How do I set default internet zone level with Group policy?
I have been trying for a while to get this done with no success. It looks like my group policy settings are being applied when I run the group policy results wizard.
Here is what I am doing to set the internet zone to medium.
1.Group policy management editor > user configuration > policies > administrative templates > windows components > internet explorer > internet control panel > security page
I log into my xennapp desktop open IE and I see:
I run the result wizard and I see:
It looks to me like it should be working but it is not. Would someone mind working with me to help me find out what I am missing? Something to note is that the computer that is being managed is server 2008 and the computer that has the group policy settings (domain controller) is server 2003. I know that we need to switch from 2003 but that is a project that is on our plate for next year.
Solution 1:
donL,
So I was curious enough about this one to research it out. I don't have a 2003 server environment to test on, so it was up to "Google Fu" to check into this.
Turns out it is a "bug" in the GUI. The policy you applied did work correctly, it just doesn't show up correctly in IE's GUI on the client. Stupid, yes...but true.
Here's an example accepted answer over on EE that mirrors this:
If you see "Some settings are managed by your system administrator" then it was applied successfully and is on Medium. You can verify this by clicking custom level and looking at each security option, they will coincide with what they should be for "Medium".
You can disregard what it says on "Security level for this zone"...it's not accurate.
For example, if you set it to low, it will still still say medium/high or high but if you click on custom level you will see "download unsigned activex controls" is enabled.....which is a option that is enabled on low and disabled on high. - Jake77444 @ EE
And this blog also confirms it:
IE GPO Zone Templates and the “Open File – Security Warning”
In Conclusion
- Security templates are not visually reflected in the security page of Internet Explorer even though they are applied.
- Security zone settings are applied to Internet Explorer by doing a gpupdate but a log off/on is required to apply these settings to the rest of the OS
- The “Launching applications and unsafe files” setting determines whether the “Open File – Security Warning” dialog is displayed when launching applications from a given location
- The “Launching applications and unsafe files” cannot be set with a an indvidual GPO setting. (You could create a custom adm file though)
- When setting zone security via GPO I recommend making the Internet Explorer security page invisible to users to avoid confusion as they can still quite happily adjust the security level slider, it just won’t have any effect!
Hope that helps! It was news to me!