none
Batch file for IE settings RRS feed

  • Question

  • Hi everybody,

    I want to make some changes to IE settings of many PCs to be able to open a tool which willl be used by all users using the systems..
    Since same settings are to be applied to different systems. I want to create a batch file for it .


    Settings are :

    1.Go to internet Options-- security--sites--trusted sites and and the site https://abc.com under it
    2.Set security level for this zone as Low
    3.Check enable protected mode
    4.Go to internet options--settings--privacy and uncheck Turn on Pop-up blocker
    5.Go to tools--compatibility view settings and the site https://abc.com under it . Check option - display intranet sites
    in compatibility view

    I did some research on net and found that all these settings are done by changing entries in registery.
    The site http://support.microsoft.com/kb/182569 gave lot of info on what various codes mean . But since I am new to creating
    batch files , it does not help me in writing commands. Little more research showed me that my commands would be something like
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /.....................
    However I cannot use trial and error as any unwanted change to registery may cause damage to my systems .
    It would really be very helpful if anyone can help me with his/her expertise in batch files and reg files.
    My target will be for IE8/9/10/11 preview . I am assuming the commands would be same for these versions which are comparitively new.

    Thanks,
    Mani


    manISRT

    Saturday, March 1, 2014 10:12 AM

Answers

  • Hi,

    Internet Options>Security tab, click "Reset all zones to default"...

    file>Properties to find out which zone your site maps to....

    instead of changing the security zone settings for a site that maps to a particular zone...

    Use the Slider control on the Security tab of Internet Options to change the 'level' of security of the zone that your site maps to, rather than the security zone that your site maps to.

    After you have finished testing your site, click the reset button to set YOUR security settings back to their factory (or company) defaults.

    Publicly accessible websites should target the Internet zone security settings... https protocols work just as well in the Internet zone...the Trusted sites zone actually has slacker security requirements (that's why user should only place 'Trusted' sites there).

    If your site requires users to place the domain in the trusted zone, place specific instructions on your site for your MSIE visitors.

    In testing web sites... the assumption is that visitors will 'always' be using the factory default settings for security zones.... quite often users will tweak the security zone settings in the hope of 'getting' things to work...this breaks other sites mapping to the same zone and may put the computer at risk.

    Post questions about website development (html, css and scripting) to the IE Web development forum. Include with your question a link to your website or mashup.

    this forum is for questions about IEAK and GPO administration of windows computers and IE on domain networks.


    Rob^_^

    Sunday, March 2, 2014 4:53 AM
  • Hi,

    this is a very broad topic, with quite a few scenarios, and potentially lots of complexity.

    Here are some thoughts I have written down for you to consider:

    Firstly, you really need to understand the basics of IE Zones, and how it is that addresses are categorised into each zone.
    There are default settings for each zone, and these are initially defined by MS, but you, or the user can, and may, have changed which zone is active, in which situation.
    E.g., if you are dealing with pc's in your organisation and under your control, vs pc's not in your organisation and/or not under your control.
    For pc's which are in your organisation, are they used only inside your office network, or are they also used outside your office network?
    Are the pc's under your control managed by Active Directory (are they members of your organisation's AD Domain?
    Does your office network use a network firewall or proxy, and the pc's inside gain access to the internet by "traversing" this proxy?
    Is the website you mention, "inside" your organisation's network, or, "outside" your organisation's network?
    If outside, how do your organisation's pc's currently become configured for internet access?
    Do they have configurations applied to the pc's, such as proxy settings? If so, does this use Proxy Auto Configuration (PAC) or INS, such as wpad.dat or proxy.pac?

    Note that if you adjust site-to-zone settings, and/or settings for a particular zone, other websites which are categorised into that zone will also attract the adjusted settings, so you need to ensure that any changes you make, are suitable for those other websites too.

    Is the website address part of your organisation's domain name, or a domain name that you already have particular settings for?
    Is the website/address and the content upon it controlled by your organisation?


