If you haven't already done so, try running the Group Policy Results tool
from the GP MMC. That will tell you what settings are being applied from
your various policies, and what settings are ultimately "winning" due to the
order of precedence. One possibility is that you have two conflicting
policies, and the end result is that your policy to restrict enabling and
disabling the proxy settings is being applied and is "winning," but your
exceptions to the proxy rule are being overwritten by another policy that
has a higher precedence. I'd look at that, for starters.
Devin
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Jon Petre
Sent: Thursday, September 27, 2007 6:50 PM
To: security-basics@lists.securityfocus.com
Subject: Group Policy Connundrum - Stick with it, its confusing!!!
Hello List,
I have an issue at a customers site regarding GP that goes a little like
this:
I have created a policy named no internet. I have created a security group
named the same. In this group are so many users based across the country
that I want to limit the internet usage, therefore I have created a false
proxy @ 0.0.0.0 that all their internet use has to pass through. This gives
the expected result where no pages are displayed regardless of which site
the user goes to. I have also created some exceptions for this policy, which
do not use the proxy, i.e.
www.homepageofcompany.com, www.siteiwanttoallow.com,
www.theusercangohere.co.uk.
This is done by setting the 'user configuration > Internet Explorer >
Connection > Proxy Settings > Exceptions'. The desired output is that user's
logon and can access these sites, but any other non specified site wont
work.
----I hope this makes sense so far----
Then by setting the 'Admin Template > Windows Components > Internet Explorer
Disable Changing Proxy Settings' to enabled effectively grays out the
proxy settings in internet explorer and stops the user from altering the
settings.
OK, this is where the issues start. When I toggle the 'Admin Template >
Windows Components > Internet Explorer > Disable Changing Proxy Settings'
between enable and disable, and update the policy on the local machine via
GPUPDATE, or even from the server by forcing the update, everything works
and the proxy is enabled and disabled as specified.
However, when I try to make changes to any part of the user config, the
policy does not seem to initialise. What I mean is any sites I add to the
exception list do not appear and the end result is the user can not access
any sites at all. I have logged on and off, and re-booted workstation all to
no effect.
Any suggestions on why the user configuration portion of the Group Policy
does not work would be much appreciated. I am sure all the permissions are
set correctly, i.e. the apply GP settings, read settings etc. If they
wasn't, then surely no part of the policy would work, would it?
TIA,
Jono
_________________________________________________________________
Get Pimped! FREE emoticon packs from Windows Live -
http://www.pimpmylive.co.uk
