[gptalk] Re: GPO setting for INternet Explorer

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 6 Nov 2006 11:18:50 -0800

There are a few issues with this:
1. The GPO settings do not work with Windows 2000, even if the 2k machines
are running IE6 or IE7.
2. For Win XP and Win 2003, as Zach stated, the items already in the
trusted sites and intranet sites are wiped out (they remain in the registry
but they are not live) and the end user cannot modify the site lists anymore
as long as the GPO is active.
So to get around this, as I am just about to deploy (today) a new web app
that required IWA to work, I wrote a script that works with Win2k, WinXP
and Win2003 with IE6 and IE7.
Now this script just creates a few registry keys, values and their
respective data, and it allows the user to keep control of the site list.
You can add this script to a logon script.
The following script will add the http://*.NCBPAC.org zone to the intranet
sites in IE. This does not modify the SSL required checkbox- but it just
'****************************start script
' Registry hive constants for the WMI StdRegProv provider
Const HKEY_CLASSES_ROOT  = &H80000000
Const HKEY_CURRENT_USER  = &H80000001
Const HKEY_LOCAL_MACHINE  = &H80000002
Const HKEY_USERS   = &H80000003
Const HKEY_CURRENT_CONFIG  = &H80000005
' "." targets the local computer
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
' Key under HKEY_CURRENT_USER that holds the zone mapping for the site
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
' Value name is the URL scheme; data 1 maps it to the intranet zone
strValueName = "http"
strValue = 1
' Create the key for the current user, then write the DWORD value
oReg.CreateKey HKEY_CURRENT_USER,strKeyPath
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue
Let me know if this works out for you.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Baiel, Zach
Sent: Monday, November 06, 2006 11:02 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] RE: [gptalk] GPO setting for INternet Explorer

Is this something you would want?
Applying Internet Explorer Security Settings to All Machines

One of the features of Group Policy is its ability to apply security
settings to Internet Explorer that take effect on all machines in the OU.
The most useful of these is to add Intranet sites to the list so that
Integrated Windows Authentication works.

However the capability to do this is not that clear. However you can set it
how you like. 

1.      Open the Group Policy editor for the domain. 

2.      Go to the following location in the Group Policy location: User
Configuration, Windows Settings, Internet Explorer Maintenance, Security. 

3.      In the right window you will see an object called "Security Zones
and Content Ratings". Double-click it to open it. 

4.      The "Security Zones and Content Ratings" window will open. In the
section labelled "Security Zones and Privacy" there are two radio buttons.
Choose the second one - "Import the current security zones and privacy
settings" so that "Modify Settings" becomes enabled. 

5.      Click on "Modify Settings". 

6.      The Internet Explorer security window will be opened and you can
change the settings to what you wish. 
For example, if you want to add an address to the list of sites in the
Intranet zone (allowing you to use Windows Integrated Authentication) you
need to do the following. 

a.      Click on "Local Intranet" so that the "Sites" button becomes

b.      Click on the "Sites" button. 

c.      You will see three options already enabled. Leave those alone and
click on the "Advanced..." button below them. 

d.      Enter the addresses of the sites you want to include.
Note. You can use wildcards. Therefore if you have sites called
home.domain.com and intranet.domain.com you might want to enter *.domain.com

e.      If you are using a certificate on these sites, then you could enable
"Require server verification (https:) for all sites in the zone" but you
should test first. 

7.      Once you have finished making your changes just click "OK" until you
are back to the Group Policy window again. 

8.      You will need to log off and log back on again for the changes to
take effect on workstations. 

These settings override any that the users may have put in themselves, so be
aware before you enable the features. 




-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]On
Behalf Of Tom Strader
Sent: Monday, November 06, 2006 12:50 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO setting for INternet Explorer

I am having trouble finding a setting in GPO that allows me to set (enable)
Windows Integrated Authentication in Internet Explorer.


Can anyone guide me in the right way to accomplish this?


Thanks for your assistance in advance,

Tom Strader

Server Systems Administrator
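
An audit counterpart to the logon script at the top of this thread, as an added example that is not part of the original messages: it lists the per-user site-to-zone mappings under HKCU so an administrator can review what has ended up in the Local Intranet or Trusted Sites zones. The registry root is the standard IE zone-map location and is an assumption here, because the key path in the posted script is cut off; the function name `Get-ZoneMapEntry` is hypothetical.

```powershell
# Added example, not from the thread. Assumption: the default per-user
# zone-map root below; pass -Root to audit a different hive or a loaded profile.
function Get-ZoneMapEntry {
    param(
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    $zoneNames = @{
        0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
        3 = 'Internet';    4 = 'Restricted Sites'
    }
    if (-not (Test-Path -LiteralPath $Root)) { return }
    $rootName = (Get-Item -LiteralPath $Root).Name

    Get-ChildItem -LiteralPath $Root -Recurse | ForEach-Object {
        $key = $_
        # Keys nest as <domain>\<host>; reverse the parts to get host.domain.
        $parts = $key.Name.Substring($rootName.Length + 1).Split('\')
        [array]::Reverse($parts)
        $site = $parts -join '.'

        foreach ($scheme in $key.GetValueNames()) {
            $zone = $key.GetValue($scheme)
            # Skip the unnamed default value and anything that is not a DWORD.
            if ($scheme -eq '' -or $zone -isnot [int]) { continue }
            [pscustomobject]@{
                Site     = $site
                Scheme   = $scheme      # 'http', 'https', or '*' for any scheme
                Zone     = $zone
                ZoneName = $zoneNames[$zone]
                # Intranet/Trusted mapping that is not restricted to https
                NonHttps = ($zone -in 1, 2) -and ($scheme -ne 'https')
            }
        }
    }
}

# Review everything the current user has in the Intranet or Trusted zones.
Get-ZoneMapEntry |
    Where-Object { $_.Zone -in 1, 2 } |
    Sort-Object Zone, Site |
    Format-Table -AutoSize
```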