    For compatibility view, depending upon the IE browser version, there are different methods available, you may not need to adjust the browser settings if the webpages are suitably constructed:
    Does the website specify <!DOCTYPE  ?
    Does the website supply X-UA-Compatible metatag?


    You can deliver most settings for IE in a few different ways:
    - AD GPO (you can use Group Policy Admin Templates, or, Group Policy Preferences)
    - IEAK (you can deploy a settings package with or without deploying a version of the browser)
    - registry settings (which you can deploy using scripts or batch files)
    - get the user to manually apply the settings via the user interface

    Note that some settings may need to be applied per-user (HKCU) and some settings are per-machine (HKLM).
    If you have a multi-user or hotdesk scenario (where more than a single user, uses the same machine), this might require you to re-apply the settings for each and every user.


    E.g.:
    Your organisation is wanting to use a hosted web application, accessed from inside your organisation, but it is hosted outside your ogranisation.
    The address is http://contoso.websales.hosterxyz.com
    You examine your existing pc configurations and determine that the IE Trusted Sites zone is not currently in use by any standard configurations.
    The hosted web application requires IE Protected Mode to be disabled (because of some special functions/features).
    You examine the default settings of the IE Trusted Sites zone, and observe that the Trusted Sites zone already has Protected Mode disabled.
    You decide to categorise the website "http://contoso.websales.hosterxyz.com" as a Trusted Site.
    On a test pc, you manually add the website "http://contoso.websales.hosterxyz.com" to Trusted Sites, and test the web application is operating correctly.
    You then create an AD GPO, which adds this website address into the Trusted Sites zone, and link/apply/deploy this GPO within your AD.
    Your organisations computers automatically read, process and apply this GPO, and all computers are now configured for this website as a Trusted Site.
    Note that if you use the "classic" GPO methods (Admin Templates), users can no longer manually adjust websites in or out of the Trusted Sites zone, because when "classic" GPO is deployed, it removes the ability for users to adjust these settings manually.
    This may be suitable for your organisation, or, unsuitable - it depends upon the degree of "freedom" you wish/need to allow.
    Alternately, you could use IEAK or GP Preferences, to deploy the Trusted Sites settings - these two methods allow the end-user to manually adjust if they choose. This means the end-user can remove the settings you deployed.
    Again, this may (or not) suit your scenario.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    • Edited by DonPick Sunday, March 2, 2014 6:03 AM
    • Marked as answer by 暁北Moderator Monday, March 17, 2014 1:20 AM
    Sunday, March 2, 2014 6:02 AM

All replies

  • Hi,

    Internet Options>Security tab, click "Reset all zones to default"...

    file>Properties to find out which zone your site maps to....

    instead of changing the security zone settings for a site that maps to a particular zone...

    Use the Slider control on the Security tab of Internet Options to change the 'level' of security of the zone that your site maps to, rather than the security zone that your site maps to.

    After you have finished testing your site, click the reset button to set YOUR security settings back to their factory (or company) defaults.

    Publicly accessible websites should target the Internet zone security settings... https protocols work just as well in the Internet zone...the Trusted sites zone actually has slacker security requirements (that's why user should only place 'Trusted' sites there).

    If your site requires users to place the domain in the trusted zone, place specific instructions on your site for your MSIE visitors.

    In testing web sites... the assumption is that visitors will 'always' be using the factory default settings for security zones.... quite often users will tweak the security zone settings in the hope of 'getting' things to work...this breaks other sites mapping to the same zone and may put the computer at risk.

    Post questions about website development (html, css and scripting) to the IE Web development forum. Include with your question a link to your website or mashup.

    this forum is for questions about IEAK and GPO administration of windows computers and IE on domain networks.


    Rob^_^

    Sunday, March 2, 2014 4:53 AM
  • Hi,

    this is a very broad topic, with quite a few scenarios, and potentially lots of complexity.

