[gptalk] Re: Sanity Check regarding Pop-Up Blocker GPO
- From: "David Cliffe" <dc31hz@xxxxxxxxx>
- To: gptalk@xxxxxxxxxxxxx
- Date: Wed, 23 Jul 2008 15:39:07 -0400
Thanks Jamie...good thoughts...I would agree it sounds like there may be
another policy conflicting. I had checked that but will certainly check
again and post back. I am also testing removal of my own settings in IE
first, and then relink the policy to see if it makes a difference.
Also appreciate the remark on "Trusted Sites". Client currently does not
have that particular site listed there (although there are others), but
that's something I hadn't thought of.
-DaveC
On Wed, Jul 23, 2008 at 2:45 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> wrote:
> Are you sure that there is no IE Maintenance Policy getting applied? Are
> the users and computer objects all in the same OUs? The Admin Template
> settings are the way to go, but the behavior you're explaining kind of
> sounds like there is something else conflicting with them.
>
>
>
> Also keep in mind that if you add a site to the "Trusted Sites" zone you
> should not have to also add it to the pop-up allow list. If you do indeed
> trust the site, I would go ahead and add it there instead of maintaining two
> different lists.
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *David Cliffe
> *Sent:* Wednesday, July 23, 2008 1:35 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Sanity Check regarding Pop-Up Blocker GPO
>
>
>
> Hi,
>
>
>
> A client is shortly to distribute a new app (for IE) which generates
> pop-ups, so I was asked to implement GPO which specifically adds the new
> site to the pop-up blocker settings and ALLOW the pop-up.
>
>
>
> Forest and domain is Win2003 (FFL/DFL=2). All client machines are WinXP
> with SP2. Most clients are IE6 (some are IE7). I configured the following:
>
>
>
> "User Configuration\Administrative Templates\Windows Components\Internet
> Explorer\Pop-up allow list" (no strong reason to go with USER side
> config...I just thought no need to do this on COMPUTER side).
>
>
>
> I enabled that policy, added one domain to the list (*.site.org) and
> linked the GPO to a test OU with some users in it. RSOP/GPRESULT all show
> the GPO is applied successfully and also the following REG_SZ is confirmed
> present in registry:
>
>
>
> "HKCU\Software\Policies\Microsoft\Internet Explorer\New Windows\Allow" (
> *.site.org is present both as the value and the data )
>
>
>
> So I thought I was golden. Wrong. For three test users I
> encountered strange results when logging on as each user and looking in IE
> pop-up blocker settings (from the application itself). Note that the GPO
> was configured and applied via GPMC while logged on as User1 :
>
>
>
> User1 (me) runs IE7 and had two additional domains previously configured in
> pop-up blocker settings prior to existence of this GPO. They were simply
> configured via IE7 interface (not via GPO or other method). The new domain
> was added to the list. This is the behavior I was hoping for. Recall that
> this user (me) created the GPO on this machine.
>
>
>
> User2 runs IE6 and had one additional domain previously configured in
> pop-up blocker settings prior to existence of new GPO. The new domain was
> NOT added to the list. Instead, the two domains previously configured on
> User1's machine were added to the list!
>
>
>
> User3 runs IE7 and logged on to fresh built machine with NO pop-up blocker
> settings configured. The new domain was NOT added to the list. Instead,
> the two domains previously configured on User1's machine were added to the
> list! This test user took it upon himself to REMOVE ALL domains from the
> list (manually in the IE interface) and then exit/relaunch IE. This seemed
> to cause the one correct domain to get added to the list.
>
>
>
> When the wrong domains got added to the list on User2 and User3 machine,
> they were added as REG_BINARY here:
>
>
>
> HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow (this is
> where they existed on the original User1 machine as well)
>
>
>
>
>
> I'm confused by this behavior, or else I should not be mixing IE versions
> or else should clean my own settings out first when creating the GPO
> (although I didn't realize this could happen outside of IE Maint policies).
>
>
>
> Sorry for the long post...hope it makes sense. Just wondering if anyone
> else has experienced it.
>
> DaveC
>
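An added example, not part of the original thread: a PowerShell check, run as the affected user, that lists the entries in the two registry locations named in the messages above with their value types, and flags per-user entries that the GPO did not deliver. The function name `Get-AllowListEntry` and the variable names are illustrative.

```powershell
# Added example (not from the thread). Registry paths are the two quoted in the posts.
$policyPath = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\New Windows\Allow'
$prefPath   = 'HKCU:\Software\Microsoft\Internet Explorer\New Windows\Allow'

function Get-AllowListEntry {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Source
    )
    # A missing key simply means no entries from that source.
    if (-not (Test-Path -LiteralPath $Path)) { return }

    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }          # skip the unnamed default value
        [pscustomobject]@{
            Source = $Source
            Site   = $name
            # RegistryValueKind: 'String' is REG_SZ, 'Binary' is REG_BINARY
            Kind   = $key.GetValueKind($name)
        }
    }
}

$policy = @(Get-AllowListEntry -Path $policyPath -Source 'Policy')
$pref   = @(Get-AllowListEntry -Path $prefPath   -Source 'Preference')

# Everything currently present for this user, from both locations.
$policy + $pref | Sort-Object Source, Site | Format-Table -AutoSize

# Per-user entries that are not in the policy key, i.e. sites allowed
# by something other than this GPO setting.
$policySites = @($policy | ForEach-Object { $_.Site })
$unmanaged   = @($pref | Where-Object { $policySites -notcontains $_.Site })

if ($unmanaged.Count -gt 0) {
    Write-Warning ("{0} allow-list entries are not delivered by policy:" -f $unmanaged.Count)
    $unmanaged | Format-Table Site, Kind -AutoSize
} else {
    Write-Output 'All per-user allow-list entries match the policy list.'
}
```

Running it for each test user before and after `gpupdate` shows which location an unexpected site came from.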