Internet Explorer Security Settings change using registry or vb script
Hi, we need to have some security settings changed in IE. This is in Tools > Internet Options > Security > Custom Level (for internet). We want to change most of those options to either Enable or Prompt.
This is to be deployed to multiple stations, so having a script file to do this will be most convenient. I tried monitoring the registry for changes as I'm making the manual change but can't seem to figure out which values correspond to the change. If someone can provide the entire list of settings in the custom level window and what values to change them to, it will be greatly appreciated. There's probably over 20 settings there to Disable, Enable or Prompt.
Also will this apply to IE6-IE8 or are they different for each version?
Thanks.
This is to be deployed to multiple stations, so having a script file to do this will be most convenient. I tried monitoring the registry for changes as I'm making the manual change but can't seem to figure out which values correspond to the change. If someone can provide the entire list of settings in the custom level window and what values to change them to, it will be greatly appreciated. There's probably over 20 settings there to Disable, Enable or Prompt.
Also will this apply to IE6-IE8 or are they different for each version?
Thanks.
ASKER
As of now, we are not using Active Directory. They are mostly using workgroup names.
I actually need to change a bunch of other options in the Internet Options setting, but a majority of them are in the security level tab.
Is there any other way to accomplish this? It doesn't even need to be a script, as long as it's automated. My manager mentioned creating a .MSI install file to do this, but I'm not at all familiar with this.
Thanks.
I actually need to change a bunch of other options in the Internet Options setting, but a majority of them are in the security level tab.
Is there any other way to accomplish this? It doesn't even need to be a script, as long as it's automated. My manager mentioned creating a .MSI install file to do this, but I'm not at all familiar with this.
Thanks.
You could possibly use a registery monitor app (I believe sysinternals has one) and then use gpedit.msc on a client to make the changes you want. You could then export those settings from regedit and make a .reg file to import onto the rest of your computers.
regedit /s filename.reg would install the registry edits silently.
regedit /s filename.reg would install the registry edits silently.
ASKER
I tried using several different registry monitoring programs (including RegMon from SysInternals) but they don't help out much. RegMon actually displays all kinds of changes live and the list is constantly updating. Not even sure which entry may be responsible for the IE settings changes since it's constantly showing changes on the screen..
what are you looking to set specifically?
And when using Regmon, set the filter at the top to highlight "setvalue;create", and to only include "iexplore.exe;rundll32.exe
Filemon/Process Monitor/Regmon all take some tinkering until you get the right combo of highlighting, and processes down, before they are really easy to work with........
Filemon/Process Monitor/Regmon all take some tinkering until you get the right combo of highlighting, and processes down, before they are really easy to work with........
ASKER
Thanks johnb6767. I will set them to those settings and see how it works out.
I got the full documentation on what to change. It's actually everything in the security settings and more. I will attach it here. Mostly Vista, but needed for XP as well.
Hopefully RegMon will be able to post those specific changes that I'm after.
IE-Settings.doc
I got the full documentation on what to change. It's actually everything in the security settings and more. I will attach it here. Mostly Vista, but needed for XP as well.
Hopefully RegMon will be able to post those specific changes that I'm after.
IE-Settings.doc
ASKER
I tried the filtering and it's still too much data. I went after the red highlighted entries and there are over 20 lines shown. This is just from one change alone in the security settings. Can that many entries be modified with just a single change?
Do you know of any other way to do this (see attached file in earlier reply)? Perhaps a .cab file?
I don't mind doing this manually if I know where in the registry to look for these specific changes.
Thanks again.
Do you know of any other way to do this (see attached file in earlier reply)? Perhaps a .cab file?
I don't mind doing this manually if I know where in the registry to look for these specific changes.
Thanks again.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Use the Internet Explorer Maintenance Extension
http://technet.microsoft.c
As an alternative possibly?
http://technet.microsoft.c
As an alternative possibly?
ASKER
Perfect. Never used IEAK before but found it pretty self-explanatory once I installed it.
Anything similar for the Windows settings portion? This part at least I think I can do some searching for and finding out which registry entry is responsible for the changes. Probably a reg or batch file will do the job.
One thing I'm trying to get rid of is the security warning (yellow information bar on top in Internet Explorer). Once I applied these changes, I received the following error:
Your current security settings put your computer at risk. Click here to change your security settings...
Is there a quick method to suppress that message? I searched and saw posts that mention taking ownership of 3 files and then also applying the security changes to inherit those files in system32 folder.
Here's how to nuke Security Center off your system. This has been tested and there are no adverse effects from doing this.1. Go to Start --> Run and type "cmd" without the quotes. 2. Type "cd\" followed by "cd windows\system32". 3. Now run the following commands: takeown /f wscapi.dll takeown /f wscsvc.dll takeown /f wscui.cpl 4.Now you have ownership of the files. Go into the system32 directory inexplorer and right click each file, go to the security tab and add anentry for everyone and give them full access permissions. 5. Disable the Security Center Service via services.msc if you have not already done so. 6. In the system32 folder rename the three mentioned dll's (change their file extension to .bak). 7. To get rid of the Security Center service from services.msc drop to a command prompt and type the following: "REG DELETE HKLM\SYSTEM\CURRENTCONTROL
I don't mind doing that if it's all automated. I can write up a batch file to do a majority of this, but will be stuck in the permission stage where it requires me to inherit it from the Properties > Security tab. It looks like takeown only applies to Vista. Is there a similar command for XP?
There will be a group of computers that we want to apply these changes to. So any steps we can save in between will definitely speed up the deployment process.
All your help is greatly appreciated. Any additional help on the remaining problems will be appreciated as well.
Thanks.
Anything similar for the Windows settings portion? This part at least I think I can do some searching for and finding out which registry entry is responsible for the changes. Probably a reg or batch file will do the job.
One thing I'm trying to get rid of is the security warning (yellow information bar on top in Internet Explorer). Once I applied these changes, I received the following error:
Your current security settings put your computer at risk. Click here to change your security settings...
Is there a quick method to suppress that message? I searched and saw posts that mention taking ownership of 3 files and then also applying the security changes to inherit those files in system32 folder.
Here's how to nuke Security Center off your system. This has been tested and there are no adverse effects from doing this.1. Go to Start --> Run and type "cmd" without the quotes. 2. Type "cd\" followed by "cd windows\system32". 3. Now run the following commands: takeown /f wscapi.dll takeown /f wscsvc.dll takeown /f wscui.cpl 4.Now you have ownership of the files. Go into the system32 directory inexplorer and right click each file, go to the security tab and add anentry for everyone and give them full access permissions. 5. Disable the Security Center Service via services.msc if you have not already done so. 6. In the system32 folder rename the three mentioned dll's (change their file extension to .bak). 7. To get rid of the Security Center service from services.msc drop to a command prompt and type the following: "REG DELETE HKLM\SYSTEM\CURRENTCONTROL
I don't mind doing that if it's all automated. I can write up a batch file to do a majority of this, but will be stuck in the permission stage where it requires me to inherit it from the Properties > Security tab. It looks like takeown only applies to Vista. Is there a similar command for XP?
There will be a group of computers that we want to apply these changes to. So any steps we can save in between will definitely speed up the deployment process.
All your help is greatly appreciated. Any additional help on the remaining problems will be appreciated as well.
Thanks.
ASKER
I think I got most of them down now including the security message. Wrapping it up and will accept solution shortly.
Sorry for not repsonding sooner, wasnt online alot today in my email.....
Your ok now? Got all you needed figured out?
Your ok now? Got all you needed figured out?
User Configuration -> Administrative Template -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.
I don't know about IE6 but the settings works for both IE7 and IE8.