Subject: [ActiveDir] Group policy security setting

CKaiser, 09/02/2005 10:52 AM
This is driving me nuts....

I'm trying to set up a W2K3 SP1 terminal server machine, managed by
group policy, that will allow users to run certain apps that actually
load from another server. Here's the problem...

When I try and launch one of those apps, I get the security warning box
"open file - security warning" "Are you sure you want to run this
software?"
I finally figured out how to disable it; in IE properties, security,
trusted sites, custom level, there's a setting: "Launching applications
and unsafe files". If I set that to enable, the box goes away. (I'm
using software restrictions to only allow certain apps, so the warning
box is irrelevant).

I want to be able to set this value via GP rather than through the IE
interface. The IE ADM template seems to include every setting except for
this one.

Why? I've tried creating a custom ADM for the setting, but I'm getting
nowhere with that. I'll probably try that again next week.
But I'm curious why this particular setting is not available in the
template? Any ideas? Am I missing something?

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

davidadner, 09/02/2005 11:14 AM
Is the corresponding Registry value a type of reg_binary? If so you can't
set it via an ADM. You would need to use an alternate method to update each
user's Registry like via a login script.

AD00000900, 09/03/2005 4:55 AM
The other way that works is to add the UNC for the file server
(file://server/share) to the Trusted Sites, under
User Config / Windows Settings / IE Maintenance / Security / Security Zones and Content ratings

Now that I look, there's the setting you're trying to change - which is why
it probably didn't work with a template.


--------
Roger Seielstad
E-mail Geek

AD00000777, 09/06/2005 12:57 PM
Hi Charlie,

If it is a user registry setting (other than Binary) there should be no
problem with a custom ADM template.

Can you explain what registry key it is and exactly what is not working?

Alan Cuthbertson

CKaiser, 09/07/2005 10:06 AM
OK; I finally figured this one out; I had to set a couple of other
settings for this to work.
Computer config\admin templates\Internet explorer\internet control panel\security page.
Intranet sites: Include all local (intranet) sites not listed in other zones
Intranet sites: Include all network paths (UNCs)

That let it work as expected.

But I'm seeing another problem as well. This is one of those things that
bug us when we log on to a new machine for the first time. :-)

I've set the IE home page to our intranet, which is the only site
allowed; everything else goes to a bit-bucket proxy. So in:
User config\windows settings\internet explorer
maintenance\URLs\Important URLs, I've set the home page. But it doesn't
work. With a new user login, IE starts by going to MS site, and since
the proxy won't let it, it doesn't move forward from there. I can type
in the intranet URL manually and get there. If I allow the browser to
reach the internet, it goes to the MS site first, then to windows update
on the second launch, then to the expected home page on the third
launch.

Any way to get around this?
Thanks!

PS: Roger; good to see you back. How's things? Pam and I are moving to
AZ soon. Gimme a call sometime and we can chat...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************


AD00000900, 09/10/2005 3:34 AM
I *think* there's a policy setting to override that first connect to MS.com
- I just can't remember what it is right now
--------
Roger Seielstad
E-mail Geek

SteveRochford, 09/13/2005 5:14 AM
> I've set the IE home page to our intranet, which is the only
> site allowed; everything else goes to a bit-bucket proxy. So in:
> User config\windows settings\internet explorer
> maintenance\URLs\Important URLs, I've set the home page. But
> it doesn't work. With a new user login, IE starts by going to
> MS site, and since the proxy won't let it, it doesn't move
> forward from there. I can type in the intranet URL manually
> and get there. If I allow the browser to reach the internet,
> it goes to the MS site first, then to windows update on the
> second launch, then to the expected home page on the third launch.
>
> Any way to get around this?
> Thanks!

Set

HKCU\Software\Microsoft\Internet Explorer\Main\First Home Page

to the page you want to visit first. I can't find this documented
anywhere on the Microsoft web site except for Windows 98 so I'm not
absolutely sure it's still relevant but it's got to be worth a go! (We
set it for all machines in the logon script but I'd guess you could
easily do it in a group policy)

Steve

CKaiser, 09/13/2005 10:23 AM
OK; that's got it. I found another KB article (289902) that talks about
another part of this; it's a file called homepage.inf. I could probably
play with that to get what I need as well, but this worked. Thanks!

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
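
The zone settings this thread ends up using (the two "Intranet sites" policies, explicit file:// site-to-zone mappings, and "Launching applications and unsafe files") can be checked on a machine with a read-only audit. The PowerShell below is an added example, not part of any post in the thread; the value names IntranetName and UNCAsIntranet, action number 1806 and the key layout are assumed from the standard URL security zone registry layout rather than taken from the thread.

```powershell
# Added example: read-only audit of the IE zone settings discussed in this thread.
# Assumption: value names and key layout follow the standard URL security zone registry layout.

$zoneNames  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites' }
$actionText = @{ 0 = 'Enable (no prompt)'; 1 = 'Prompt'; 3 = 'Disable' }

# Policy hives are listed before the per-user preference hive.
$roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function New-Finding {
    param($Hive, $Setting, $Value, $Meaning)
    [pscustomobject]@{ Hive = $Hive; Setting = $Setting; Value = $Value; Meaning = $Meaning }
}

$findings = foreach ($root in $roots) {
    # The "Intranet sites: Include all ..." policies are stored as ZoneMap flags.
    foreach ($flag in 'IntranetName', 'UNCAsIntranet') {
        $v = Get-RegValue "$root\ZoneMap" $flag
        if ($null -ne $v) {
            $meaning = if ($v -eq 1) { 'On' } else { 'Off' }
            New-Finding $root "ZoneMap\$flag" $v $meaning
        }
    }

    # Explicit site-to-zone mappings for file:// (UNC) locations; leaf key name only.
    Get-ChildItem "$root\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $mapped = $_.GetValue('file')
            if ($null -ne $mapped) {
                $label = $zoneNames[[int]$mapped]
                New-Finding $root "ZoneMap\Domains\$($_.PSChildName) (file)" $mapped $label
            }
        }

    # Action 1806 is "Launching applications and unsafe files".
    foreach ($zone in 1, 2) {
        $v = Get-RegValue "$root\Zones\$zone" '1806'
        if ($null -ne $v) {
            $meaning = $actionText[[int]$v]
            if ($null -eq $meaning) { $meaning = 'Other' }
            New-Finding $root "$($zoneNames[$zone]) \ 1806" $v $meaning
        }
    }
}

$findings | Format-Table -AutoSize -Wrap

# Flag the broad combination: every UNC path is intranet and that zone launches files silently.
$uncAll = $findings | Where-Object { $_.Setting -eq 'ZoneMap\UNCAsIntranet' -and $_.Value -eq 1 }
$silent = $findings | Where-Object { $_.Setting -like 'Local intranet*' -and $_.Value -eq 0 }
if ($uncAll -and $silent) {
    Write-Warning 'All UNC paths map to the intranet zone, which launches files without a prompt.'
}
```

If the warning fires, the narrower option raised earlier in the thread is to map only the specific file server (file://server/share) to a zone instead of including all network paths.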

