inquiry on putting a block on changing internet settings on IE7

So I placed some sites in the restricted sites portion of the Internet
settings and I want to make sure they stay there. To put it into more of a
perspective, I want to make sure that a person who is not an administrator
cannot edit the Internet settings, especially by removing sites from the
restricted sites list. I am using IE7, if that helps/makes a difference. I
have limited knowledge on editing registry keys, so if that's what needs to
be done, and you can point me in the right direction, I can probably figure
it out. But I'm having a heck of a time finding any info on how to set up
those restrictions. Thank you in advance for your input.

jwgoerlich
Sun Feb 25 04:00:02 CST 2007

The sites in Internet Explorer's security settings are user-specific
and are stored in the registry under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap

You can go into the registry, browse to this key, right-click and
select Permissions. Click the [Advanced] button and uncheck [ ] Allow
inheritable permissions. Select copy when prompted, then click [Ok].
Back on the Permissions for ZoneMap dialog box, click to select the
user and change their permissions so that only [x] Read is checked.
This will change it for the currently logged on user.

As a user-level settings, a knowledgeable person can go back into the
registry and reset their permissions. Thus, this is not completely
secure, but a good starting point.

Regards,

J Wolfgang Goerlich





On Feb 25, 3:18 am, RevelationTravis
<RevelationTra...@discussions.microsoft.com> wrote:
> So I placed some sites in the restricted sites portion of the Internet
> settings and I want to make sure they stay there. To put it into more of a
> perspective, I want to make sure that a person who is not an administrator
> cannot edit the Internet settings, especially by removing sites from the
> restricted sites list. I am using IE7, if that helps/makes a difference. I
> have limited knowledge on editing registry keys, so if that's what needs to
> be done, and you can point me in the right direction, I can probably figure
> it out. But I'm having a heck of a time finding any info on how to set up
> those restrictions. Thank you in advance for your input.

siljaline
Sun Feb 25 04:12:50 CST 2007

"RevelationTravis" wrote:
> So I placed some sites in the restricted sites portion of the Internet
> settings and I want to make sure they stay there. To put it into more of a
> perspective, I want to make sure that a person who is not an administrator
> cannot edit the Internet settings, especially by removing sites from the
> restricted sites list. I am using IE7, if that helps/makes a difference. I
> have limited knowledge on editing registry keys, so if that's what needs to
> be done, and you can point me in the right direction, I can probably figure
> it out. But I'm having a heck of a time finding any info on how to set up
> those restrictions. Thank you in advance for your input.

Users of the IE7 Public Release are asked to post their queries:
On the web:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.internetexplorer.general

In your newsreader:
news://msnews.microsoft.com/microsoft.public.internetexplorer.general

Silj

--
siljaline

MS - MVP Windows (IE/OE) & Windows Security, AH-VSOP

Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address is invalid that we may all benefit.

jwgoerlich
Sun Feb 25 04:31:58 CST 2007

I just tried this on my test Win2003 terminal server. You can prevent
the users from making changes providing Administrators are the owner.
So, a revised procedure is as follows:

1) Logon to the computer as Administrator
2) Start Registry Editor (regedit.exe)
3) Open the user's registry hive

File > Load Hive
Browse to the user's profile
Open NTUSER.DAT
Key name: user's name

4) Browse to the appropriate folder

HKEY_USERS\username\Software\
Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

5) Right-click and select Permissions.
6) Click the [Advanced] button, Permissions tab, uncheck [ ] Allow
inheritable permissions, select copy when prompted.
7) Owner tab, set the current owner to Administrators (if it is not
already), then click [Ok]
8) Back on the Permissions for ZoneMap dialog box, click to select the
user and change their permissions so that only [x] Read is checked

That should do the trick.

J Wolfgang Goerlich

Roger
Sun Feb 25 08:21:09 CST 2007

Good post, and resolution, Wolfgang.

Roger
<jwgoerlich@gmail.com> wrote in message
news:1172399518.550184.186010@q2g2000cwa.googlegroups.com...
>I just tried this on my test Win2003 terminal server. You can prevent
> the users from making changes providing Administrators are the owner.
> So, a revised procedure is as follows:
>
> 1) Logon to the computer as Administrator
> 2) Start Registry Editor (regedit.exe)
> 3) Open the user's registry hive
>
> File > Load Hive
> Browse to the user's profile
> Open NTUSER.DAT
> Key name: user's name
>
> 4) Browse to the appropriate folder
>
> HKEY_USERS\username\Software\
> Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
>
> 5) Right-click and select Permissions.
> 6) Click the [Advanced] button, Permissions tab, uncheck [ ] Allow
> inheritable permissions, select copy when prompted.
> 7) Owner tab, set the current owner to Administrators (if it is not
> already), then click [Ok]
> 8) Back on the Permissions for ZoneMap dialog box, click to select the
> user and change their permissions so that only [x] Read is checked
>
> That should do the trick.
>
> J Wolfgang Goerlich
>
>

jwgoerlich
Mon Feb 26 06:11:37 CST 2007

Thank you!

On Feb 25, 9:21 am, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
> Good post, and resolution, Wolfgang.