
IE Advanced/Security settings


Kevin

Sep 29, 2005, 3:26:14 PM
We have a need to set one of these settings company-wide and that's what
group policies are for, right?

Well, I go into my group policy editor and go to the IE/Advanced page and
there are only 2 of the many, many options from that tab (in IE).

Are there templates that I can import to add these? I'm not really that
much of an A/D or group policy guru, I just know how to add a few basic
rules, not add missing options, etc.

Any suggestions?

Thanks!

Steven L Umbach

Oct 1, 2005, 2:38:50 PM
There are a lot more than two settings in IE maintenance/advanced under
internet settings inetset.adm if you have a Windows 2003 domain controller
or for XP Pro computers though I agree all settings are not there. I have
not used it myself but the IEAK [see link below] can also be used to
configure IE settings though I believe that works best before deployment. If
you can determine the registry entry that the setting uses you might be able
to deploy the change with a Group Policy startup [computer specific] and/or
logon script [user specific] using a .reg file. There are free tools such as
regshot to take before and after snapshots of the registry after doing a
setting change to help track down the registry key/entry. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/ac9df2a1-6750-4d6f-bd91-74be5d619e81.mspx
http://www.snapfiles.com/get/regshot.html --- regshot


Kevin

Oct 3, 2005, 11:25:45 AM
I was referring to the last section of the maint/adv group as it appears
in the IE Options windows. The 'Security' block at the bottom has about
16 choices in the IE dialog box, but only 2 GP settings in the GP
Editor. The full maint/adv page has more, yes.

I imported wuau.adm to get all my firewall settings and WSUS stuff
(can't remember which) a while back and that worked nicely. I guess I
am looking for a bit more in the way of IE settings that I can push via
domain group policy.

The IEAK stuff seems vastly overkill for what I'm trying to do - we
don't 'deploy' IE, it's just installed on our workstations and I can't
get past the part where it wants to do a bunch of stuff to our IE
Deployment environment - because we don't have one.

I don't really want to have to wade through 300+ registry change
deployments, either. I've been able to do all the settings I've needed
up to this point in the group policy stuff and I'd really like to stick
with that way of doing things - I just need more templates (or options
within the templates or whatever).

Make sense?


Steven L Umbach

Oct 4, 2005, 11:25:59 PM
I don't know of any templates offhand but it is possible to apply changes
to the registry via Group Policy startup or logon scripts once you find the
registry changes that apply the desired setting. The script would simply be
a .bat file created with notepad using the regedit /s command with the path
to the .reg file which could be on a network share. Below is an example of
such a .reg file for a couple advanced security settings - enabling that
temporary internet files be deleted at IE closing and enabling Windows
integrated authentication and it would be a logon script. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;310516&sd=tech ---
about .reg files.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableNegotiate"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
"Persistent"=dword:00000000



Per Hagstrom

Oct 14, 2005, 10:42:40 AM
Oh, so there is no place within IE Group Policy where you can enforce
"Integrated Windows Authentication"?

Sounds like the reg hack would do it though... will give it a try... thanks!

/ Per


"Steven L Umbach" <n9...@nospam-comcast.net> wrote in message
news:%23Bid1xV...@TK2MSFTNGP09.phx.gbl...


>I don't know of any templates offhand but it is possible to apply changes
>to the registry via Group Policy startup or logon scripts once you find the
>registry changes that apply the desired setting. The script would simply be
>a .bat file created with notepad using the regedit /s command with the path
>to the .reg file which could be on a network share. Below is an example of
>such a .reg file for a couple advanced security settings - enabling that
>temporary internet files be deleted at IE closing and enabling Windows
>integrated authentication and it would be a logon script. --- Steve
>
>

Per Hagstrom

Oct 17, 2005, 9:46:04 AM
The answer is in Greg Edmonds' thread: "Modify a setting in IE" in this same
forum. (started 10/14/2005)
Have to create a Custom Admin Template...

/ Per


"Per Hagstrom" <p...@charter.NOSPAMnet> wrote in message
news:u2YzK2M0...@TK2MSFTNGP14.phx.gbl...


> Oh, so there is no place within IE Group Policy where you can enforce
> "Integrated Windows Authentication"?
>
> Sounds like the reg hack would do it though... will give it a try...
> thanks!
>
> / Per
>
>
> "Steven L Umbach" <n9...@nospam-comcast.net> wrote in message
> news:%23Bid1xV...@TK2MSFTNGP09.phx.gbl...
>>I don't know of any templates offhand but it is possible to apply changes
>>to the registry via Group Policy startup or logon scripts once you find
>>the registry changes that apply the desired setting. The script would
>>simply be a .bat file created with notepad using the regedit /s command
>>with the path to the .reg file which could be on a network share. Below is
>>an example of such a .reg file for a couple advanced security settings -
>>enabling that temporary internet files be deleted at IE closing and
>>enabling Windows integrated authentication and it would be a logon
>>script. --- Steve

Steven L Umbach

Oct 17, 2005, 12:05:43 PM
Either way will work and apply the same registry setting. Derek Melber has a
great article on the various ways to implement registry settings explaining
the advantages and disadvantages of each method at the link below and he
discusses a free program called PolicyMaker [with a link to it] for registry
extensions that simplifies enabling such. It does require a small client
component on domain computers that you want to push out the registry
settings to but since the client component is an .msi file that can easily
be distributed by Group Policy Software Installation. PolicyMaker is a
quality program and the free version is a small part of their overall Group
Policy management program. The second link is about the best I have come
across at explaining how to make your own basic custom .adm files.

To find a registry setting use a registry snapshot program to compare the
registry just before and just after you make a configuration change that you
want to implement. Regshot is free and basic but others may be easier to
use. You would mostly want to look at registry changes. Regshot will show
the key for the current logged on user but you want to use the HKEY_USERS
key instead. Also keep in mind that most of these type registry changes can
be undone by the user if he has access to the settings such as
IE -tools/internet options/advanced in your case so it would make sense to
disable their access to the configuration settings and even the registry. If
the user does change the configuration it will stay the way they configured
it until you make a change to the GPO, run gpupdate /force on their
computer, or configure Group Policy registry processing to apply settings
even if the Group Policy object has not changed as explained in the last
link below. --- Steve

http://www.windowsecurity.com/articles/Pushing-Out-Security-Settings-Configured-Registry.html
http://thelazyadmin.com/index.php?/archives/125-Creating-Custom-ADM-Templates.html
--- how to create basic custom .adm files
http://www.snapfiles.com/get/regshot.html --- Regshot
http://www.windowsecurity.com/articles/Enforcing-GPO-Security-Settings.html
--- force Group Policy registry processing with each GP refresh.

"Per Hagstrom" <p...@charter.NOSPAMnet> wrote in message

news:OUF8hEy...@tk2msftngp13.phx.gbl...


> The answer is in Greg Edmonds' thread: "Modify a setting in IE" in this
> same forum. (started 10/14/2005)
> Have to create a Custom Admin Template...
>
> / Per
>
>
> "Per Hagstrom" <p...@charter.NOSPAMnet> wrote in message
> news:u2YzK2M0...@TK2MSFTNGP14.phx.gbl...
>> Oh, so there is no place within IE Group Policy where you can enforce
>> "Integrated Windows Authentication"?
>>
>> Sounds like the reg hack would do it though... will give it a try...
>> thanks!
>>
>> / Per
>>
>>
>> "Steven L Umbach" <n9...@nospam-comcast.net> wrote in message
>> news:%23Bid1xV...@TK2MSFTNGP09.phx.gbl...
>>>I don't know of any templates offhand but it is possible to apply
>>>changes to the registry via Group Policy startup or logon scripts once
>>>you find the registry changes that apply the desired setting. The script
>>>would simply be a .bat file created with notepad using the regedit /s
>>>command with the path to the .reg file which could be on a network share.
>>>Below is an example of such a .reg file for a couple advanced security
>>>settings - enabling that temporary internet files be deleted at IE
>>>closing and enabling Windows integrated authentication and it would be a
>>>logon script. --- Steve
>>>
>>>
>>>
>>>
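
A drift check for the two values in the .reg file posted earlier in this thread, written as an added example (not code from any poster here); the function name Test-IESettingDrift is hypothetical. It reports whether the logged-on user's values still match the baseline and re-applies any that do not, which covers the case where a user changes a setting back between Group Policy refreshes.

```powershell
# Added example. Baseline values are the ones from the .reg file in this thread.
$Baseline = @(
    @{ Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name  = 'EnableNegotiate'   # Integrated Windows Authentication
       Value = 1 },
    @{ Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache'
       Name  = 'Persistent'        # 0 = empty Temporary Internet Files on close
       Value = 0 }
)

function Test-IESettingDrift {     # hypothetical helper name
    param([hashtable[]]$Settings)
    foreach ($s in $Settings) {
        # A missing key or value yields $null instead of a terminating error.
        $item   = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($s.Name) } else { $null }
        New-Object psobject -Property @{
            Path      = $s.Path
            Name      = $s.Name
            Expected  = $s.Value
            Actual    = $actual
            Compliant = ($null -ne $actual -and $actual -eq $s.Value)
        }
    }
}

$report = @(Test-IESettingDrift -Settings $Baseline)
$report | Format-Table Name, Expected, Actual, Compliant -AutoSize

# Re-apply only the values that drifted or were never set.
foreach ($d in ($report | Where-Object { -not $_.Compliant })) {
    if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
    Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Expected -Type DWord
    Write-Output ("Re-applied {0} = {1}" -f $d.Name, $d.Expected)
}
```

Run as a logon script it acts on the logged-on user's HKEY_CURRENT_USER hive, the same hive the .reg file targets.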
