How do you apply proxy settings per computer instead of per user?
So far, I've used a user group policy object utilizing Internet Explorer maintenance to set a proxy for the user in IE. We have now deployed the Enterprise Client (EC) starter group policy to our domain and this policy affects this behavior.
The EC group policy uses the policy Make proxy settings per-machine (rather than per-user). This policy describes itself as:
This policy is intended to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user.
Great! This seems to be an improvement over my previous setup.
If you enable this policy, users cannot set user-specific proxy settings. They must use the zones created for all users of the computer.
What zones and where do I configure the proxy settings for them?
I assumed the policy would simply take the user settings and apply them, but that's not what's happening. Now no proxy server is set at all. So my previous settings obviously no longer have any effect.
So far, I've only come up with solutions that involved direct manipulation of the Windows registry. Which is fine, I guess, but the way the proxy is configured for users makes it appear as if there could be a higher level approach.
Solution 1:
I think what that means is the Internet Explorer zones, and how the proxy bypass settings apply to the local intranet zone. This article explains it in more detail than should be gone into here, but essentially every website is classified into a zone so that the various security settings can be adjusted. By default the proxy bypass list is automatically included in the Local Intranet zone.
EDIT: To answer your question directly - Drawing from the information above, you cannot and do not need to configure proxy settings per-zone. However, your users might choose to exclude a URI from being proxyed, hence adding it to the Local Intranet zone.
For the proxy configuration, I seem to remember having quite a bit of success with the IE Maintenance feature in Group Policy, which incidentally has now been superseded in 2012 by GPP. Unfortunately because of that I can't share my own how-to because I haven't got the relevant server edition in my test environment. Below are a couple of solutions (of which you may already be aware), it's up to you to decide which is most suitable to your organisation:
- The Internet Explorer Maintenance Extension: Microsoft advise against using this if you want to enforce the proxy settings, but I'm sure I've had trouble using the alternative. Also this is only applied on a user level.
- Internet Explorer Administration Kit 8/9: Maybe a bit overkill just for configuring a proxy, but worth knowing about.
Unfortunately, I don't think there is a way to set proxy on a computer level using Group Policy. However, as you say in your own answer restricting changes to that section of the control panel is the usual practise to stop changed to proxy. Perhaps, better still, you could use an auto-configuration script.
Solution 2:
To set a global proxy via group policy:
Click Start – All programs – Administrative Tools – Group Policy Management.
Create or Edit Group Policy Objects.
Expand User configuration – Policies – Windows Settings – Internet Explorer Maintenance – Connection.
In right Pane Proxy Settings.
To prevent users from changing their proxy settings:
Click Start – All programs – Administrative Tools – Group Policy Management.
Create or Edit Group Policy Objects.
Expand Computer Configuration – Administrative Templates – Windows Components - Internet Explorer – Internet Control Panel
In right Pane Disable the Connections page (Enabled)
Info from: social.technet.microsoft.com