Thanks Jamie...good thoughts...I would agree it sounds like there may be another policy conflicting. I had checked that but will certainly check again and post back. I am also testing removal of my own settings in IE first, and then relink the policy to see if it makes a difference. Also appreicate the remark on "Trusted Sites". Client currently does not have that particular site listed there (although there are others), but that's something I hadn't thought of. -DaveC On Wed, Jul 23, 2008 at 2:45 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> wrote: > Are you sure that there is no IE Maintenance Policy getting applied? Are > the users and computer objects all in the same OUs? The Admin Template > settings are the way to go, but the behavior you're explaining kind of > sounds like there is something else conflicting with them. > > > > Also keep in mind that if you add a site to the "Trusted Sites" zone you > should not have to also add it to the pop-up allow list. If you do indeed > trust the site, I would go ahead and add it there instead of maintaining two > different lists. > > > > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On > Behalf Of *David Cliffe > *Sent:* Wednesday, July 23, 2008 1:35 PM > *To:* gptalk@xxxxxxxxxxxxx > *Subject:* [gptalk] Sanity Check regarding Pop-Up Blocker GPO > > > > Hi, > > > > A client is shortly to distribute a new app (for IE) which generates > pop-ups, so I was asked to implement GPO which specifically adds the new > site to the pop-up blocker settings and ALLOW the pop-up. > > > > Forest and domain is Win2003 (FFL/DFL=2). All client machines are WinXP > with SP2. Most clients are IE6 (some are IE7). I configured the following: > > > > "User Configuration\Administrative Templates\Windows Components\Internet > Explorer\Pop-up allow list" (no strong reason to go with USER side > config...I just thought no need to do this on COMPUTER side). > > > > I enabled that policy, added one domain to the list (*.site.org) and > linked the GPO to a test OU with some users in it. RSOP/GPRESULT all show > the GPO is applied successfully and also the following REG_SZ is confirmed > present in registry: > > > > "HKCU\Software\Policies\Microsoft\Internet Explorer\New Windows\Allow" ( > *.site.org is present both as the value and the data ) > > > > So I thought I was golden. Wrong. For three test users I > encountered strange results when logging on as each user and looking in IE > pop-up blocker settings (from the application itself). Note that the GPO > was configured and applied via GPMC while logged on as User1 : > > > > User1 (me) runs IE7 and had two additional domains previously configured in > pop-up blocker settings prior to existence of this GPO. They were simply > configured via IE7 interface (not via GPO or other method). The new domain > was added to the list. This is the behavior I was hoping for. Recall that > this user (me) created the GPO on this machine. > > > > User2 runs IE6 and had one additional domain previously configured in > pop-up blocker settings prior to existence of new GPO. The new domain was > NOT added to the list. Instead, the two domains previously configured on > User1's machine were added to the list! > > > > User3 runs IE7 and logged on to fresh built machine with NO pop-up blocker > settings configured. The new domain was NOT added to the list. Instead, > the two domains previously configured on User1's machine were added to the > list! This test user took it upon himself to REMOVE ALL domains from the > list (manually in the IE interface) and then exit/relaunch IE. This seemed > to cause the one correct domain to get added to the list. > > > > When the wrong domains got added to the list on User2 and User3 machine, > they were added as REG_BINARY here: > > > > HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow (this is > where they existed on the original User1 machine as well) > > > > > > I'm confused by this beharvior, or else I should not be mixing IE versions > or else should clean my own settings out first when creating the GPO > (although I didn't realize this could happen outside of IE Maint policies). > > > > Sorry for the long post...hope it makes sense. Just wondering if anyone > else has experienced it. > > DaveC >