how to enable restrictions in Internet Explorer through scripts

Good day everyone,

most of you know that we can enable restrictions on changing internet explorer settings through a registry key, i used to do it manually with the registry value stated below:


User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\
Restrictions]
System Key: [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\
Restrictions]
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disable restriction, 1 = enable restriction)

so my point is, i want to do this through a login script on roaming profiles, we have windows server 2008 standard and clients are windows xp pro machines

i tried to change this manually but i did not find the registry value after we made roaming profiles, can anyone confirm with me regarding this? or did i miss something
maxi86Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Chad HaneyChief Technology OfficerCommented:
Restrictions in accordance to the location you are referencing is a Key value.  The DWORD values that would correspond under the key for that location would be:

NoBrowserClose
NoBrowserContextMenu
NoBrowserOptions
NoBrowserSaveAs
NoFavorites
NoFileNew
NoFileOpen
NoFindFiles
NoHelpItemNetscapeHelp
NoHelpItemSendFeedback
NoHelpItemTipOfTheDay
NoHelpItemTutorial
NoOpeninNewWnd
NoPrinting
NoSelectDownloadDir
NoTheaterMode
NoViewSource

These values do not necessarily have to exits, as they are restrictions and are only needed to be created if the restriction is necessary, otherwise the restriction is assumed false.
0
maxi86Author Commented:
thank you for your answer, but how should i put this into a login script ?
0
Chad HaneyChief Technology OfficerCommented:
Something like this would work for the script file.  Forgive me if it doesn't work on first attempt,  I am on a computer that has the machine permissions locked out right now.
Option Explicit
'Declare variables
Dim WSHShell, nonrestricted, restricted, base, exists, ErrDescription, strComputer, objRegistry, strKeyPath, strValueName
 
Set WSHShell = WScript.CreateObject("WScript.Shell")
base = "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions"
 
nonrestricted= "0"
restricted= "1"
 
On Error Resume Next
 
WSHShell.RegRead(base)
 
Select Case Err
	Case 0:
		exists = true
	Case &h80070002:
		ErrDescription = Replace(Err.description, base, "")
		Err.clear
		WshShell.RegRead "HKEY_ERROR\"
		
		If (ErrDescription <> Replace(Err.description, "HKEY_ERROR\","")) Then
			exists = true
		else
			exists = false
		End If
	Case Else:
		exists = false
End Select
 
If (exists=false) Then
	Const HKEY_LOCAL_MACHINE = &H80000002
	strComputer = "."
	Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\"&_ 
	    strComputer & "\root\default:StdRegProv")
	objReg.CreateKey(HKEY_LOCAL_MACHINE, "Software\Policies\Microsoft\Internet Explorer\Restrictions\")
	
End If
 
Const HKEY_LOCAL_MACHINE = &H80000002
 
strComputer = "."
 
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
 
strKeyPath = "Software\Policies\Microsoft\Internet Explorer\Restrictions"
 
 
'Do this for each restriction you want to set
strValueName = "NoBrowserClose"
objRegistry.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, restricted

Open in new window

0
Exploring ASP.NET Core: Fundamentals

Learn to build web apps and services, IoT apps, and mobile backends by covering the fundamentals of ASP.NET Core and  exploring the core foundations for app libraries.

maxi86Author Commented:
thank you for your help, i'll check this on sunday since i wont be in office till then then ill get back to you
0
maxi86Author Commented:
can this be in a registry file that i can run through batch file,

the bat file should run "restric.reg" which change this value to 1 to do the restriction

so i just need the registry file i can manage the batch


0
Chad HaneyChief Technology OfficerCommented:
yeah you can convert this to a .reg file   would be similar to as follows.
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserClose"=dword:00000001

Open in new window

0
maxi86Author Commented:
okay mate, i will try this in office and get back to you
0
maxi86Author Commented:
i don't know why this is giving me a hard time,

i made a folder on the server called NTLOGON with read permissions and put all the scripts inside

then i put the script name in the profile logon script  " proxyon.bat"

when i try and logon not all of it is being applied, when i run the .reg files manually on the computers it needs an admin account ,

ill attach my scripts, please check if i miss anything

so i am wondering if need to use the administrator logon anywhere in the bat file? i thought that since it is logon script from the server it doesn't need to
proxyon.bat:
 
@echo off
regedit.exe /s proxyon.reg
regedit.exe /s iestartpagegoogle.reg
regedit.exe /s proxylocaloverideon.reg
regedit.exe /s restrictionson.reg
 
 
--------------------
proxyon.reg: to change the proxy in IE
 
Windows Registry Editor Version 5.00
 
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="proxyname:8011"
 
 
 
----------------
iestartpagegoogle.reg: to change IE start page
 
Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
"Start Page"="http://www.google.com/"
 
 
 
-----------------------
proxylocaloverideon.reg: to bypass local addresses
 
Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
 
"ProxyOverride"="192.168.3.*;https://192.168.3.*;<local>"
 
 
-------------------------
restrictionson.reg: restrict changing IE settings
 
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001

Open in new window

0
maxi86Author Commented:
i meant some of the .reg files needs an admin account not all of them
0
Chad HaneyChief Technology OfficerCommented:
Which one(s) aren't being applied?  
0
maxi86Author Commented:
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001



this one above needs an admin account

-----------------------------------------------------------
i have found a command that do Run As:

runas /user:<domain_name>\<user_name> <program_name>
---------------------------------------------------------

i understood it s used as:  runas /user:mydomain\admin proxyon.bat

so to make it easy for me, ill make a new batch file with this command line and try to run the original batch ( the one which change registry) as admin, messed up ya? so will it run the registry files as admin or can i integrate the RunAs command line somewhere withtin the original proxyon.bat

i will try this later today and give feedback
0
Chad HaneyChief Technology OfficerCommented:
Did the runas command work for you?  if not I can look into something further for you.
0
maxi86Author Commented:
ya its working in running the other batch file, but again this will mean that ill have to run them locally on the computers and enter the password myself to gain admin rights, whats the use of logon scripts if they do not run with admin rights from the server :S
0
maxi86Author Commented:
ya its working in running the other batch file, but again this will mean that ill have to run them locally on the computers and enter the password myself to gain admin rights, whats the use of logon scripts if they do not run with admin rights from the server :S
0
Chad HaneyChief Technology OfficerCommented:
Ok so I just realized I'm a little blind.   The correct location is on the users end for this, unless you manage it through group policies.

http://technet.microsoft.com/en-us/library/cc737915.aspx

Try this instead if you want to do it via .reg still.


Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
maxi86Author Commented:
this still needs admin rights, in usibility they both do the same thing, differs whether you disable the internet options for the machine he logs on to or just the specific user

i think this topic is going nowhere..
0
maxi86Author Commented:
so can this be done thru group policies instead of .reg files and apply to specific users that i choose?
0
Chad HaneyChief Technology OfficerCommented:
From what I understand, yes. This could bedone via group policies.  Don't have a system setup to test it on right now.
0
maxi86Author Commented:
no one else?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Browsers

From novice to tech pro — start learning today.