akioo
asked on
Removing Restricted Sites - GPO Security Zone replication issue
Hi,
I'm attempting to remove all restricted sites from the default domain policy. This list was previously imported and contains about 1000 websites. On a DC, navigating to <User Configuration, Windows Settings, Internet Explorer Maintenance, Security, Security Zones and Content Ratings>, I am able to remove the list of sites. However, the policy update is only applying to this DC and any client workstations authenticating to it. I'm finding this policy change is not replicating out to any other DC's.
I've verified the seczones.inf and seczrsop.inf files are being updated and replicated to other DC's sysvol folder, however the default domain policy still contains the list of restricted sites. Adding sites to the trusted/restricted list is not an issue, they replicate ok...the issue seems to be specific to removing websites from either list.
In a newly created lab, I've been able to replicate the issue. This leads me to believe it may not be an issue with our domain/replication, however a Windows setting. This is a Windows 2000 domain environment with XP clients
Thanks
Did you try right-clicking on Internet Explorer Maintenance and selecting "Reset"?
I know this will not solve your problem immediately, but the maintenance of content filtering using MS provided tools is very tedious.
You may want to look into a content filtering device - many content filtering devices integrate with Active Directory --> who are you (account) and where you can go. There are also functions such as traffic shaping, bypass filtering for specific folks, etc.
check out... www.bluecoat.com and www.cymphonix.com
Sometimes rebooting the DC (if you can) can force replication...
akioo--The Restricted Sites are in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
And HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.inetexplorer.ie6.browser/2006-07/msg00464.html
Using the Reset button (actually in IE Tools|Internet Options
Advanced tab) will delete Trusted Sites as well as Restricted Sites.
http://www.mvps.org/winhelp2002/restricted.htm
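An added example, not part of the original thread: a Python sketch that compares two regedit `.reg` exports of the ZoneMap\Domains key named above and lists the Restricted-zone entries (zone 4) still present on one machine after they were removed on another. The sample exports, host names and function names are constructed for illustration.

```python
import re

# ZoneMap location named in the post above; matched case-insensitively in either hive.
ZONEMAP = r"software\microsoft\windows\currentversion\internet settings\zonemap\domains"
RESTRICTED = 4  # IE zone numbers: 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

def restricted_sites(reg_text):
    """Return {(site, scheme)} mapped to the Restricted zone in a .reg export."""
    found, site = set(), None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(ZONEMAP)
            site = None
            if idx != -1:
                # Sub-keys are Domains\<domain>[\<host>]; rebuild host.domain
                parts = [p for p in path[idx + len(ZONEMAP):].split("\\") if p]
                if parts:
                    site = ".".join(reversed(parts))
            continue
        val = VAL_RE.match(line)
        if site and val and int(val.group(2), 16) == RESTRICTED:
            found.add((site, val.group(1)))
    return found

def stale_entries(cleaned_export, other_export):
    """Restricted entries still on the other machine but gone from the cleaned one."""
    return sorted(restricted_sites(other_export) - restricted_sites(cleaned_export))

# Constructed sample exports (not from the thread). Real regedit exports are
# UTF-16, so read them with open(path, encoding="utf-16").
BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
CLEANED_DC = (f'Windows Registry Editor Version 5.00\n\n'
              f'[{BASE}\\intranet.example]\n"http"=dword:00000002\n')
OTHER_DC = CLEANED_DC + (f'\n[{BASE}\\blocked.example]\n"*"=dword:00000004\n'
                         f'\n[{BASE}\\blocked.example\\ads]\n"*"=dword:00000004\n')

if __name__ == "__main__":
    for site, scheme in stale_entries(CLEANED_DC, OTHER_DC):
        print(f"still restricted: {site} ({scheme})")
```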
akioo--I forgot to mention that whichever sites have been entered into Restricted Sites by SpywareBlaster, can be removed (without affecting Trusted Sites) by clicking "Disable All Protection" at the bottom of the SpywareBlaster window.
As I first mentioned
How to reset Internet Explorer settings
Group Policy
The Reset Internet Explorer Settings feature does not affect Group Policy. However, you can also use the Internet Explorer Maintenance Extension in the Group Policy Management Console to apply branding settings. Most of these branding settings are preferences and not policies. Therefore, after you use the Reset Internet Explorer Settings feature, these settings are lost.
The Reset Internet Explorer Settings feature restores the preference settings that are created by the Internet Explorer Administration Kit or by the OEM Preinstallation Kit only.
dstewartjr--In case you thought I was duplicating your advice, I was not. Rather I wanted akioo to know that using it will delete the sites in Trusted Sites as well. Sorry if that was not clear.
You said
"Using the Reset button (actually in IE Tools|Internet Options
Advanced tab) will delete Trusted Sites as well as Restricted Sites.
http://www.mvps.org/winhelp2002/restricted.htm "
So I was pointing out/stressing that it can be done in group policy rather than individually.
ASKER
dstewartjr - I'd like to avoid resetting the browser settings, as this affects all Internet Explorer Maintenance configurations. Since there are multiple settings already configured, I'd like to only remove the restricted sites.
tl121000 - we have 3rd party content filtering in place, one of the reasons why the restricted sites in IE can be removed. Yes, I've tried rebooting the DC...though the .inf files had already replicated to all other DC's.
jcimarron - I had previously come across the document you posted. On the original DC which I had removed the restricted sites from in the default domain policy, they no longer exist in the registry. However they still exist in all other DC's which the policy is not being applied to. Also, the application used to import the restricted sites originally is unknown...currently there are no applications installed on this DC which have had the functionality.
I've tried playing with the DelDomains.inf file, although I still have the issue with the policy not being applied to other DC's, again the .inf files are being updated and replicated ok.
At this point, I'm beginning to think the best way to tackle this would be to remove the security zones policy and privacy settings from the default domain gpo. Then, re-import the Internet/Local Intranet/Trusted sites w/out any restricted sites (since adding sites has not been an issue). Any thoughts?
I realize that, but you may not be left with any other choice. Since they are preferences, simply removing the policy doesn't return to the default setting (as you found out). So you would have to reset and reapply the differences.
akioo--You have little to lose by using SpywareBlaster to see what it removes.
http://www.javacoolsoftware.com/spywareblaster.html
You might even want to keep it for the other KillBit function it performs.
SpywareBlaster will not remove Trusted Sites or Ranges.
How many DCs are in the domain...
Maybe connect to each DC through gpmc and configure the zone settings explicitly (for each GPO - one by one - kind of grudy but will suffice).