A Few Group Policy Questions


Tom Baxter

Hi everyone,

I have an XP Pro SP2 machine that will be shared by several family members
and I have a few questions about Group Policies. Active Directory is not
involved here.

In the Group Policy Editor (gpedit.msc) I want to turn off IE's prompt to
download ActiveX Controls. The setting for this is at:

User Configuration
Administrative Templates
Windows Components
Internet Explorer
Security Features
Restrict ActiveX Install
Internet Explorer Process = Enabled

After setting this policy I log off and then log back on but I am still able
to download an ActiveX component (Acrobate Reader, for example). It seems the
GP setting is not taking affect. Any ideas why?

A follow up question is this: My understanding is that, contrary to the
name, "User Configuration" policies apply to *all* users, not individual
users. So, setting the poilicy for one user account affects *all* accounts on
the machine. If this is true, why does the Group Policy editor have separate
sections for "User Configuration" and "System Configuration"?

Perhaps it *is* possible to specify separate policies for different
accounts. This is ultimately what I want to do. I have an idea on how to do
this (by copying .pol files and invoking gpupdate.exe) but the fact that
ActiveX installations cannot be turned off is stopping me dead in my tracks.

Thanks much.

Doug Knox - [MS-MVP]

Hi Tom,

I can't answer your question on the ActiveX issue, but........... Some
Group Policies are machine wide, and others are based on the user level.
Policies may be applied to the Standard User, but not to Power User and etc.
In a domain environment, its usually the Group membership that determines
how policies are applied. I've written a utility that allows application of
a number of Group Policy settings on a per-user basis, in a non-domain

Essentially, Group Policies are nothing more than Registry entries that say
what can be done on a particular computer, or by a user group, or a specific
user. They are enforced because Windows loads the Group Policy entries
before anything else, so these restrictions are applied before the user ever
gets to the Desktop.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question