akioo

Removing Restricted Sites - GPO Security Zone replication issue

Hi,

I'm attempting to remove all restricted sites from the default domain policy. This list was previously imported and contains about 1000 websites. On a DC, navigating to <User Configuration, Windows Settings, Internet Explorer Maintenance, Security, Security Zones and Content Ratings>, I am able to remove the list of sites. However, the policy update is only applying to this DC and any client workstations authenticating to it. I'm finding this policy change is not replicating out to any other DCs.

I've verified the seczones.inf and seczrsop.inf files are being updated and replicated to the other DCs' sysvol folders; however, the default domain policy still contains the list of restricted sites. Adding sites to the trusted/restricted list is not an issue, they replicate OK... the issue seems to be specific to removing websites from either list.

In a newly created lab, I've been able to replicate the issue. This leads me to believe it may not be an issue with our domain/replication, but rather a Windows setting. This is a Windows 2000 domain environment with XP clients.

Thanks
Don

Did you try right clicking on Internet Explorer Maintenance and selecting "Reset" ?
I know this will not solve your problem immediately, but the maintenance of content filtering using MS provided tools is very tedious.

You may want to look into a content filtering device - many content filtering devices integrate with Active Directory --> who are you (account) and where you can go. There are also functions such as traffic shaping, bypass filtering for specific folks, etc.
Check out www.bluecoat.com and www.cymphonix.com

Sometimes rebooting the DC (if you can) can force replication...
akioo--The Restricted Sites are in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.inetexplorer.ie6.browser/2006-07/msg00464.html

Using the Reset button (actually in IE Tools|Internet Options Advanced tab) will delete Trusted Sites as well as Restricted Sites.
http://www.mvps.org/winhelp2002/restricted.htm
akioo--I forgot to mention that whichever sites have been entered into Restricted Sites by SpywareBlaster, can be removed (without affecting Trusted Sites) by clicking "Disable All Protection" at the bottom of the SpywareBlaster window.
As I first mentioned


How to reset Internet Explorer settings
Group Policy
The Reset Internet Explorer Settings feature does not affect Group Policy. However, you can also use the Internet Explorer Maintenance Extension in the Group Policy Management Console to apply branding settings. Most of these branding settings are preferences and not policies. Therefore, after you use the Reset Internet Explorer Settings feature, these settings are lost.

The Reset Internet Explorer Settings feature restores the preference settings that are created by the Internet Explorer Administration Kit or by the OEM Preinstallation Kit only.

dstewartjr--In case you thought I was duplicating your advice, I was not. Rather I wanted akioo to know that using it will delete the sites in Trusted Sites as well. Sorry if that was not clear.
You said

"Using the Reset button (actually in IE Tools|Internet Options Advanced tab) will delete Trusted Sites as well as Restricted Sites.
http://www.mvps.org/winhelp2002/restricted.htm"

So I was pointing out/stressing that it can be done in group policy rather than individually.
akioo

ASKER

dstewartjr - I'd like to avoid resetting the browser settings, as this affects all Internet Explorer Maintenance configurations. Since there are multiple settings already configured, I'd like to only remove the restricted sites.

tl121000 - we have 3rd party content filtering in place, one of the reasons why the restricted sites in IE can be removed. Yes, I've tried rebooting the DC...though the .inf files had already replicated to all other DCs.

jcimarron - I had previously come across the document you posted. On the original DC which I had removed the restricted sites from in the default domain policy, they no longer exist in the registry. However they still exist in all other DCs which the policy is not being applied to. Also, the application used to import the restricted sites originally is unknown...currently there are no applications installed on this DC which have had the functionality.

I've tried playing with the DelDomains.inf file, although I still have the issue with the policy not being applied to other DCs; again the .inf files are being updated and replicated OK.

At this point, I'm beginning to think the best way to tackle this would be to remove the security zones policy and privacy settings from the default domain gpo. Then, re-import the Internet/Local Intranet/Trusted sites w/out any restricted sites (since adding sites has not been an issue). Any thoughts?
I realize that, but you may not be left with any other choice. Since they are preferences, simply removing the policy doesn't return to the default setting (as you found out). So you would have to reset and reapply the differences.
akioo--You have little to lose by using SpywareBlaster to see what it removes.
http://www.javacoolsoftware.com/spywareblaster.html
You might even want to keep it for the other KillBit function it performs.
SpywareBlaster will not remove Trusted Sites or Ranges.
How many DCs are in the domain...
 
Maybe connect to each DC through GPMC and configure the zone settings explicitly (for each GPO - one by one - kind of grudy but will suffice).
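
The check akioo describes above (restricted entries gone from the registry on the edited DC but still present where the policy has not applied) can be done offline by comparing regedit exports of the ZoneMap\Domains key from two machines. This is an added example, not part of the original thread; it assumes version 5 `.reg` exports, and the sample export text and site names are constructed.

```python
import re

RESTRICTED_ZONE = 4  # IE zone numbers: 1 intranet, 2 trusted, 3 internet, 4 restricted

# Matches any key below ...\ZoneMap\Domains in a regedit .reg export.
KEY_RE = re.compile(r"^\[HKEY_[A-Z_]+\\.*\\ZoneMap\\Domains\\([^\]]+)\]$", re.I)
# Value name is a protocol ("http", "https", "*"); data is the zone number.
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')


def restricted_sites(reg_text):
    """Return {(site, protocol)} mapped to the Restricted Sites zone."""
    found, site = set(), None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            # Domains\example.com\www is how IE stores www.example.com
            site = ".".join(reversed(key.group(1).split("\\")))
        elif line.startswith("["):
            site = None  # some other key; ignore its values
        else:
            val = VAL_RE.match(line)
            if val and site and int(val.group(2), 16) == RESTRICTED_ZONE:
                found.add((site, val.group(1)))
    return found


def stale_entries(cleaned_export, other_export):
    """Restricted entries still present elsewhere but gone from the cleaned machine."""
    return sorted(restricted_sites(other_export) - restricted_sites(cleaned_export))


# Constructed sample exports (hypothetical sites), not data from the thread.
BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

def _entry(subkey, proto, zone):
    return '[%s\\%s]\n"%s"=dword:%08x\n\n' % (BASE, subkey, proto, zone)

HEADER = "Windows Registry Editor Version 5.00\n\n[%s]\n\n" % BASE
CLEANED_DC = HEADER + _entry("intranet.example", "*", 2)
OTHER_DC = (CLEANED_DC + _entry("blocked.example", "*", 4)
            + _entry(r"ads.example\www", "http", 4))

if __name__ == "__main__":
    for site, proto in stale_entries(CLEANED_DC, OTHER_DC):
        print("still restricted on other DC: %s (%s)" % (site, proto))
```

Exports written by regedit in this format are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text in.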
ASKER CERTIFIED SOLUTION
akioo