NT Compatible
How do I lock Internet Explorer Security Settings across users?
lammypie
Member


Posts: 36
Joined: 2001-05-31
Member No.: 5978
Icon 2005-02-28 11:34:22

Hi.

On my PC I have several user accounts (user privileges only) in addition to an Administrator account.

I maintain a list of Restricted Sites, Blocked Cookies, Blocked ActiveX controls etc. (via Spybot Immunise, Spyware Blaster, and some manual additions)

If I update the lists on the Administrator account, how do I get WinXP to automatically propagate those restrictions to all of the user accounts?

Also how can I lock the security settings page, so users can not lower security settings, or alter cookie handling, or active x controls etc?



I know this can be done, as most big businesses use this kind of approach, I just can't figure it out.

Many Thanks


Kind Regards

Chris

Post #158984
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
Icon 2005-02-28 12:36:42

Profiles, Group Policies, IE Reskit... take your pick!



(Registry hacks too, to selected areas of the registry for IE &/or even Desktop settings... I'll post those later, in a bit of hurry here!)

APK

Post #158990
theefool
Senior Member


Posts: 352
Joined: 2003-03-28
Member No.: 19223
Icon 2005-02-28 12:38:01

To lock the security tab, simply add the following dword in the registry.
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
Add reg_dword = SecurityTab dword = 1

For more info, see http://www.jsiinc.com/subk/tip5100/rh5165.htm

To automatically propagate these security settings, you might need to create a logon (login) script.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Also, this link is helpful. http://www.jsiinc.com/subk/tip5100/rh5130.htm

Post #158991
theefool
Senior Member


Posts: 352
Joined: 2003-03-28
Member No.: 19223
Icon 2005-02-28 12:39:54

Yes, group policy is a good thing to use. Though, be careful with the group policies... It can be a royal pain setting them up perfectly.

Post #158993
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
Icon 2005-02-28 12:56:17

Thanks for covering that for me Theefool! I am in a hurry & don't have time to dig it up here for details... owe ya one!



* Later... "Gotta go, GOTTA GO!"

APK

Post #158998
lammypie
Member


Posts: 36
Joined: 2001-05-31
Member No.: 5978
Icon 2005-03-01 07:25:11

thanks guys,

I'm very new to this aspect of winxp

The IEAK seems not to be good for other users on the same computer, I only have 1 computer running winXP not a network or domains or anything.

I've been looking at the GPedit.

In Administrative templates, win comp, Internet explorer "use only machine settings to enabled" which should keep a standard set of settings amongst all users, however if I change them on the administrator account they do not propagate to the other limited accounts.

I have set "security Zones: Do not allow users to change policy" to enabled, however that also locks the administrator account from making amendments!

Any more suggestions?


Thanks

Chris

Post #159063
theefool
Senior Member


Posts: 352
Joined: 2003-03-28
Member No.: 19223
Icon 2005-03-01 08:35:25

Let me think. It's been about 4 years since I last ran a multiple domain NT network.

I'd say, create a group, restrict that group within the GPedit. Assign your users to said group.

Propagation may take some doing. I'm sure there is an easier way to do this, but since I've been outta the loop, I'll tell you the hard way. After setting whatever permissions/restrictions that group has, create a logon script with checks, that updates the security zones and whatnot.

Hmmm, maybe this doesn't exactly answer your question. Hope it gives some ideas....

Post #159066
lammypie
Member


Posts: 36
Joined: 2001-05-31
Member No.: 5978
Icon 2005-03-01 08:53:39

I can create a group in user accounts, but I can't get GPedit to apply settings just to one group. Just to either all the users, or the whole machine.

Seeing as I am only running 1 machine (not connected to any network or domain, those two configurations have the same effect).

aarrgh

Post #159071
theefool
Senior Member


Posts: 352
Joined: 2003-03-28
Member No.: 19223
Icon 2005-03-01 10:37:30

Is this XP home or Pro....

You know, maybe you can't do this on pro, by itself. Might need server to establish this properly. I need to think more on this....

Post #159085
lammypie
Member


Posts: 36
Joined: 2001-05-31
Member No.: 5978
Icon 2005-03-01 10:40:50

Thanks Theefool. It's WinXP Pro.

Update
This is what I have found so far.

If I add a site to the restricted site list in IE, it creates it in this registry key.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

This only adds it to the restricted site list for the user who is logged in at the time.

To add it globally, you have to manually add it to the registry - here!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

Note the only difference in the key is CURRENT_USER to LOCAL_MACHINE.

However this will not make ANY difference to each user's restricted sites list, until you enable 'SECURITY ZONES: Use only machine settings' to 'ENABLED'. You can do this through GPEDIT (I haven't discovered the registry key for this yet).

If you don't enable the above option then the Local Machine entries are ignored, and it won't have any effect on the restricted lists.


So using Spybot, and spyware blaster to maintain the restricted lists, only updates the current user, so to use those programs to maintain the restricted site lists for the other users on my PC, (which is the whole point) I have to do the following.
Make sure the 'Use only machine settings' is 'enabled' in GPedit
Run Spybot/Spyware blaster
Open registry, export HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ to a text file.
edit the text file replacing HKEY_CURRENT_USER with HKEY_LOCAL_MACHINE
rename the text file so it ends in .reg. Then run it, and it'll add it to the registry.

a bit long winded but it seems to work. Now I need to figure out how to write a script or something to do that automatically. (I have no idea how to write scripts)


I have also discovered a conflict when using such programs to maintain these lists. When using domain names everything seems to work hunkydory, however also updated is the range key (IP ADDRESSES)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges

Now unlike the Domains key, where the subkeys are the names of the website, the list of IP addresses is different. Inside the Ranges key, subkeys are numbered 1, 2, 3, 4, 5 etc., with the IP address stored as a value, not a key. Therefore the ranges installed by one such utility work great, but are overwritten when another replaces the keys 1, 2, 3, 4, 5, 6 with its own ones storing different IP addresses.
This does not happen with the domains, as the domain or website name itself is the key name, so they don't get removed accidentally.

I think this is just a limitation of the os.

I have spent ALL day on this so far, and do not have anymore time to try and find a work around for this issue today.

If anyone knows an easier way of spreading the restricted list through all users on the machine, then please let me know.
Also if anyone knows how to automate the above process (perhaps by way of script), then I'd really appreciate it.


Kind regards

Chris

(Now I have to learn how to do the same, with the privacy settings - ALL SUGGESTIONS NEEDED AND MOST WELCOME)

Post #159086
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
Icon 2005-03-01 11:13:23

Originally posted by lammypie:
"If anyone knows an easier way of spreading the restricted list through all users on the machine, then please let me know."


Export whatever entries are made by it in the registry using regedit.exe FILE, EXPORT menus to punch the data from the registry (Exact HIVE FOLDER & VALUES ONLY) to a .reg file first!

Then, by using user LOGIN SCRIPTS to "merge" it into their registries using this commandline put into their roaming profile logon scripts:

regedit.exe /s YOUREXPORTEDREGFILERESTRICTEDSITES.REG



* Quick & dirty, should/might work! This assumes that any GUIDS (Globally Unique Identifiers, 128-bit mishmash strings you see in the registry for stuff like OLEServer registration entries & other stuff in there) that do NOT vary user-to-user/system-to-system are not involved!

(ALSO, assuming you have the right registry entries exported out correctly & totally for this to take in a reg file merge. This is VERY important on the GUIDS stuff I mention last paragraph for merges, & the .reg file data itself. Only put what is ABSOLUTELY necessary from registry hive folders/values/strings/DWORDs etc. in them ONLY!!! You should compare it on @ least 2 systems beforehand... )

APK

P.S.=> Sorry for quick reply, am in hurry once more today & eating lunch too, if anyone mentioned that before me? I am guilty of skimming & missing it... apk

Post #159088
Wilhelmus
Senior Member


Posts: 836
From: Finland / Suomi
Joined: 2004-12-21
Member No.: 51792
Icon 2005-03-01 11:24:13

One 'cleaner' /* */ method to export a specific registry key is:
"
regedit /e "z:\my_reg_file.reg" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"
"

This will export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ registry path to "z:\my_reg_file.reg".

<edit>
"
...
a bit long winded but it seems to work. Now I need to figure out how to write a script or something to do that automatically. (I have no idea how to write scripts)
...
"

You could try to use Windows Script Host (WSH), as it is built-in to Windows. You need to know something about visual basic, though...
</edit>

Post #159090
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
Icon 2005-03-01 13:22:56

Nice Wil!

That's a NEW one on me, & one I wasn't aware of & looks good!

A new "trick" on the /e commandline switch for regedit.exe is OK by me, period!



(Not a wasted day, if I can pickup a new trick! )

* My way WILL work, but like I said "quick & dirty" & "old-school" primitive method though, depending on how you look @ it.

STILL, THIS PART, EITHER METHOD? IS IMPORTANT:

When exporting registry values entries:

This assumes that any GUIDS (Globally Unique Identifiers, 128-bit mishmash strings you see in the registry for stuff like OLEServer registration entries & other stuff in there) do NOT vary user-to-user/system-to-system, for said entries, are not involved! HAVE TO BE SAME ON GUID, if this is about & has those in them.

(Assures uniform operations for involved user, program, or system entities)

ALSO -> Assuming you have the right registry entries exported out correctly & totally for this to take in a reg file merge (or Wil's method)?

This is VERY important on the GUIDS stuff I mention last paragraph for merges (or Wil's method), & the .reg file/exported data itself.

(Only put what is ABSOLUTELY necessary from registry hive folders/values/strings/DWORDs etc. in them ONLY!!! You should compare it on @ least 2 systems beforehand for GUIDS being same, data export area is same, etc. & all that from above )

APK

P.S.=> I like this one though... apk

Post #159100
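
The export, rewrite and merge steps lammypie describes, together with the Ranges overwrite problem, as an added example that is not code from any poster in the thread: it turns an HKEY_CURRENT_USER ZoneMap export into an HKEY_LOCAL_MACHINE .reg file and gives each new IP range a subkey number the machine key does not already use, so one tool's ranges do not replace another's. Assumptions not stated in the thread: Ranges subkeys are named Range<N> and hold the address in a ":Range" value, and the output uses the "Windows Registry Editor Version 5.00" header; the sample data is constructed.

```python
import re
from itertools import count

HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

def parse_reg(text):
    """Split .reg text into (key, [value lines]) sections; the header line is skipped."""
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif line and sections:
            sections[-1][1].append(line)
    return sections

def range_of(values):
    """Address held in a Ranges subkey's ":Range" value (assumed name), else None."""
    m = re.search(r'^":Range"="(.*)"$', "\n".join(values), re.M)
    return m.group(1) if m else None

def to_machine(user_export, machine_export=""):
    """Rewrite an HKCU ZoneMap export as an HKLM .reg file that adds, never overwrites."""
    machine = [(k, v) for k, v in parse_reg(machine_export) if range_of(v)]
    names = {k.rsplit("\\", 1)[1].lower() for k, _ in machine}  # subkeys in use
    addrs = {range_of(v) for _, v in machine}                   # ranges already listed
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, values in parse_reg(user_export):
        rest = key[len(HKCU):]
        if key[:len(HKCU)].lower() != HKCU.lower() or rest[:1] not in ("", "\\"):
            continue                      # copy ZoneMap data only, nothing else
        addr = range_of(values)
        if addr is not None:
            if addr in addrs:
                continue                  # already restricted machine-wide
            n = next(i for i in count(1) if f"range{i}" not in names)
            names.add(f"range{n}")
            addrs.add(addr)
            rest = rf"\Ranges\Range{n}"   # free subkey number under HKLM
        out += [f"[{HKLM}{rest}]", *values, ""]
    return "\r\n".join(out)

# Constructed sample exports (documentation addresses, not real list entries).
Z4 = '"*"=dword:00000004'
USER = "\n".join(["Windows Registry Editor Version 5.00", "",
    f"[{HKCU}\\Domains\\bad.example]", Z4,
    f"[{HKCU}\\Ranges\\Range1]", '":Range"="192.0.2.10"', Z4,
    f"[{HKCU}\\Ranges\\Range2]", '":Range"="198.51.100.7"', Z4])
MACHINE = "\n".join([f"[{HKLM}\\Ranges\\Range1]", '":Range"="203.0.113.5"', Z4,
    f"[{HKLM}\\Ranges\\Range2]", '":Range"="192.0.2.10"', Z4])
```

Files written by `regedit /e` with this header are UTF-16, so read and write them with `encoding="utf-16"` before merging the result with `regedit /s` from an administrator account. The merged HKEY_LOCAL_MACHINE entries only take effect with 'Use only machine settings' enabled, as noted in the thread.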
