[gptalk] Re: Sanity Check regarding Pop-Up Blocker GPO
- From: "David Cliffe" <dc31hz@xxxxxxxxx>
- To: gptalk@xxxxxxxxxxxxx
- Date: Mon, 28 Jul 2008 18:12:59 -0400
Hi all,
Just a follow up note on this for completeness. Further testing confirmed
that if I configure the "Pop-up allow list" GPO for users, then the list of
domains I push down can be seen in the IE interface on IE7. The IE6
interface does not show the list. BOTH versions respect the policy setting.
Thanks,
DaveC
On Thu, Jul 24, 2008 at 12:04 AM, David Cliffe <dc31hz@xxxxxxxxx> wrote:
> Hm...possibly not; I suppose I'll have to confirm that the pop-ups do
> indeed work from that website on an IE6 system (you'd think I would have
> done that by now but I actually don't have an account to login to it yet!).
>
> Thanks :-)
> -DaveC
>
> On Wed, Jul 23, 2008 at 6:27 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx>
> wrote:
>
>> Yeah, I bet your local settings got imported to the IE Maintenance
>> Policy whenever you were dinking around with the new GPO. Is not being able
>> to see the list a deal breaker for you?
>>
>>
>>
>> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
>> *On Behalf Of *David Cliffe
>> *Sent:* Wednesday, July 23, 2008 4:26 PM
>> *To:* gptalk@xxxxxxxxxxxxx
>> *Subject:* [gptalk] Re: Sanity Check regarding Pop-Up Blocker GPO
>>
>>
>>
>> Update....
>>
>>
>>
>> Cleaning up my own IE pop-up blocker settings prior to config [and link]
>> of the new GPO seems to have fixed the issue where the domains I had
>> personally configured also got sent down to the test users. Could not find
>> ANY other GPOs which even came close to specifying those so I'm pretty sure
>> they got sent down incorrectly from my machine when I configured this new
>> GPO. Very strange.
>>
>>
>>
>> Next issue is that even though the correct domain name now gets sent down
>> to the POLICIES key for ALL test users (regardless of IE version), I can
>> only view it (within the IE interface) on an IE7 browser. If I open the
>> pop-up blocker settings on IE6 even with the reg key set, the domain does
>> not get shown in the window. The setting says this is supportd on IE6, so
>> my question is does it still take effect even though not shown in the app's
>> dialog box? IE7 it can be seen in the dialog box.
>>
>>
>>
>> -DaveC
>>
>> On Wed, Jul 23, 2008 at 3:39 PM, David Cliffe <dc31hz@xxxxxxxxx> wrote:
>>
>> Thanks Jamie...good thoughts...I would agree it sounds like there may be
>> another policy conflicting. I had checked that but will certainly check
>> again and post back. I am also testing removal of my own settings in IE
>> first, and then relink the policy to see if it makes a difference.
>>
>>
>>
>> Also appreicate the remark on "Trusted Sites". Client currently does not
>> have that particular site listed there (although there are others), but
>> that's something I hadn't thought of.
>>
>>
>>
>> -DaveC
>>
>> On Wed, Jul 23, 2008 at 2:45 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx>
>> wrote:
>>
>> Are you sure that there is no IE Maintenance Policy getting applied? Are
>> the users and computer objects all in the same OUs? The Admin Template
>> settings are the way to go, but the behavior you're explaining kind of
>> sounds like there is something else conflicting with them.
>>
>>
>>
>> Also keep in mind that if you add a site to the "Trusted Sites" zone you
>> should not have to also add it to the pop-up allow list. If you do indeed
>> trust the site, I would go ahead and add it there instead of maintaining two
>> different lists.
>>
>>
>>
>> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
>> *On Behalf Of *David Cliffe
>> *Sent:* Wednesday, July 23, 2008 1:35 PM
>> *To:* gptalk@xxxxxxxxxxxxx
>> *Subject:* [gptalk] Sanity Check regarding Pop-Up Blocker GPO
>>
>>
>>
>> Hi,
>>
>>
>>
>> A client is shortly to distribute a new app (for IE) which generates
>> pop-ups, so I was asked to implement GPO which specifically adds the new
>> site to the pop-up blocker settings and ALLOW the pop-up.
>>
>>
>>
>> Forest and domain is Win2003 (FFL/DFL=2). All client machines are WinXP
>> with SP2. Most clients are IE6 (some are IE7). I configured the following:
>>
>>
>>
>> "User Configuration\Administrative Templates\Windows Components\Internet
>> Explorer\Pop-up allow list" (no strong reason to go with USER side
>> config...I just thought no need to do this on COMPUTER side).
>>
>>
>>
>> I enabled that policy, added one domain to the list (*.site.org) and
>> linked the GPO to a test OU with some users in it. RSOP/GPRESULT all show
>> the GPO is applied successfully and also the following REG_SZ is confirmed
>> present in registry:
>>
>>
>>
>> "HKCU\Software\Policies\Microsoft\Internet Explorer\New Windows\Allow" (
>> *.site.org is present both as the value and the data )
>>
>>
>>
>> So I thought I was golden. Wrong. For three test users I
>> encountered strange results when logging on as each user and looking in IE
>> pop-up blocker settings (from the application itself). Note that the GPO
>> was configured and applied via GPMC while logged on as User1 :
>>
>>
>>
>> User1 (me) runs IE7 and had two additional domains previously configured
>> in pop-up blocker settings prior to existence of this GPO. They were simply
>> configured via IE7 interface (not via GPO or other method). The new domain
>> was added to the list. This is the behavior I was hoping for. Recall that
>> this user (me) created the GPO on this machine.
>>
>>
>>
>> User2 runs IE6 and had one additional domain previously configured in
>> pop-up blocker settings prior to existence of new GPO. The new domain was
>> NOT added to the list. Instead, the two domains previously configured on
>> User1's machine were added to the list!
>>
>>
>>
>> User3 runs IE7 and logged on to fresh built machine with NO pop-up blocker
>> settings configured. The new domain was NOT added to the list. Instead,
>> the two domains previously configured on User1's machine were added to the
>> list! This test user took it upon himself to REMOVE ALL domains from the
>> list (manually in the IE interface) and then exit/relaunch IE. This seemed
>> to cause the one correct domain to get added to the list.
>>
>>
>>
>> When the wrong domains got added to the list on User2 and User3 machine,
>> they were added as REG_BINARY here:
>>
>>
>>
>> HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow (this is
>> where they existed on the original User1 machine as well)
>>
>>
>>
>>
>>
>> I'm confused by this beharvior, or else I should not be mixing IE versions
>> or else should clean my own settings out first when creating the GPO
>> (although I didn't realize this could happen outside of IE Maint policies).
>>
>>
>>
>> Sorry for the long post...hope it makes sense. Just wondering if anyone
>> else has experienced it.
>>
>> DaveC
>>
>>
>>
>>
>>
>> *
>> ------------------------------
>> *
>>
>> *Confidentiality Warning:* This message and any attachments are intended
>> only for the use of the intended recipient(s), are confidential, and may be
>> privileged. If you are not the intended recipient, you are hereby notified
>> that any review, retransmission, conversion to hard copy, copying,
>> circulation or other use of all or any portion of this message and any
>> attachments is strictly prohibited. If you are not the intended recipient,
>> please notify the sender immediately by return e-mail, and delete this
>> message and any attachments from your system.
>>
>>
>
Other related posts:
