- A Few Group Policy Questions
- Posted by Tom Baxter on April 17th, 2008
Hi everyone,
I have an XP Pro SP2 machine that will be shared by several family members
and I have a few questions about Group Policies. Active Directory is not
involved here.
In the Group Policy Editor (gpedit.msc) I want to turn off IE's prompt to
download ActiveX Controls. The setting for this is at:
User Configuration
Administrative Templates
Windows Components
Internet Explorer
Security Features
Restrict ActiveX Install
Internet Explorer Process = Enabled
After setting this policy I log off and then log back on but I am still able
to download an ActiveX component (Acrobate Reader, for example). It seems the
GP setting is not taking affect. Any ideas why?
A follow up question is this: My understanding is that, contrary to the
name, "User Configuration" policies apply to *all* users, not individual
users. So, setting the poilicy for one user account affects *all* accounts on
the machine. If this is true, why does the Group Policy editor have separate
sections for "User Configuration" and "System Configuration"?
Perhaps it *is* possible to specify separate policies for different
accounts. This is ultimately what I want to do. I have an idea on how to do
this (by copying .pol files and invoking gpupdate.exe) but the fact that
ActiveX installations cannot be turned off is stopping me dead in my tracks.
Thanks much.
--
Tom Baxter
- Posted by Doug Knox - [MS-MVP] on April 19th, 2008
Hi Tom,
I can't answer your question on the ActiveX issue, but........... Some
Group Policies are machine wide, and others are based on the user level.
Policies may be applied to the Standard User, but not to Power User and etc.
In a domain environment, its usually the Group membership that determines
how policies are applied. I've written a utility that allows application of
a number of Group Policy settings on a per-user basis, in a non-domain
enviroment.
Essentially, Group Policies are nothing more than Registry entries that say
what can be done on a particular computer, or by a user group, or a specific
user. They are enforced because Windows loads the Group Policy entries
before anything else, so these restrictions are applied before the user ever
gets to the Desktop.
--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart
Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.
"Tom Baxter" <tlbaxter99@newsgroup.nospam> wrote in message
news:983B6EBC-B3C1-4B3B-B5B4-A43A3E3DBE7F@microsoft.com...
- Group Policy (Security & Administration) by The Saint
- Domain Controller Security Policy / Group Policy Object HELP!!!! (Windows Server) by Adam
- Group Policy (Windows Server) by Sumner Paine
- Group Policy (Windows 2000) by Needs help
- Group Policy only applies to Administrator Group on Profile change (Windows 2000) by Michael Curry
