Now I'm really confused, your previous message said only GPO was effective, now you're saying GPO is not for pushing down proxy settings? Okay, let's look at this in a little more detail. IE, as in all Windows-based browsers, defaults to using port 80 on the default gateway to contact websites. This is where the problem we were discussing comes in, utilizing this method causes it to bypass SurfControl. So, to get around this problem, IE, as in all Windows-based browsers, must use a "proxy" so SurfControl can filter it. These proxy settings, in IE and almost all other Windows-based browsers, are stored as Registry entries. When you go into the menus within these browsers to make the proxy settings, they are merely a GUI interface into making these registry changes. You can visit each and every workstation, and enter the proxy settings manually. However, most of the time in AD environments, if a proxy server is in use, administrators use GPO to make these registry changes upon login. Unfortunately, IE is the only program that is "natively" capable of managing settings via GPO. The scenario we're discussing having a problem also involves all clients using the Firewall Client. The FWC also has the ability to update these registry entries without the use of GPO. Whenever the Firewall Client is refreshed, it will make the necessary registry entries to make IE use a proxy server. Thus, in order for a browser (in this case we're talking about IE) to use a proxy server, it needs to have the necessary registry entries. Whether you use GPO to set these proxy settings, or the FWC, or entering them by hand makes ABSOLUTLEY NO DIFFERENCE! I hope this will clear this up a bit more for you... ________________________________ From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] Sent: Thursday, March 24, 2005 15:19 To: [ISAserver.org Discussion List] Subject: [isalist] RE: possible fix RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004 http://www.ISAserver.org GPO is not for pushing down the IE proxy setting, it is for lock the setting tab at user's IE, then FCW with webproxy setting is fixed and unchangable at user's side! ----- Original Message ----- From: Ball, Dan <mailto:DBall@xxxxxxxxxxx> To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx> Sent: Friday, March 25, 2005 4:06 AM Subject: [isalist] RE: possible fix RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004 http://www.ISAserver.org Could you please explain this a bit more? I fail to see how it would make a difference whether the proxy settings were pushed out via FWC or GPO. Either way, you have the proxy settings in IE, and they can disable them. ________________________________ From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] Sent: Thursday, March 24, 2005 14:39 To: [ISAserver.org Discussion List] Subject: [isalist] RE: possible fix RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004 http://www.ISAserver.org To make a consistant filter to user's web access, only GPO is effective because user under FWC only can disable web proxy server for a while until FWC is refreshed! If some bad boy would like to see a prohibited site, they can uncheck webproxy tab!