In light of the recently discovered MSHTML vulnerability (and because it's a good idea in general), I want to disallow downloading of ActiveX components via group policy. However, it appears that my policy settings are ignored.

Here's my group policy setting:

[image: Group Policy Settings]

Then I refresh the group policy on my client PC (in a non-elevated shell, since this is a user policy):

C:\Users\{redacted}>gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Yet IE seems to ignore my new settings:

[image: IE settings]

I'm sure I'm overlooking something obvious. What is it?


Solution 1:

You disabled the policy setting. This means that the group policy setting is not applied.

What you need to do instead is to enable the policy setting and then configure the policy setting to disabled. In other words, instead of this:

[image: wrong]

you should do this:

[image: correct]

You can also see the difference in the summary view. This is wrong:

[image: wrong-summary]

And this is correct:

[image: correct-summary]


Unfortunately, the name of the setting (which needs to be enabled) and the name of the option inside the setting (which needs to be disabled) are exactly the same, which makes such an error easy to overlook. As @Swisstone mentioned in the comments, gpresult can help here. This is the output of gpresult /Z (/Z for super-verbose) in the "wrong" case:

GPO: Internet Explorer
    Folder Id: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001
    State:       disabled

And this in the correct case:

GPO: Internet Explorer
    Folder Id: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001
    Value:       3, 0, 0, 0
    State:       Enabled

The latter entry sets this registry value to dword:00000003, which is your intended result. Note that IE respects this setting now:

[image: IE]
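A quick way to confirm the result on the client without opening the IE dialog is to read the registry value the answer refers to (Zone 3, value name 1001) from the policy keys and the user's own preference key. This is an added example, not from the question or the answer; it assumes the standard Internet Settings URL-action value meanings (0 = Enable, 1 = Prompt, 3 = Disable) and the usual HKLM/HKCU Policies paths for Zone 3.

```powershell
# Added example: verify the effective "Download signed ActiveX controls" setting (Zone 3, value 1001)
# after gpupdate, instead of trusting the IE Internet Options dialog.
# Assumption: URL-action values mean 0 = Enable, 1 = Prompt, 3 = Disable.
$valueName = '1001'
$expected  = 3
$meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Policy keys take precedence over the user's preference key; all three are listed for comparison.
$paths = [ordered]@{
    'HKLM policy'     = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    'HKCU policy'     = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    'HKCU preference' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
}

function Get-ZoneSetting {
    param([string]$Label, [string]$Path)
    # Returns $null when the key or the value does not exist (e.g. policy "Not Configured"/"Disabled").
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Source = $Label; Value = $null; Meaning = 'not set' }
    }
    $v = [int]$item.$valueName
    $m = if ($meaning.ContainsKey($v)) { $meaning[$v] } else { 'unknown' }
    [pscustomobject]@{ Source = $Label; Value = $v; Meaning = $m }
}

$results = foreach ($entry in $paths.GetEnumerator()) {
    Get-ZoneSetting -Label $entry.Key -Path $entry.Value
}
$results | Format-Table -AutoSize

# The first policy key that carries a value is the one that will be enforced.
$policy = $results | Where-Object { $_.Source -like '*policy' -and $null -ne $_.Value } | Select-Object -First 1
if ($null -eq $policy) {
    Write-Warning "No policy value for $valueName found: the GPO setting is probably Not Configured or Disabled (not applied)."
} elseif ($policy.Value -ne $expected) {
    Write-Warning "Policy sets $valueName to $($policy.Value) ($($policy.Meaning)); expected $expected (Disable)."
} else {
    Write-Output "OK: $($policy.Source) enforces $valueName = $expected (Disable)."
}
```

Run it in the same non-elevated user session you ran gpupdate in, so the HKCU keys belong to the user the policy targets.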