    Here are some thoughts I have written down for you to consider:

    Firstly, you really need to understand the basics of IE Zones, and how it is that addresses are categorised into each zone.
    There are default settings for each zone, and these are initially defined by MS, but you, or the user can, and may, have changed which zone is active, in which situation.
    E.g., if you are dealing with pc's in your organisation and under your control, vs pc's not in your organisation and/or not under your control.
    For pc's which are in your organisation, are they used only inside your office network, or are they also used outside your office network?
    Are the pc's under your control managed by Active Directory (are they members of your organisation's AD Domain?
    Does your office network use a network firewall or proxy, and the pc's inside gain access to the internet by "traversing" this proxy?
    Is the website you mention, "inside" your organisation's network, or, "outside" your organisation's network?
    If outside, how do your organisation's pc's currently become configured for internet access?
    Do they have configurations applied to the pc's, such as proxy settings? If so, does this use Proxy Auto Configuration (PAC) or INS, such as wpad.dat or proxy.pac?

    Note that if you adjust site-to-zone settings, and/or settings for a particular zone, other websites which are categorised into that zone will also attract the adjusted settings, so you need to ensure that any changes you make, are suitable for those other websites too.

    Is the website address part of your organisation's domain name, or a domain name that you already have particular settings for?
    Is the website/address and the content upon it controlled by your organisation?


    For compatibility view, depending upon the IE browser version, there are different methods available, you may not need to adjust the browser settings if the webpages are suitably constructed:
    Does the website specify <!DOCTYPE  ?
    Does the website supply X-UA-Compatible metatag?


    You can deliver most settings for IE in a few different ways:
    - AD GPO (you can use Group Policy Admin Templates, or, Group Policy Preferences)
    - IEAK (you can deploy a settings package with or without deploying a version of the browser)
    - registry settings (which you can deploy using scripts or batch files)
    - get the user to manually apply the settings via the user interface

    Note that some settings may need to be applied per-user (HKCU) and some settings are per-machine (HKLM).
    If you have a multi-user or hotdesk scenario (where more than a single user, uses the same machine), this might require you to re-apply the settings for each and every user.


    E.g.:
    Your organisation is wanting to use a hosted web application, accessed from inside your organisation, but it is hosted outside your ogranisation.
    The address is http://contoso.websales.hosterxyz.com
    You examine your existing pc configurations and determine that the IE Trusted Sites zone is not currently in use by any standard configurations.
    The hosted web application requires IE Protected Mode to be disabled (because of some special functions/features).
    You examine the default settings of the IE Trusted Sites zone, and observe that the Trusted Sites zone already has Protected Mode disabled.
    You decide to categorise the website "http://contoso.websales.hosterxyz.com" as a Trusted Site.
    On a test pc, you manually add the website "http://contoso.websales.hosterxyz.com" to Trusted Sites, and test the web application is operating correctly.
    You then create an AD GPO, which adds this website address into the Trusted Sites zone, and link/apply/deploy this GPO within your AD.
    Your organisations computers automatically read, process and apply this GPO, and all computers are now configured for this website as a Trusted Site.
    Note that if you use the "classic" GPO methods (Admin Templates), users can no longer manually adjust websites in or out of the Trusted Sites zone, because when "classic" GPO is deployed, it removes the ability for users to adjust these settings manually.
    This may be suitable for your organisation, or, unsuitable - it depends upon the degree of "freedom" you wish/need to allow.
    Alternately, you could use IEAK or GP Preferences, to deploy the Trusted Sites settings - these two methods allow the end-user to manually adjust if they choose. This means the end-user can remove the settings you deployed.
    Again, this may (or not) suit your scenario.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    • Edited by DonPick Sunday, March 2, 2014 6:03 AM
    • Marked as answer by 暁北Moderator Monday, March 17, 2014 1:20 AM
    Sunday, March 2, 2014 6:02 AM
  • Thanks for giving inputs . I have asked the qstn in IE web development forum as suggested .

    Thanks.


    manISRT

    Sunday, March 2, 2014 9:15 AM