Managing security settings with Group Policy


  • I would like to ask your opinion about how the security settings of IE should be managed with Group Policy in an enterprise environment. Currently, I'm controlling them by setting different zones to different levels. Right now, my Intranet and Trusted Sites zones are set to the Low level, and Internet is Medium-High.

    The main idea of locking all level-related settings is to standardize the behaviour of IE for end users. Also, from my experience, if you don't control your IE settings and deploy IE as-is, lots of prompts and warnings will appear to the end user, and some business-related web portals won't work.

    Just want to ask your opinions: how do you do things in enterprise environments with IE?

    Friday, December 21, 2012 7:19 AM

All replies

  • Hi,

    I would accept the default settings and then use GPO to block user access to the Security tab of Internet Options so that users cannot change them... typically novice users will "try fixing things" by adjusting the IE security settings; since there are hundreds of security settings, this soon results in utter confusion. In the enterprise environment, the only settings that you may like to adjust from the defaults are those for User Authentication and ActiveX signing.

    You should however allow your development and administrative staff access to the Security tab so that they can debug, test or troubleshoot issues.

    A common issue is the security setting for navigation into a zone of lower integrity... viz. from the Trusted Sites zone to sites not mapped to any zone (which default to Internet)... which can result in blank pages or "Unable to open web page" errors. Commonly users will place their webmail provider (like google or bing) in their Trusted Sites list, but more and more sites are using "login from anywhere" and redirect to sub-domains to perform the user validation... e.g.

    google.com uses account.google.com to validate the user... placing just google.com in the Trusted Sites list means that the user validation sub-domain (account.google.com) is mapped to a zone of lower integrity (the Internet zone). A solution is to use wildcard domain notation, e.g. *.google.com, but my preferred solution is to NOT place webmail domains in the Trusted Sites list and let all google domains map to the Internet zone... the Trusted Sites zone actually has less security than the Internet zone.

    The default security zone levels and settings were compiled by MS from user telemetry and are designed to give the best surfing experience with security and protection... other browsers do not have the same security model as MSIE.

    Navigation to malware sites or malicious downloads is commonly protected against with SmartScreen filtering. Legacy methods such as the Hosts file and the Restricted Sites zone list can impact performance and are of little use if not maintained, given the volatile nature of suspicious sites. Legacy security programs such as Spybot S&D's TeaTimer, which add thousands of domains to the Restricted Sites list, should be turned off to increase performance, while the SmartScreen filter should be turned on and a reputable AV product installed.

    These are public forums, we do not work for nor represent MS.

    Friday, December 21, 2012 8:35 PM
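
    The zone-mapping problem described in the reply above (google.com trusted, but the login redirect lands on account.google.com in the Internet zone), as an added example that is not part of the original thread. It models a Site to Zone Assignment List in a hypothetical, constructed table and uses the simplified matching rule the reply describes: an exact hostname entry matches only that host, a `*.domain` entry matches the domain and its sub-domains; the zone numbers (1 Intranet, 2 Trusted, 3 Internet, 4 Restricted) are the ones the IE policy uses, but the matching logic is this model's assumption, not a reproduction of IE's own code.

```powershell
# Zone numbers as used by the IE "Site to Zone Assignment List" policy.
$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Constructed sample assignment list (hypothetical; not a real GPO export).
# Earlier entries win, so list specific patterns before broader ones.
$SiteToZone = [ordered]@{
    'intranet.corp.example' = 1
    'google.com'            = 2   # exact host only: does NOT cover account.google.com
    '*.contoso.example'     = 2   # wildcard: covers contoso.example and every sub-domain
}

function Get-EffectiveZone {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [System.Collections.IDictionary]$Map = $SiteToZone
    )
    foreach ($pattern in $Map.Keys) {
        if ($pattern.StartsWith('*.')) {
            $suffix = $pattern.Substring(2)
            if ($HostName -eq $suffix -or $HostName.EndsWith('.' + $suffix)) { return $Map[$pattern] }
        } elseif ($HostName -eq $pattern) {
            return $Map[$pattern]
        }
    }
    return 3   # unmapped hosts default to the Internet zone
}

function Test-ZoneNavigation {
    param([string]$FromHost, [string]$ToHost, [System.Collections.IDictionary]$Map = $SiteToZone)
    $from = Get-EffectiveZone $FromHost $Map
    $to   = Get-EffectiveZone $ToHost $Map
    # Lower zone number = higher trust; moving to a higher number is the
    # "navigation into a zone of lower integrity" case the reply describes.
    [pscustomobject]@{
        From        = "$FromHost ($($ZoneNames[$from]))"
        To          = "$ToHost ($($ZoneNames[$to]))"
        CrossesDown = ($to -gt $from)
    }
}

# Constructed redirect pairs: a webmail login that bounces to a sub-domain, a
# wildcard-covered site, and an intranet host linking to an unmapped one.
$pairs = @(
    @('google.com', 'account.google.com'),
    @('www.contoso.example', 'login.contoso.example'),
    @('intranet.corp.example', 'unknown.example')
)
$pairs | ForEach-Object { Test-ZoneNavigation -FromHost $_[0] -ToHost $_[1] } | Format-Table -AutoSize
```

Rows with CrossesDown = True are the redirects that the reply says produce blank pages or "Unable to open web page" errors; the contoso row shows the wildcard form keeping both hosts in the same zone.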
  • Thanks. I didn't understand every point you mentioned, because some of your text was confusing, but here are some comments:

    - It's a good idea to hide the Security tab, I have to think about that
    - Users won't be able to add any sites to the Trusted Sites list, since it's controlled with policy
    - My main concern is, should I control and lock down every setting (100 of them) with policy, setting them to the lowest level for the Trusted zone, to provide the best user experience? The Trusted Sites list will be highly controlled.

    Friday, December 21, 2012 10:36 PM
  • It seems like the Trusted Sites zone is more reliable to use to avoid security conflicts and issues, rather than the Local Intranet zone, whenever the zone profile is set to Low for both. I don't understand, but something makes the Trusted zone act more compatibly, though the settings are the same.

    Sunday, January 6, 2013 10:09 PM