We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

Internet Explorer Security Settings change using registry or vb script

greyknight17
greyknight17 asked
on
Medium Priority
4,031 Views
Last Modified: 2012-05-07
Hi, we need to have some security settings changed in IE. This is in Tools > Internet Options > Security > Custom Level (for internet). We want to change most of those options to either Enable or Prompt.

This is to be deployed to multiple stations, so having a script file to do this will be most convenient. I tried monitoring the registry for changes as I'm making the manual change but can't seem to figure out which values correspond to the change. If someone can provide the entire list of settings in the custom level window and what values to change them to, it will be greatly appreciated. There's probably over 20 settings there to Disable, Enable or Prompt.

Also will this apply to IE6-IE8 or are they different for each version?

Thanks.
Comment
Watch Question

Commented:
If you are using Active Directory you can use a GPO to set these security settings.
User Configuration -> Administrative Template -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.
I don't know about IE6 but the settings works for both IE7 and IE8.

Author

Commented:
As of now, we are not using Active Directory. They are mostly using workgroup names.

I actually need to change a bunch of other options in the Internet Options setting, but a majority of them are in the security level tab.

Is there any other way to accomplish this? It doesn't even need to be a script, as long as it's automated. My manager mentioned creating a .MSI install file to do this, but I'm not at all familiar with this.

Thanks.

Commented:
You could possibly use a registery monitor app (I believe sysinternals has one) and then use gpedit.msc on a client to make the changes you want.  You could then export those settings from regedit and make a .reg file to import onto the rest of your computers.
regedit /s filename.reg would install the registry edits silently.

Author

Commented:
I tried using several different registry monitoring programs (including RegMon from SysInternals) but they don't help out much. RegMon actually displays all kinds of changes live and the list is constantly updating. Not even sure which entry may be responsible for the IE settings changes since it's constantly showing changes on the screen..
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011

Commented:
what are you looking to set specifically?
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011

Commented:
And when using Regmon, set the filter at the top to highlight "setvalue;create", and to only include "iexplore.exe;rundll32.exe". Change the settigns you want to change, and then clear the list. Then apply your changes, and the list to review (hopefully highlighted in Red) will be MUCH less now.
Filemon/Process Monitor/Regmon all take some tinkering until you get the right combo of highlighting, and processes down, before they are really easy to work with........

Author

Commented:
Thanks johnb6767. I will set them to those settings and see how it works out.

I got the full documentation on what to change. It's actually everything in the security settings and more. I will attach it here. Mostly Vista, but needed for XP as well.

Hopefully RegMon will be able to post those specific changes that I'm after.

IE-Settings.doc

Author

Commented:
I tried the filtering and it's still too much data. I went after the red highlighted entries and there are over 20 lines shown. This is just from one change alone in the security settings. Can that many entries be modified with just a single change?

Do you know of any other way to do this (see attached file in earlier reply)? Perhaps a .cab file?

I don't mind doing this manually if I know where in the registry to look for these specific changes.

Thanks again.
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011
Commented:
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011

Commented:
Use the Internet Explorer Maintenance Extension
http://technet.microsoft.com/en-us/library/cc817467.aspx
As an alternative possibly?

Author

Commented:
Perfect. Never used IEAK before but found it pretty self-explanatory once I installed it.

Anything similar for the Windows settings portion? This part at least I think I can do some searching for and finding out which registry entry is responsible for the changes. Probably a reg or batch file will do the job.

One thing I'm trying to get rid of is the security warning (yellow information bar on top in Internet Explorer). Once I applied these changes, I received the following error:

Your current security settings put your computer at risk.  Click here to change your security settings...

Is there a quick method to suppress that message? I searched and saw posts that mention taking ownership of 3 files and then also applying the security changes to inherit those files in system32 folder.

Here's how to nuke Security Center off your system. This has been tested and there are no adverse effects from doing this.1.     Go to Start --> Run and type "cmd" without the quotes. 2.     Type "cd\" followed by "cd windows\system32". 3.     Now run the following commands:        takeown /f wscapi.dll        takeown /f wscsvc.dll        takeown /f wscui.cpl 4.Now you have ownership of the files. Go into the system32 directory inexplorer and right click each file, go to the security tab and add anentry for everyone and give them full access permissions. 5.     Disable the Security Center Service via services.msc if you have not already done so. 6.     In the system32 folder rename the three mentioned dll's (change their file extension to .bak). 7.     To get rid of the Security Center service from services.msc drop to a command prompt and type the following: "REG DELETE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WSCSVC /F", hit enter and reboot. 8.      Enjoy no more nagging or icon in your system tray!

I don't mind doing that if it's all automated. I can write up a batch file to do a majority of this,  but will be stuck in the permission stage where it requires me to inherit it from the Properties > Security tab. It looks like takeown only applies to Vista. Is there a similar command for XP?

 There will be a group of computers that we want to apply these changes to. So any steps we can save in between will definitely speed up the deployment process.

All your help is greatly appreciated. Any additional help on the remaining problems will be appreciated as well.

Thanks.

Author

Commented:
I think I got most of them down now including the security message. Wrapping it up and will accept solution shortly.
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011

Commented:
Sorry for not repsonding sooner, wasnt online alot today in my email.....
Your ok now? Got all you needed figured out?
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.