Disabling IE through GP

  • Thread starter Thread starter Spencer
  • Start date Start date
S

Spencer

Is there a way to disable internet browsing from a workstation based on group policy. In other words, they click on IE and it doesn't work. I know that I can disable the gateway, but I can't turn off DNS it being a Windows 2000 domain, but I want to limit this type of activity by user and not workstation. Is there a way to do it without using ISA? Thanks in advance.
 
Spencer,

This question pops up every once and again. There are two things that you need to do:

1) configure the Proxy Server with a bad / invalid IP Address, and
2) disable the user's ability to change that.

HTH,

Cary

Is there a way to disable internet browsing from a workstation based on group policy. In other words, they click on IE and it doesn't work. I know that I can disable the gateway, but I can't turn off DNS it being a Windows 2000 domain, but I want to limit this type of activity by user and not workstation. Is there a way to do it without using ISA? Thanks in advance.
 
Hi Cary, there is in fact a much better way to do this, use content Advisor to only allow about:blank page.

User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings

Import the current content ratings settings. Click Modify Settings to change settings you are importing. You can then modify your settings using Content Advisor.
Allow only the about:blank page.


--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup

"Cary Shultz [A.D. MVP]" <[email protected]> skrev i meddelandet Spencer,

This question pops up every once and again. There are two things that you need to do:

1) configure the Proxy Server with a bad / invalid IP Address, and
2) disable the user's ability to change that.

HTH,

Cary

Is there a way to disable internet browsing from a workstation based on group policy. In other words, they click on IE and it doesn't work. I know that I can disable the gateway, but I can't turn off DNS it being a Windows 2000 domain, but I want to limit this type of activity by user and not workstation. Is there a way to do it without using ISA? Thanks in advance.
 
In Group Policy you can set blocked applications. If you set iexplore.exe to be blocked that should work. It is under User Configuration/Admin Templates, and set the Dont run specified Windows applications to include iexplore.exe
Hi Cary, there is in fact a much better way to do this, use content Advisor to only allow about:blank page.

User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings

Import the current content ratings settings. Click Modify Settings to change settings you are importing. You can then modify your settings using Content Advisor.
Allow only the about:blank page.


--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup

"Cary Shultz [A.D. MVP]" <[email protected]> skrev i meddelandet Spencer,

This question pops up every once and again. There are two things that you need to do:

1) configure the Proxy Server with a bad / invalid IP Address, and
2) disable the user's ability to change that.

HTH,

Cary

Is there a way to disable internet browsing from a workstation based on group policy. In other words, they click on IE and it doesn't work. I know that I can disable the gateway, but I can't turn off DNS it being a Windows 2000 domain, but I want to limit this type of activity by user and not workstation. Is there a way to do it without using ISA? Thanks in advance.
 
Chris,

Looks like I learn something new every day! Just two months ago the method that I described was the way to do it (at least what everyone was suggesting ). Looks like I need to spend a little more time in here.

Thank you for the update!

Cary

Hi Cary, there is in fact a much better way to do this, use content Advisor to only allow about:blank page.

User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings

Import the current content ratings settings. Click Modify Settings to change settings you are importing. You can then modify your settings using Content Advisor.
Allow only the about:blank page.


--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup

"Cary Shultz [A.D. MVP]" <[email protected]> skrev i meddelandet Spencer,

This question pops up every once and again. There are two things that you need to do:

1) configure the Proxy Server with a bad / invalid IP Address, and
2) disable the user's ability to change that.

HTH,

Cary

Is there a way to disable internet browsing from a workstation based on group policy. In other words, they click on IE and it doesn't work. I know that I can disable the gateway, but I can't turn off DNS it being a Windows 2000 domain, but I want to limit this type of activity by user and not workstation. Is there a way to do it without using ISA? Thanks in advance.
 
I do not see this in my GP:

"...and set the Dont run specified Windows applications to include iexplore.exe"

Would I have to create a new template?

Frank




In Group Policy you can set blocked applications. If you set iexplore.exe to be blocked that should work. It is under User Configuration/Admin Templates, and set the Dont run specified Windows applications to include iexplore.exe
Hi Cary, there is in fact a much better way to do this, use content Advisor to only allow about:blank page.

User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings

Import the current content ratings settings. Click Modify Settings to change settings you are importing. You can then modify your settings using Content Advisor.
Allow only the about:blank page.


--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup

"Cary Shultz [A.D. MVP]" <[email protected]> skrev i meddelandet Spencer,

This question pops up every once and again. There are two things that you need to do:

1) configure the Proxy Server with a bad / invalid IP Address, and
2) disable the user's ability to change that.

HTH,

Cary

Is there a way to disable internet browsing from a workstation based on group policy. In other words, they click on IE and it doesn't work. I know that I can disable the gateway, but I can't turn off DNS it being a Windows 2000 domain, but I want to limit this type of activity by user and not workstation. Is there a way to do it without using ISA? Thanks in advance.
 
