[gptalk] Sanity Check regarding Pop-Up Blocker GPO

  • From: "David Cliffe" <dc31hz@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Wed, 23 Jul 2008 14:35:26 -0400

Hi,

  A client is shortly to distribute a new app (for IE) which generates
pop-ups, so I was asked to implement a GPO which specifically adds the new
site to the pop-up blocker settings and ALLOWs the pop-up.

  Forest and domain is Win2003 (FFL/DFL=2).  All client machines are WinXP
with SP2.  Most clients are IE6 (some are IE7).  I configured the following:

"User Configuration\Administrative Templates\Windows Components\Internet
Explorer\Pop-up allow list"   (no strong reason to go with USER side
config...I just thought no need to do this on COMPUTER side).

  I enabled that policy, added one domain to the list (*.site.org) and
linked the GPO to a test OU with some users in it.  RSOP/GPRESULT all show
the GPO is applied successfully and also the following REG_SZ is confirmed
present in registry:

"HKCU\Software\Policies\Microsoft\Internet Explorer\New Windows\Allow"   (
*.site.org is present both as the value and the data )

  So I thought I was golden.  Wrong.  For three test users I
encountered strange results when logging on as each user and looking in IE
pop-up blocker settings (from the application itself).  Note that the GPO
was configured and applied via GPMC while logged on as User1 :

User1 (me) runs IE7 and had two additional domains previously configured in
pop-up blocker settings prior to existence of this GPO.  They were simply
configured via IE7 interface (not via GPO or other method).  The new domain
was added to the list.  This is the behavior I was hoping for.  Recall that
this user (me) created the GPO on this machine.

User2 runs IE6 and had one additional domain previously configured in pop-up
blocker settings prior to existence of new GPO.  The new domain was NOT
added to the list.  Instead, the two domains previously configured on
User1's machine were added to the list!

User3 runs IE7 and logged on to fresh built machine with NO pop-up blocker
settings configured.  The new domain was NOT added to the list.  Instead,
the two domains previously configured on User1's machine were added to the
list!  This test user took it upon himself to REMOVE ALL domains from the
list (manually in the IE interface) and then exit/relaunch IE.  This seemed
to cause the one correct domain to get added to the list.

  When the wrong domains got added to the list on User2 and User3 machine,
they were added as REG_BINARY here:

HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow   (this is where
they existed on the original User1 machine as well)


I'm confused by this behavior, or else I should not be mixing IE versions
or else should clean my own settings out first when creating the GPO
(although I didn't realize this could happen outside of IE Maint policies).

Sorry for the long post...hope it makes sense.  Just wondering if anyone
else has experienced it.
DaveC
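
The post names two registry locations: the policy key the GPO writes (REG_SZ) and the per-user preference key IE itself writes (REG_BINARY). The following is an added diagnostic example, not part of the original post, that lists both keys side by side for the logged-on user and flags sites present only in the preference key; it assumes it is run in the affected user's session, and the function and label names are hypothetical.

```powershell
# Added example: compare the GPO policy allow list with the per-user
# preference allow list for the currently logged-on user (HKCU).
# Key paths are the two quoted in the post; all other names are illustrative.
$keys = @(
    @{ Source = 'Policy';     SubKey = 'Software\Policies\Microsoft\Internet Explorer\New Windows\Allow' },
    @{ Source = 'Preference'; SubKey = 'Software\Microsoft\Internet Explorer\New Windows\Allow' }
)

function Get-PopupAllowEntries {
    param([string]$Source, [string]$SubKey)
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey)
    if ($null -eq $key) { return }          # key absent: nothing configured there
    try {
        foreach ($name in $key.GetValueNames()) {
            New-Object PSObject -Property @{
                Source = $Source
                Site   = $name
                Kind   = $key.GetValueKind($name)   # String = REG_SZ, Binary = REG_BINARY
            }
        }
    }
    finally { $key.Close() }
}

$entries = @(foreach ($k in $keys) {
    Get-PopupAllowEntries -Source $k.Source -SubKey $k.SubKey
})

# Full listing, with the value type that distinguishes the two sources.
$entries | Sort-Object Source, Site | Format-Table Source, Site, Kind -AutoSize

$policySites = @($entries | Where-Object { $_.Source -eq 'Policy' }     | ForEach-Object { $_.Site })
$prefSites   = @($entries | Where-Object { $_.Source -eq 'Preference' } | ForEach-Object { $_.Site })

# Sites in the user's preference key that the policy key did not deliver.
$unexpected = @($prefSites | Where-Object { $policySites -notcontains $_ })
if ($unexpected.Count -gt 0) {
    'Preference-only sites (not in the policy key):'
    $unexpected
} else {
    'No preference-only sites found.'
}
```

Running this as each test user shows whether an unexpected site sits in the policy key or only in the user's own preference key.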
