwritten when another replaces the keys 1, 2, 3, 4, 5, 6 with its own ones storing different IP addresses.

This does not happen with the domains, as the domain or website name itself is the key name, so they don't get removed accidentally.

 

I think this is just a limitation of the os.

 

I have spent ALL day on this so far, and do not have anymore time to try and find a work around for this issue today.

 

If anyone knows an easier way of spreading the restricted list through all users on the machine, then please let me know.

Also if anyone knows how to automate the above process (perhaps by way of script), then I'd really appreciate it.

 

 

Kind regards

 

Chris

 

(Now I have to learn how to do the same, with the privacy settings - ALL SUGGESTIONS NEEDED AND MOST WELCOME)


One 'cleaner' /* wink */ method to export a specific registry key is:

Quote:

regedit /e "z:\my_reg_file.reg" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"

This will export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ registry path to "z:\my_reg_file.reg".

 

<edit>

Quote:

...

a bit long winded but it seems to work. Now I need to figure out how to write a script or something to do that automatically. (I have no idea how to write scripts)

...

You could try to use Windows Script Host (WSH), as it is built into Windows. You need to know something about Visual Basic, though...

</edit>
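
An added example, not part of the original thread, of the export/edit/import steps described above: it rewrites only the key headers of an exported ZoneMap .reg file from HKEY_CURRENT_USER to HKEY_LOCAL_MACHINE, and gives Ranges entries unused names so ranges already in the machine hive are not overwritten. It is written in Python rather than WSH; the `Range<N>` key naming and the sample hosts and addresses are assumptions.

```python
ZONEMAP = r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
SRC, DST = "HKEY_CURRENT_USER" + ZONEMAP, "HKEY_LOCAL_MACHINE" + ZONEMAP

def parse_reg(text):
    """Map each [key] in .reg export text to its value lines, in file order."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif line and current is not None:
            keys[current].append(line)
    return keys

def to_machine(hkcu_text, hklm_text=""):
    """Build HKLM .reg text from an HKCU ZoneMap export without clobbering Ranges."""
    existing = parse_reg(hklm_text)
    root = (DST + "\\Ranges\\").lower()
    used = {k.lower() for k in existing}
    have = {frozenset(v) for k, v in existing.items() if k.lower().startswith(root)}
    out, n = ["Windows Registry Editor Version 5.00", ""], 1
    for key, values in parse_reg(hkcu_text).items():
        rel = key[len(SRC):]
        if not key.lower().startswith(SRC.lower()) or (rel and rel[0] != "\\"):
            continue  # only key headers under ZoneMap are rewritten
        new_key = DST + rel
        if new_key.lower().startswith(root):
            if frozenset(values) in have:
                continue  # same range already present machine-wide
            # Assumed naming: Range<N>; take the next number not in use.
            while (root + "range%d" % n) in used:
                n += 1
            new_key = DST + "\\Ranges\\Range%d" % n
            used.add(new_key.lower())
            have.add(frozenset(values))
        out += ["[%s]" % new_key] + values + [""]
    return "\r\n".join(out)

# Constructed sample exports (hosts and addresses are made up).
HKCU_SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + SRC + "\\Domains\\bad.example]", '"*"=dword:00000004', "",
    "[" + SRC + "\\Ranges\\Range1]", '"*"=dword:00000004', '":Range"="192.0.2.10"'])
HKLM_SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + DST + "\\Ranges\\Range1]", '"*"=dword:00000004', '":Range"="198.51.100.7"'])

if __name__ == "__main__":
    print(to_machine(HKCU_SAMPLE, HKLM_SAMPLE))
```

regedit /e writes its export as UTF-16, so open the exported file and write the result with `encoding="utf-16"` before importing it.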
