Un-Apply GPO
- Hi,
I have a GPO set that locks down a users IE settings, which I'd like to partially remove. Users need to be able modify their trusted sites and all other IE settings except for their homepage setting. Setting the "setting" to disabled doesn't seem to make any difference.
Computer Config\Admin Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to zone assignment list
Windows 2003 Domain
Windows Vista clients.
Respuestas
- My understanding is the following:
You have a GPO applied to several users which includes different IE restrictions. Now you want to revoke these settings. Only the "Homepage" setting shall be restricted or predefined for the users.
In this thread you find some hints about how to undo IE GPO settings if just removing the GPO does not do the job:
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/4caa4c91-5cce-49bd-8e92-db04fbdbfa07/
In your case, as you just want to keep one single setting of the orignal GPO, I would remove the complete GPO (e.g. by first unlinking it from the OU) and then reboot the clients.
To set the "Homepage" setting, create a new GPO or include the desired setting in another existing GPO (depending on the desired filtering).
Concering "Site to zone assignment list": if unlinking the GPO is not enough, check GPO settings here:
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
• Security Zones: Do not allow users to change policies prevents all users from changing the Security Zone settings established by an administrator. (HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit)
• Security Zones: Do not allow users to add/delete sites prevents all users from adding or removing sites from Security Zones. (HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit)
Is any of theses registry values set on your clients?
If yes, for a quick test set them to 0 or remove the values.
Later find the GPO which sets these settings (maybe local policy?)
Patrick- Marcado como respuestaJoson ZhouMSFT, Moderadorlunes, 13 de julio de 2009 3:27
Todas las respuestas
- My understanding is the following:
You have a GPO applied to several users which includes different IE restrictions. Now you want to revoke these settings. Only the "Homepage" setting shall be restricted or predefined for the users.
In this thread you find some hints about how to undo IE GPO settings if just removing the GPO does not do the job:
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/4caa4c91-5cce-49bd-8e92-db04fbdbfa07/
In your case, as you just want to keep one single setting of the orignal GPO, I would remove the complete GPO (e.g. by first unlinking it from the OU) and then reboot the clients.
To set the "Homepage" setting, create a new GPO or include the desired setting in another existing GPO (depending on the desired filtering).
Concering "Site to zone assignment list": if unlinking the GPO is not enough, check GPO settings here:
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
• Security Zones: Do not allow users to change policies prevents all users from changing the Security Zone settings established by an administrator. (HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit)
• Security Zones: Do not allow users to add/delete sites prevents all users from adding or removing sites from Security Zones. (HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit)
Is any of theses registry values set on your clients?
If yes, for a quick test set them to 0 or remove the values.
Later find the GPO which sets these settings (maybe local policy?)
Patrick- Marcado como respuestaJoson ZhouMSFT, Moderadorlunes, 13 de julio de 2009 3:27
Hi,
I'm wondering if the suggestion has helped. Please feel free to let us know if you have any further questions.
Thanks.- Deleting the GPO and creating a new one seems to have fixed the problem.
Thanks.
