Friday, August 29, 2008

Internet Explorer 7 "Fix My Settings" Domain Group Policy

As part of Internet Explorer 7's security, users are prompted to "Fix My Settings" if the application checks the security settings and sees that they are not the "default" from Microsoft. The prompt is a flashing "Information Bar" when the browser is first opened, and the user is asked if they would like to "Fix My Settings". I needed a way to get rid of this for a specific group of computers, and any user that logs into the computer.

When Internet Explorer 7 is installed on a computer, an administration template is created in the local computer policy (User Configuration->Administrative Templates->Windows Components->Internet Explorer) that adds some new configuration options. One of those options is "Turn off the security settings check feature". Currently, this is not available as a domain policy. To accomplish this I copied the default Internet Explorer 7 administrative template (named inetres.adm), edited it to be the way I wanted, changed the class from USER to COMPUTER so it would apply to the computer instead of the a specific user account, saved it with a different name (so as not to confuse the group policy editor) and imported it to my domain group policy. The template is below.

CATEGORY &#;33;&#;33;WindowsComponents
CATEGORY &#;33;&#;33;InternetExplorer7_Customized
#;if version >= 4 EXPLAIN
POLICY &#;33;&#;33;Disable_Security_Settings_Check
#;if version >= 4 SUPPORTED
KEYNAME "Software\Policies\Microsoft\Internet Explorer\Security"
EXPLAIN &#;33;&#;33;IE_Explain_DisableSecuritySettingsCheck
VALUENAME DisableSecuritySettingsCheck
WindowsComponents [strings]
WindowsComponents="Windows Components"
InternetExplorer7_Customized="Internet Explorer 7 Customized Settings"
Disable_Security_Settings_Check="Turn off the Security Settings Check feature"
IE_Explain_DisableSecuritySettingsCheck="This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk.\n\nIf you enable this policy setting, the security settings check will not be performed.\n\nIf you disable or do not configure this policy setting, the security settings check will be performed."
IE_ExplainCat="Custom config of Internet Explorer 7";
Supported on Information SUPPORTED_IE7="At least Internet Explorer 7.0" ;
Additional strings that will be used to generate Online Help
ADM_TITLE="Group Policy settings for Internet Explorer"
USER="User Configuration"
COMPUTER="Computer Configuration"
COMPUTER_Explain="Contains settings that may only be used to configure Computers"
USER_Explain="Contains settings that may only be used to configure Users"

No comments: