Help Overriding Group Policy IE Settings

Kael_Sidhe

My company has recently adopted a "one size fits all" group policy
regarding IE settings. I, however, belong to a very small group of
DBAs and Unix Admins who use our own proxy server. At least, that's
the way it USED to work.

Two weeks ago the group policy was implemented with refreshes scheduled
every 10 mins. I've taken the issue through the appropriate channels
but we've been told we're on our own. We are free to do whatever we
want but THEY are not going to administer a separate group policy for
us. Teamwork at its best.

So every 10 mins our proxy settings get reset and we have to manually
set them back. Also it seems to be resetting the warning message that
IE gives the first time you send unencrypted data through a form.
(like a google search) So even though I click the box that says never
show this message again, it keeps popping up.

Now, I'm a DBA so I don't really know anything about this stuff. Can
someone suggest a way to lock down the particular registry keys that
are being reset or otherwise block the group policy refreshes from
taking place?

And yes I do use Firefox occasionally but it seems to give me problems
on certain internal sites so I would rather use IE than have to switch
back and forth between them.

Thanks in advance for whatever help you can provide!
 
Mark Renoden [MSFT]

Hi

My suggestion would be to request that you and your machine be moved to an
OU that is not subject to the GPO. Once this is done, you'll be free to do
as you like and they won't have to implement further administration.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Kael_Sidhe

We have been told we can do whatever we want but they will not make any
administrative changes to support us. They are simply not interested
in "making it work" for us. It is only because we are all "I.S." that
we are allowed to do what we want on the client side.
 
Andrew Mitchell

(e-mail address removed) said:
> We have been told we can do whatever we want but they will not make any
> administrative changes to support us. They are simply not interested
> in "making it work" for us. It is only because we are all "I.S." that
> we are allowed to do what we want on the client side.

You can set your settings to what you want them to be, then quickly run
regedit (before the next refresh) and export the settings you want to a .reg
file.
Then set a scheduled task to run every 30 seconds that calls regedit /s with
your reg file as an argument to import the settings back in again.
 
Kael_Sidhe

Hmm, that might just do the trick. Is there any way to actually deny
access to the affected registry values? I've done that before but that
was denying user SYSTEM from making certain changes as executed from
the WINLOGON process. It worked great but I'm not sure how to
accomplish the same thing here. Winlogon was executing as user SYSTEM
and I suspect that is not the case here. Also I found the registry key
and there is a bunch of other stuff in that branch. Even if it is
possible to deny access to the process or service that is making the
change, I don't know what would happen if I locked down that entire
branch.

Thanks again!
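
Added example, not part of the thread: before re-importing or locking down anything in that branch, it helps to know exactly which values a policy refresh changes. This Python sketch diffs two regedit exports, one taken before a refresh and one after; the sample exports and host names are constructed.

```python
import re

# Constructed sample exports (not from the thread). Real regedit exports are
# UTF-16: read them with open(path, encoding="utf-16").read().
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="proxy.dba.example:3128"
"ProxyOverride"="<local>"
"User Agent"="Mozilla/4.0 (compatible; MSIE 6.0)"
'''
AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="proxy.corp.example:8080"
"AutoConfigURL"="http://wpad.corp.example/proxy.pac"
"User Agent"="Mozilla/4.0 (compatible; MSIE 6.0)"
'''

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Return {(key_path, value_name): raw_data} for every value in a .reg export."""
    values, key = {}, None
    # Long hex values wrap with a trailing backslash; join them onto one line.
    text = re.sub(r"\\\r?\n\s*", "", text)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # start of a new key section
            continue
        m = VALUE_LINE.match(line)
        if m and key:                             # header, comments, blanks fall through
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            values[(key, name)] = m.group(2)
    return values

def changed_values(before, after):
    """Map each value that differs to (old, new); None means absent on that side."""
    b, a = parse_reg(before), parse_reg(after)
    return {k: (b.get(k), a.get(k)) for k in sorted(set(b) | set(a)) if b.get(k) != a.get(k)}

if __name__ == "__main__":
    for (key, name), (old, new) in changed_values(BEFORE, AFTER).items():
        print(f"{name}: {old} -> {new}")
```

Values that are identical in both exports (here `ProxyEnable` and `User Agent`) are left out, which narrows the "bunch of other stuff in that branch" to the entries the refresh actually touches.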
 
Andrew Mitchell

(e-mail address removed) said:
> Hmm, that might just do the trick. Is there any way to actually deny
> access to the affected registry values? I've done that before but that
> was denying user SYSTEM from making certain changes as executed from
> the WINLOGON process. It worked great but I'm not sure how to
> accomplish the same thing here. Winlogon was executing as user SYSTEM
> and I suspect that is not the case here. Also I found the registry key
> and there is a bunch of other stuff in that branch. Even if it is
> possible to deny access to the process or service that is making the
> change, I don't know what would happen if I locked down that entire
> branch.

The other way you could do it is to write a small DLL that loads at startup
and hooks all calls to the registry APIs. If the parameters indicate the
calls are making changes to proxy settings return 0 and drop the call. Any
other calls can be passed to windows as normal.
 