You should see a policy titled "Don't run specified Windows applications. You have to double-click on that, enable it, then you can show the disabled apps and add iexplore.exe to that.
I do not see this in my GP:

"...and set the Dont run specified Windows applications to include iexplore.exe"

Would I have to create a new template?

Frank




In Group Policy you can set blocked applications. If you set iexplore.exe to be blocked that should work. It is under User Configuration/Admin Templates, and set the Dont run specified Windows applications to include iexplore.exe
Hi Cary, there is in fact a much better way to do this, use content Advisor to only allow about:blank page.

User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings

Import the current content ratings settings. Click Modify Settings to change settings you are importing. You can then modify your settings using Content Advisor.
Allow only the about:blank page.


--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup

"Cary Shultz [A.D. MVP]" <[email protected]> skrev i meddelandet Spencer,

This question pops up every once and again. There are two things that you need to do:

1) configure the Proxy Server with a bad / invalid IP Address, and
2) disable the user's ability to change that.

HTH,

Cary

Is there a way to disable internet browsing from a workstation based on group policy. In other words, they click on IE and it doesn't work. I know that I can disable the gateway, but I can't turn off DNS it being a Windows 2000 domain, but I want to limit this type of activity by user and not workstation. Is there a way to do it without using ISA? Thanks in advance.
 
While that may stop them from starting Internet Explorer, keep in mind that it may not stop access to the internet dues to the way that the internet access is integrated into Windows these days. For instance after a user can no longer use IE, they still may be able to access the internet from Explorer address bar, the run box, or even url links in Word documents. A firewall/proxy server or even ipsec filtering may be a better way to go. --- Steve
You should see a policy titled "Don't run specified Windows applications. You have to double-click on that, enable it, then you can show the disabled apps and add iexplore.exe to that.
I do not see this in my GP:

"...and set the Dont run specified Windows applications to include iexplore.exe"

Would I have to create a new template?

Frank




In Group Policy you can set blocked applications. If you set iexplore.exe to be blocked that should work. It is under User Configuration/Admin Templates, and set the Dont run specified Windows applications to include iexplore.exe
Hi Cary, there is in fact a much better way to do this, use content Advisor to only allow about:blank page.

User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings

Import the current content ratings settings. Click Modify Settings to change settings you are importing. You can then modify your settings using Content Advisor.
Allow only the about:blank page.


--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup

"Cary Shultz [A.D. MVP]" <[email protected]> skrev i meddelandet Spencer,

This question pops up every once and again. There are two things that you need to do:

1) configure the Proxy Server with a bad / invalid IP Address, and
2) disable the user's ability to change that.

HTH,

Cary

Is there a way to disable internet browsing from a workstation based on group policy. In other words, they click on IE and it doesn't work. I know that I can disable the gateway, but I can't turn off DNS it being a Windows 2000 domain, but I want to limit this type of activity by user and not workstation. Is there a way to do it without using ISA? Thanks in advance.
 
True...I will have to look into that. Many times though iexplore.exe is called transparently to the user to display those items.
While that may stop them from starting Internet Explorer, keep in mind that it may not stop access to the internet dues to the way that the internet access is integrated into Windows these days. For instance after a user can no longer use IE, they still may be able to access the internet from Explorer address bar, the run box, or even url links in Word documents. A firewall/proxy server or even ipsec filtering may be a better way to go. --- Steve
You should see a policy titled "Don't run specified Windows applications. You have to double-click on that, enable it, then you can show the disabled apps and add iexplore.exe to that.
I do not see this in my GP:

"...and set the Dont run specified Windows applications to include iexplore.exe"

Would I have to create a new template?

Frank




In Group Policy you can set blocked applications. If you set iexplore.exe to be blocked that should work. It is under User Configuration/Admin Templates, and set the Dont run specified Windows applications to include iexplore.exe
Hi Cary, there is in fact a much better way to do this, use content Advisor to only allow about:blank page.

User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings

Import the current content ratings settings. Click Modify Settings to change settings you are importing. You can then modify your settings using Content Advisor.
Allow only the about:blank page.


--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup

"Cary Shultz [A.D. MVP]" <[email protected]> skrev i meddelandet Spencer,

This question pops up every once and again. There are two things that you need to do:

1) configure the Proxy Server with a bad / invalid IP Address, and
2) disable the user's ability to change that.

HTH,

Cary

Is there a way to disable internet browsing from a workstation based on group policy. In other words, they click on IE and it doesn't work. I know that I can disable the gateway, but I can't turn off DNS it being a Windows 2000 domain, but I want to limit this type of activity by user and not workstation. Is there a way to do it without using ISA? Thanks in advance.
 
Back
Top