  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1517

Removing Restricted Sites - GPO Security Zone replication issue

Hi,

I'm attempting to remove all restricted sites from the default domain policy. This list was previously imported and contains about 1000 websites. On a DC, navigating to <User Configuration, Windows Settings, Internet Explorer Maintenance, Security, Security Zones and Content Ratings>, I am able to remove the list of sites. However, the policy update is only applying to this DC and any client workstations authenticating to it. I'm finding this policy change is not replicating out to any other DCs.

I've verified the seczones.inf and seczrsop.inf files are being updated and replicated to the other DCs' sysvol folders; however, the default domain policy still contains the list of restricted sites. Adding sites to the trusted/restricted list is not an issue, they replicate ok...the issue seems to be specific to removing websites from either list.

In a newly created lab, I've been able to replicate the issue. This leads me to believe it may not be an issue with our domain/replication, but rather a Windows setting. This is a Windows 2000 domain environment with XP clients.

Thanks
0
akioo
Asked:
1 Solution
 
Donald StewartNetwork AdministratorCommented:
Did you try right-clicking on Internet Explorer Maintenance and selecting "Reset"?
0
 
tl121000Commented:
I know this will not solve your problem immediately, but the maintenance of content filtering using MS provided tools is very tedious.

You may want to look into a content filtering device - many content filtering devices integrate with Active Directory --> who are you (account) and where you can go. There are also functions such as traffic shaping, bypass filtering for specific folks, etc.
Check out... www.bluecoat.com and www.cymphonix.com
 
0
 
tl121000Commented:
Sometimes rebooting the DC (if you can) can force replication...
0
 
jcimarronCommented:
akioo--The Restricted Sites are in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
And HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.inetexplorer.ie6.browser/2006-07/msg00464.html

Using the Reset button (actually in IE Tools|Internet Options Advanced tab) will delete Trusted Sites as well as Restricted Sites.
http://www.mvps.org/winhelp2002/restricted.htm
0
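Added example (not part of jcimarron's post or of the thread): a PowerShell sketch that lists the entries under the two ZoneMap\Domains keys named above that are mapped to zone 4 (Restricted Sites), so the output can be compared between a workstation that picked up the policy change and one that did not. It assumes PowerShell 2.0 or later is installed on the machine being checked; the function name is hypothetical.

```powershell
# Added example: enumerate Restricted Sites (zone 4) entries in the IE ZoneMap.
# Zone numbers: 0 My Computer, 1 Local Intranet, 2 Trusted, 3 Internet, 4 Restricted.
$RestrictedZone = 4
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-RestrictedZoneEntry {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Keys are Domains\<domain> or Domains\<domain>\<subdomain>; each key
        # holds one DWORD per scheme (http, https, *) whose data is the zone.
        Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $key = $_
                foreach ($name in $key.GetValueNames()) {
                    if ($key.GetValue($name) -eq $RestrictedZone) {
                        New-Object PSObject -Property @{
                            Hive   = $root.Substring(0, 4)
                            # Text after "\Domains\": domain, or domain\subdomain
                            Site   = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
                            Scheme = $name
                        }
                    }
                }
            }
    }
}

$entries = @(Get-RestrictedZoneEntry -Path $roots)
"{0} restricted-zone entries on {1}" -f $entries.Count, $env:COMPUTERNAME
$entries | Sort-Object Hive, Site | Format-Table Hive, Site, Scheme -AutoSize
```

HKCU is the hive of whoever runs the script, so run it in the session of a user the policy applies to.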
 
jcimarronCommented:
akioo--I forgot to mention that whichever sites have been entered into Restricted Sites by SpywareBlaster, can be removed (without affecting Trusted Sites) by clicking "Disable All Protection" at the bottom of the SpywareBlaster window.
0
 
Donald StewartNetwork AdministratorCommented:
As I first mentioned


How to reset Internet Explorer settings
Group Policy
The Reset Internet Explorer Settings feature does not affect Group Policy. However, you can also use the Internet Explorer Maintenance Extension in the Group Policy Management Console to apply branding settings. Most of these branding settings are preferences and not policies. Therefore, after you use the Reset Internet Explorer Settings feature, these settings are lost.

The Reset Internet Explorer Settings feature restores the preference settings that are created by the Internet Explorer Administration Kit or by the OEM Preinstallation Kit only.

0
 
jcimarronCommented:
dstewartjr--In case you thought I was duplicating your advice, I was not.  Rather I wanted akioo to know that using it will delete the sites in Trusted Sites as well.  Sorry if that was not clear.
0
 
Donald StewartNetwork AdministratorCommented:
You said

"Using the Reset button (actually in IE Tools|Internet Options Advanced tab) will delete Trusted Sites as well as Restricted Sites.
http://www.mvps.org/winhelp2002/restricted.htm"

So I was pointing out/stressing that it can be done in group policy rather than individually.
0
 
akiooAuthor Commented:
dstewartjr - I'd like to avoid resetting the browser settings, as this affects all Internet Explorer Maintenance configurations. Since there are multiple settings already configured, I'd like to only remove the restricted sites.

tl121000 - we have 3rd party content filtering in place, one of the reasons why the restricted sites in IE can be removed. Yes, I've tried rebooting the DC...though the .inf files had already replicated to all other DCs.

jcimarron - I had previously come across the document you posted. On the original DC which I had removed the restricted sites from in the default domain policy, they no longer exist in the registry. However they still exist in all other DCs which the policy is not being applied to. Also, the application used to import the restricted sites originally is unknown...currently there are no applications installed on this DC which have had the functionality.

I've tried playing with the DelDomains.inf file, although I still have the issue with the policy not being applied to other DCs; again, the .inf files are being updated and replicated ok.

At this point, I'm beginning to think the best way to tackle this would be to remove the security zones policy and privacy settings from the default domain gpo. Then, re-import the Internet/Local Intranet/Trusted sites w/out any restricted sites (since adding sites has not been an issue). Any thoughts?
0
 
Donald StewartNetwork AdministratorCommented:
I realize that, but you may not be left with any other choice. Since they are preferences, simply removing the policy doesn't return to the default setting (as you found out). So you would have to reset and reapply the differences.
0
 
jcimarronCommented:
akioo--You have little to lose by using SpywareBlaster to see what it removes.
http://www.javacoolsoftware.com/spywareblaster.html
You might even want to keep it for the other KillBit function it performs.
SpywareBlaster will not remove Trusted Sites or Ranges.
0
 
tl121000Commented:
How many DCs are in the domain...
 
Maybe connect to each DC through GPMC and configure the zone settings explicitly (for each GPO - one by one - kind of grudy but will suffice).
0
 
akiooAuthor Commented:
I had ended up deleting all security zone settings and recreated them w/out the restricted sites.
0
