none
Windows 2008 R2 DC GPO and IE 11 on Windows 7

    Question

  • Hi,

    I have Windows 2008 R2 DCs and Windows 7 Clients , initaly Clients had IE10 and i applied policy Enable the policy "Turn On Protected Mode" for Trusted Sites and that worked like Charm. Now We have IE11 on Win 7 Clients and i need to Disable that same policy or set to Not Configured but it seems policy is not effecting , How i can solve this issue.

    Note: I also tried from WIN8.1 machine with RSAT but it didn't work as well.

    Regards

    Usman Ghani


    Usman Ghani - MCITP Exchange 2010

    Friday, October 14, 2016 8:28 AM

Answers

All replies

  • you want to disable the policy or disable only for IE11.

    please clear the same.


    Best Regards, Sandeep Poonia

    Friday, October 14, 2016 10:15 AM
  • Hi 

    I want to disable the policy on all clients for that OU , and all Clients in that OU using IE11.

    Regards

    Usman Ghani


    Usman Ghani - MCITP Exchange 2010

    Friday, October 14, 2016 10:25 AM
  • Disabling Portions of a GPO

    Because these GPOs are used solely for user configuration, the computer portion of the GPO can be turned off. Doing so reduces the computer startup time, because the Computer GPOs do not have to be evaluated to determine if any policies exist. In this procedure, no computers are affected by these GPOs. Therefore, disabling a portion of the GPO has no immediate benefit. However, since these GPOs could later be linked to a different OU that may include computers, you may want to disable the computer side of these GPOs.

    To disable the Computer portion of a GPO

    1. Open the saved MMC console GPWalkthrough, and then double-click the Active Directory User and Computers node.

    2. Double-click the reskit.com domain.

    3. Right-click the Accounts OU, select Properties from the context menu, and click the Group Policy tab.

    4. In the Accounts Properties dialog box, click the Group Policy tab, right-click the Enforced User Policies GPO, and selectProperties.

    5. In the Enforced User Policies Properties dialog box, select the General tab, and then select the Disable computer configuration settings check box. In the Confirm Disable dialog box click Yes.

      Note that the General properties page includes two check boxes for disabling a portion of the GPO.

    6. Repeat steps 4 and 5 for the Default Users Policies GPO.

    Blocking Inheritance

    You can block inheritance so that one GPO does not inherit policy from another GPO in the hierarchy. After you block inheritance, only those settings in the Enforced User Policies affect the users in this OU. This is simpler than reversing each individual policy in a GPO scoped at this OU.

    To block inheritance of Group Policy for the Production OU

    1. Open the saved MMC console GPWalkthrough, and then double-click the Active Directory User and Computers node.

    2. Double-click the reskit.com domain, and then double-click the Accounts OU.

    3. Right-click the Production OU, select Properties from the context menu, and then click the Group Policy tab.

    4. Select the Block policy inheritance check box, and click OK.

    To verify that inherited settings are now blocked, you can logon as any user in the Production OU. Notice that the Web tab is present in the Display setting properties page. Also, note that the task manager is still disabled, as it was set to No Override in the parent OU.


    Best Regards, Sandeep Poonia

    Friday, October 14, 2016 10:51 AM
  • Hi 

    I want to disable the policy on all clients for that OU , and all Clients in that OU using IE11.

    Regards

    Usman Ghani


    Usman Ghani - MCITP Exchange 2010

    Hi

     Now We have IE11 on Win 7 Clients and i need to Disable that same policy>>

    Simply you should use wmi filtering :-)

    Check for wmi filtering ; http://woshub.com/group-policy-filtering-using-wmi-filters/

    GPO wmi filter for ie11 ; https://social.technet.microsoft.com/Forums/office/en-US/6623759d-f0d6-4cca-93ce-d56acb0ffa05/gpo-wmi-filter-for-ie11?forum=winserverGP         

    Note: this will be prevent gpo for IE 11(on OU) but not rollback the current setting on clients..                       


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur


    • Edited by Burak Uğur Friday, October 14, 2016 11:03 AM
    Friday, October 14, 2016 10:59 AM
  • Hi,

    I just want to disable one option in that GPO not the whole GPO. Like i said before that i want to disable only "Turn On Protected Mode" for Trusted Site Zone. but I don't want to touch or change other settings in that GPO.

    Regards

    Usman Ghani


    Usman Ghani - MCITP Exchange 2010

    Friday, October 14, 2016 1:39 PM
  • If you want to use a GPO to disable ENHANCED PROTECTED MODE (which is under TOOLS > INTERNET OPTIONS > ADVANCED > security section):

    1. Launch Group Policy Management Console and EDIT and existing policy or CREATE a new policy
    2. Expand: COMPUTER CONFIGURATION > POLICIES > ADMNISTRATIVE TEMPLATES > WINDOWS COMPONENTS > INTERNET EXPLORER > INTERNET CONTROL PANEL > ADVANCED PAGE
    3. Double click TURN ON ENHANCED PROTECTED MODE
    4. Select DISABLED

    Also remember that you need to GPUPDATE /FORCE as an Admin (or reboot) to have this COMPUTER policy take effect.


    Best Regards, Sandeep Poonia

    Saturday, October 15, 2016 4:14 AM
  • Hi Sandeep,

    I wish it will be simple as you say , i told you that i have tried this but its not working , because 2008 R2 GPO doesn't work for IE11.

    Regards

    Usman Ghani


    Usman Ghani - MCITP Exchange 2010

    Saturday, October 15, 2016 4:41 AM
  • Am 15.10.2016 um 06:41 schrieb Usman.Ghani:
    > I wish it will be simple as you say , i told you that i have tried
    > this but its not working , because 2008 R2 GPO doesn't work for
    > IE11.
     
    Bull**it. Just install IE11 on a 2008R2 machine where you edit the GPOs
    or import the IE11 inetres.admx/l into your central store to configure
    it. Or use a member machine, where IE11 is installed.
    There is not dependency on AdministrativeTemplates Settings and AD
    Version or GPEditor machine. Every Maschine Vista and UP can edit ALL
    existing ADMx (no matter what product/version) and can store them even
    on a 2003 AD.
     
    The only thing that is missing, is the GPP Internet settings for IE11,
    but thats only a restriction in the XML behind. Change Version "max" to
    99.0.0.0
     
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Saturday, October 15, 2016 9:52 AM
  • please have a look of below article.

    https://blogs.msdn.microsoft.com/askie/2015/10/12/how-to-configure-proxy-settings-for-ie10-and-ie11-as-iem-is-not-available/


    Best Regards, Sandeep Poonia

    Saturday, October 15, 2016 9:56 AM
  • Hi Usman,
    Regarding to disable Protected Mode, you could configure it via registry. As far as I know, there is a registry key named "2500" under path:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ Setting that value to 0 enables Protected Mode; a setting of 3 disables it. In this case, you could configure this registry item via GPP in a GPO to turn off Protected Mode. https://technet.microsoft.com/en-us/library/cc753092(v=ws.11).aspx
    Best regards,
    Wendy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, October 17, 2016 6:07 AM
    Moderator