Posts tagged ‘Internet Explorer’

How to remove imported Internet Explorer Group Policy Settings

If you have ever configured your Internet Explorer settings via the “Internet Explorer Maintenance” group policy setting, you might be wondering how to remove these settings now that you have found a few easier ways to do the same thing. Well, it's not all that obvious, but if you go to User Configuration > Policies > Windows Settings, you can right click on "Internet Explorer Maintenance" and click "Reset Browser Settings", and you are done…

image

How to use Group Policy to mitigate security issue KB981374

There is currently a security advisory out about a zero-day vulnerability in Internet Explorer 6 & 7 on Windows XP and Vista. While there is no patch out for this issue so far, you can mitigate it in a number of ways using Group Policy. Below I have listed two ways to implement the workarounds listed by Microsoft using Group Policy.

Method 1. Modify the Access Control List (ACL) on iepeers.dll

Step 1. Edit a Group Policy Object (GPO) that is targeted to the computer accounts you want to apply this setting to. Then navigate to Computer Configuration > Windows Settings > Security Settings > File System.

image

Step 2. Click on “Action” in the menu and then “Add File…”

image

Step 3. Type “%WINDIR%\System32\iepeers.DLL” into the Folder: field then click “OK”

image

Step 4. Click “Add” and then add the “Everyone” group and click “OK”

image

Step 5. Tick the Full Control “Deny” tick box. This will then tick all the Deny tick boxes.

image

Step 6.  Click “Yes” to the Deny warning.

image

Step 7. Click “OK” to the permissions option.

image

Note: If you want to apply this to x64 versions of Windows as well, repeat steps 2 through 7 but type “%WINDIR%\SYSWOW64\iepeers.DLL” in the Folder: field instead.

image

You have now denied permissions to the file that has the issue.

image

Once you have applied the patch to fix this vulnerability, be sure to go into each of the file security settings and remove the “Everyone” deny permission from the setting.
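To confirm the deny entry has actually landed on a machine (or, after patching, that it has been removed again), you can test whether the file can still be opened. The script below is an added example and not part of the original post; the function name is made up for illustration, and it uses an open-for-read test because a Deny Full Control entry for Everyone also blocks reading the file's permissions.

```powershell
# Added example, not from the original post: reports whether iepeers.dll
# can still be opened for reading by the account running the script.
# Run it from a 64-bit PowerShell on x64 Windows; in a 32-bit process the
# System32 path is silently redirected to SysWOW64.
$targets = @(
    "$env:WINDIR\System32\iepeers.dll"
    "$env:WINDIR\SysWOW64\iepeers.dll"   # only exists on x64 Windows
)

function Get-IepeersAccessState {        # hypothetical helper name
    param([string[]]$Path = $targets)
    foreach ($p in $Path) {
        try {
            $stream = [System.IO.File]::OpenRead($p)
            $stream.Close()
            $state = 'Readable'          # no effective deny on this file
        } catch [System.UnauthorizedAccessException] {
            $state = 'Denied'            # the deny entry is in effect
        } catch [System.IO.FileNotFoundException], [System.IO.DirectoryNotFoundException] {
            $state = 'NotPresent'        # e.g. SysWOW64 on 32-bit Windows
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Path     = $p
            State    = $state
        }
    }
}

Get-IepeersAccessState | Format-Table -AutoSize
```

While the workaround is in place every existing copy should report Denied; after the patch is installed and the deny permission is removed, any machine still reporting Denied has not picked up the change.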

Method 2: Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

 

Step 1. Edit a GPO that is targeted to the user accounts you want to apply the security setting to. Then enable the “Allow active scripting” setting under User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Page > Internet Zone and the Intranet Zone. Then configure the Options to either “Prompt” or “Disable”.

image 

Once you have performed the above configuration changes, be sure to add *.windowsupdate.microsoft.com, *.update.microsoft.com and any other site you require to run Active Scripting on to the trusted sites zone list. Instructions on how to do this can be found here: How to use Group Policy to configure Internet Explorer security zone sites

Disclaimer: I do not guarantee that this information will work. All the above information is to be used at your own risk.

For more details on the security vulnerability and other ways to mitigate this issue see Microsoft Security Advisory (981374)

Hotfix: “Configure new tab page default behavior” does not work

Microsoft have just released a hotfix (KB980959) to fix the problem with the “Configure new tab page default behavior” group policy setting not working for Internet Explorer 8. Apparently the Inetres.admx file had the wrong path configured: the path is configured to “Software\Policies\Microsoft\Internet Explorer\Main” where it should be configured to “Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabbedPageShow”. If you want to see the setting for yourself, just look for the text “NewTabAction” in the Inetres.admx file.

image

For details on getting the hotfix, see the full article “The “Configure new tab page default behavior” Group Policy setting does not work on a computer that is running Windows 7 or Windows Server 2008 R2 and that has Internet Explorer 8 installed” here: http://support.microsoft.com/?kbid=980959

Group Policy Setting of the Week 18 – Allow file download (Internet Explorer)

This week's setting is one that you would use if you are in an environment where you want a very high level of security (e.g. kiosk computers). The “Allow file download” option is used to prevent the downloading of files via Internet Explorer. This setting does not prevent the browser from downloading files such as images to display in the browser page, but it does prevent users from downloading files when they click on a file download link. This could also be useful if you want to help limit the attack vector of users being tricked into downloading and running malicious files on their computers from the internet, which could help mitigate some zero-day attacks.

Note: This does not prevent users from running Firefox or Chrome to get around this restriction (although they would have difficulty in downloading it) therefore you may also want to consider deploying AppLocker or Software Restriction Policies to prevent the running of those apps.

To enable this restriction you need to first “Enable” the policy and then set the Allow file downloads option to “Disable”. This setting can be found under Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone. This setting can also be configured on the other zones under the Security Page section, however the Internet Zone is what most web sites are classified as and therefore will have the largest effect.

image

When this policy is applied to a user and the user clicks on a hyperlink to a file to download they will then receive this dialogue box.

image

If you did enable this setting and you wanted to let users download files from particular web sites, you could add the site URL to the trusted sites zone list. I have previously blogged how to do this here: http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/
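To check what a user has actually ended up with for this setting, and for the “Allow active scripting” workaround from the KB981374 post above, you can read the per-zone policy values back from the registry. This is an added example and not part of the original posts; the registry path and the URL action numbers 1400 (active scripting) and 1803 (file download) are not stated on this page and are assumptions here, and the script only looks at the user-side policy.

```powershell
# Added example, not from the original posts. Assumed (not stated on the page):
# the policy registry path below and the URL action numbers 1400 / 1803.
$base = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 1 = 'Intranet Zone'; 3 = 'Internet zone' }
$dataNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# What the posts configure: action -> zones to check and acceptable values.
$expected = @(
    @{ Action = '1400'; Setting = 'Allow active scripting'; Zones = 1, 3; Ok = 1, 3 }
    @{ Action = '1803'; Setting = 'Allow file downloads';   Zones = @(3); Ok = @(3) }
)

function Get-ZonePolicyState {           # hypothetical helper name
    foreach ($e in $expected) {
        foreach ($z in $e.Zones) {
            $key = Join-Path $base "$z"
            $raw = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
                $raw = $props.($e.Action)
            }
            $label = 'Not configured'
            if ($null -ne $raw) {
                $label = $dataNames[[int]$raw]
                if (-not $label) { $label = "Other ($raw)" }
            }
            [pscustomobject]@{
                Setting   = $e.Setting
                Zone      = $zoneNames[$z]
                Value     = $label
                Compliant = ($null -ne $raw) -and ($e.Ok -contains [int]$raw)
            }
        }
    }
}

Get-ZonePolicyState | Format-Table -AutoSize
```

Run it in the user's session after a policy refresh; a row showing “Not configured” means the GPO has not reached that user.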

P.S. Sorry I am a day late with this one… have been a bit busy lately. But don’t worry, I will make sure that I always have time to do a setting of the week post each week.

Best Practice: How to use Group Policy to configure Internet Explorer security zone sites

As you know, Group Policy Preferences are these fantastic new settings that allow IT administrators to perform any configuration they want on a users group using Group Policy… well, almost. In this tutorial I will show you how to configure one of the few settings that are not controlled by preferences but can be configured using a native Group Policy.



The Internet Explorer site zone assignment is one of the few settings you specifically can’t configure using preferences; as you can see (image below), the user interface for this option has been disabled.

image

The native Group Policy setting that allows you to control the Internet Explorer site zone list is called “Site to Zone Assignment List”, and I will go through how to use it below.

Step 1. Edit the Group Policy Object that is targeted to the users you wish this setting to be applied to.

Step 2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and double click on the “Site to Zone Assignment List” and check the “Enable” option then click on the “Show..” button.

image

Step 3. Now type the URL in the “Value name” field in the row marked with >* on the far left, and then type the zone number (see table below) you want to assign to it.

image



Internet Explorer Group Policy Zone Number Mapping

Zone Number Zone Name
1 Intranet Zone
2 Trusted Sites zone
3 Internet zone
4 Restricted Sites zone

As soon as you start typing the URL a new line will appear for the next URL.

image

Step 4. Once you have finished adding the URLs and site zone numbers, click OK.

image

Tip: If you want to delete a row click on the button on the far left to select the row you want to delete (see image below) and then press the “Delete” key.

image

(sites in above list are example only)

The Internet Explorer site zone list will now be populated with the zones you configured above, and as you can see in the images below, the Internet Explorer status bar now shows the correct zone based on the URL in the address bar.

image

image

image

image
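To review the resulting list without opening Internet Explorer, you can read the assignments back from the registry and translate the zone numbers using the table above. This is an added example and not part of the original post; the ZoneMapKey registry path and the function names are assumptions that do not appear on this page. It also checks that the two update sites named in the KB981374 post are in the Trusted Sites zone.

```powershell
# Added example, not from the original post. The ZoneMapKey path is an
# assumption (not stated on the page); function names are hypothetical.
$zoneMapKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$zoneNames = @{ 1 = 'Intranet Zone'; 2 = 'Trusted Sites zone'
                3 = 'Internet zone'; 4 = 'Restricted Sites zone' }
# Sites the KB981374 post says to add to the trusted sites zone list.
$required = '*.windowsupdate.microsoft.com', '*.update.microsoft.com'

function Get-SiteToZoneAssignment {
    param([string]$Key = $zoneMapKey)
    if (-not (Test-Path $Key)) { return }            # policy not applied
    $item = Get-Item -Path $Key
    foreach ($name in $item.GetValueNames()) {
        $data = "$($item.GetValue($name))".Trim()
        $zone = 0
        $valid = [int]::TryParse($data, [ref]$zone) -and $zoneNames.ContainsKey($zone)
        $zoneName = 'INVALID zone number'            # typo in the policy list
        if ($valid) { $zoneName = $zoneNames[$zone] }
        [pscustomobject]@{ Site = $name; ZoneNumber = $data; ZoneName = $zoneName }
    }
}

function Get-MissingTrustedSite {
    param($Assignments)
    # Compare without the scheme so "https://*.update.microsoft.com" also matches.
    $trusted = $Assignments | Where-Object { $_.ZoneNumber -eq '2' } |
        ForEach-Object { $_.Site -replace '^[a-z]+://', '' }
    $required | Where-Object { $trusted -notcontains $_ }
}

$assignments = @(Get-SiteToZoneAssignment)
$assignments | Sort-Object ZoneNumber, Site | Format-Table -AutoSize
Get-MissingTrustedSite $assignments |
    ForEach-Object { Write-Warning "Not in Trusted Sites zone: $_" }
```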