[gptalk] Re: Sanity Check regarding Pop-Up Blocker GPO
- From: "David Cliffe" <dc31hz@xxxxxxxxx>
- To: gptalk@xxxxxxxxxxxxx
- Date: Wed, 23 Jul 2008 15:39:07 -0400
Thanks Jamie...good thoughts...I would agree it sounds like there may be
another policy conflicting. I had checked that but will certainly check
again and post back. I am also testing removal of my own settings in IE
first, and then relink the policy to see if it makes a difference.
Also appreicate the remark on "Trusted Sites". Client currently does not
have that particular site listed there (although there are others), but
that's something I hadn't thought of.
-DaveC
On Wed, Jul 23, 2008 at 2:45 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> wrote:
> Are you sure that there is no IE Maintenance Policy getting applied? Are
> the users and computer objects all in the same OUs? The Admin Template
> settings are the way to go, but the behavior you're explaining kind of
> sounds like there is something else conflicting with them.
>
>
>
> Also keep in mind that if you add a site to the "Trusted Sites" zone you
> should not have to also add it to the pop-up allow list. If you do indeed
> trust the site, I would go ahead and add it there instead of maintaining two
> different lists.
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *David Cliffe
> *Sent:* Wednesday, July 23, 2008 1:35 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Sanity Check regarding Pop-Up Blocker GPO
>
>
>
> Hi,
>
>
>
> A client is shortly to distribute a new app (for IE) which generates
> pop-ups, so I was asked to implement GPO which specifically adds the new
> site to the pop-up blocker settings and ALLOW the pop-up.
>
>
>
> Forest and domain is Win2003 (FFL/DFL=2). All client machines are WinXP
> with SP2. Most clients are IE6 (some are IE7). I configured the following:
>
>
>
> "User Configuration\Administrative Templates\Windows Components\Internet
> Explorer\Pop-up allow list" (no strong reason to go with USER side
> config...I just thought no need to do this on COMPUTER side).
>
>
>
> I enabled that policy, added one domain to the list (*.site.org) and
> linked the GPO to a test OU with some users in it. RSOP/GPRESULT all show
> the GPO is applied successfully and also the following REG_SZ is confirmed
> present in registry:
>
>
>
> "HKCU\Software\Policies\Microsoft\Internet Explorer\New Windows\Allow" (
> *.site.org is present both as the value and the data )
>
>
>
> So I thought I was golden. Wrong. For three test users I
> encountered strange results when logging on as each user and looking in IE
> pop-up blocker settings (from the application itself). Note that the GPO
> was configured and applied via GPMC while logged on as User1 :
>
>
>
> User1 (me) runs IE7 and had two additional domains previously configured in
> pop-up blocker settings prior to existence of this GPO. They were simply
> configured via IE7 interface (not via GPO or other method). The new domain
> was added to the list. This is the behavior I was hoping for. Recall that
> this user (me) created the GPO on this machine.
>
>
>
> User2 runs IE6 and had one additional domain previously configured in
> pop-up blocker settings prior to existence of new GPO. The new domain was
> NOT added to the list. Instead, the two domains previously configured on
> User1's machine were added to the list!
>
>
>
> User3 runs IE7 and logged on to fresh built machine with NO pop-up blocker
> settings configured. The new domain was NOT added to the list. Instead,
> the two domains previously configured on User1's machine were added to the
> list! This test user took it upon himself to REMOVE ALL domains from the
> list (manually in the IE interface) and then exit/relaunch IE. This seemed
> to cause the one correct domain to get added to the list.
>
>
>
> When the wrong domains got added to the list on User2 and User3 machine,
> they were added as REG_BINARY here:
>
>
>
> HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow (this is
> where they existed on the original User1 machine as well)
>
>
>
>
>
> I'm confused by this beharvior, or else I should not be mixing IE versions
> or else should clean my own settings out first when creating the GPO
> (although I didn't realize this could happen outside of IE Maint policies).
>
>
>
> Sorry for the long post...hope it makes sense. Just wondering if anyone
> else has experienced it.
>
> DaveC
>
Other related posts:
