How do I propagate IE Security settings from 1 user account, to all user accounts?
Hi.
On my pc I have several user accounts (user priviliedges only)in addition to a Administrator account.
I maintain a list of Restricited Sites, Blocked Cookies, Blocked Active X controls etc. (via Spybot Immunise, Spyware blaster, and some manual additions)
If I update the lists on the Administrator account, how do I get WinXP to automatically propagate those restrictions to all of the user accounts?
Also how can I lock the security settings page, so users can not lower security settings, or alter cookie handling, or active x controls etc?
I know this can be done, as most big businesses use this kind of approach, Ijust can't figure it out.
Many Thanks
Kind Regards
Chris
On my pc I have several user accounts (user priviliedges only)in addition to a Administrator account.
I maintain a list of Restricited Sites, Blocked Cookies, Blocked Active X controls etc. (via Spybot Immunise, Spyware blaster, and some manual additions)
If I update the lists on the Administrator account, how do I get WinXP to automatically propagate those restrictions to all of the user accounts?
Also how can I lock the security settings page, so users can not lower security settings, or alter cookie handling, or active x controls etc?
I know this can be done, as most big businesses use this kind of approach, Ijust can't figure it out.
Many Thanks
Kind Regards
Chris
0
Comments
This is what I have found so far.
If I add a site to the restricted site list in IE, it creates it in this registry key.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
This only adds it to the restricted site list for the user who is logged in at the time.
To add it globally, you have to manually add it to the registry - here!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
Note the difference is Current_User to LOCAL_MACHINE.
However this will not make ANY difference to each users restricted sites list, until you enable 'SECURITY ZONES:Use only machine settings' to 'ENABLED' you can do this through GPEDIT (I haven't discovered the registry key for this yet)
If you don't enable the above option then the Local Machine entries are ignored.
So using Spybot, and spyware blaster to maintain the restricted lists, only updates the current user, so to use those programs to maintain the lists for the other users on my PC, I have to do the following.
Make sure the Use only machine settings is enabled
Run Spybot/Spyware blaster
Open registry, export HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ to a text file.
edit the text file replacing HKEY_CURRENT_USER with HKEY_LOCAL_MACHINE
rename the text file so it ends in .reg. Then run it, and it'll add it to the registry.
a bit long winded but it seems to work. Now I need to figure out how to write a script or something to do that automatically. (I have no idea how to write scripts)
Also while trying to figure this out I looked at the Spyware-Shooter File, which also adds sites to the registricted list. This too adds the data to the same key (HKEY_CURRENT_USER) so this will not apply to other user accounts, unless run from those user accounts. so the same with this file needs to be done (except the file is already in txt format)
I have also discovered a conflict when using such programs to maintain these lists. When using domain names everything seems to work hunkydory, however also updated is the range key (IP ADDRESSES)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges
Now unlike the domains key where the subkeys are the names of the website.
The list of IPaddresses is different. Inside the ranges key, sub keys are numbered 1, 2, 3, 4, 5 etc. with the ip address stored as a value, not a key. therefore the ranges installed by spybot, work great until I install the Spyware Shooter file (or any other such file or program) as it will replace the Keys 1, 2, 3, 4, 5, 6, with its own ones storing different ip addresses.
I don't think this is a fault in the applications or the spyware shooters file, just a limitation of the os.
I have spent ALL day on this so far, and do not have anymore time to try and find a work around for this issue.
If anyone knows an easier way of spreading the restricted list through all users on the machine, then please let me know.
Also if anyone knows how to automate the above process (perhaps by way of script), then I'd really appreciate it .
Kind regards
Chris
(Now I have to decide whether to use spybot.spywareblaster or teh spyware-shooterf file to keep my lists upto date., and finally work out how to do the same as this with the privacy settings, all suggestions welcome