We help IT Professionals succeed at work.

How to control IE7 Privacy level with group policy?

In Internet Explorer 7, there's a slider in the internet options tab "Privacy". We need to set the level to "Medium" (which is default) to adjust this setting in all user profiles (TS environment, W2k8 Server). Is there a way to do this with a GPO?

Thank you
Comment
Watch Question

Justin OwensITIL Problem Manager

Commented:
Yes, IE7 can be managed with GPO.  Possible settings:
http://www.ie-vista.com/group_policy.html
Here is the administrative template for IE7 in GPO if you need it:
http://www.microsoft.com/downloads/details.aspx?FamilyID=11ab3e81-6462-4fda-8ee5-fcb8264c44b1&displaylang=en
Justin

Author

Commented:
Thanks, but I already took a look at this ADM file. There's no possibility to set the privacy level...

Chris
Justin OwensITIL Problem Manager

Commented:
Yes, it does, but indirectly...
User Settings --> Windows Components --> Internet Explorer --> Internet Control Panel --> Security Page --> Internet Zone
You can set the policies individually here to be the same as what a "Medium" privacy setting would produce.
 

Author

Commented:
So, can you tell me which setting(s) affect the cookie handling? I can't find any.

Chris
Justin OwensITIL Problem Manager

Commented:

The settings which control cookies are under the HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Internet Settings\P3P\ History registry key.
To accept cookies from a domain, create a new subkey and give it a default DWORD value of 1. For example, to accept cookies from the microsoft.com domain, create the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Internet Settings\P3P\History\microsoft. com subkey and gave it a default DWORD value of 1.
You can't use regedit to create a subkey with a default DWORD. (When you create a subkey, regedit automatically creates a default REG_SZ value.) So, use .reg files to create the subkeys. For example, Figure 1 shows the .reg file for creating the microsoft. com subkey.
Then write a batch file that uses the reg. exe utility to read and apply the .reg files. (Reg .exe is built into Windows Server 2003 and is part of the Windows 2000 Support Tools.)
Finally, insert the batch file in a Group Policy Object (GPO) under User Configuration\Window Settings\Script\Logon Scripts.
With this solution, you can allow cookies but prevent users from downloading unwanted and possibly malicious files and ActiveX objects. Because the solution uses Group Policy, it's easy and quick to implement.


Figure-01.jpg

Author

Commented:
Thank you for these instructions, but we don't want the IE to accept cookies from a list of domains. The cookie handling should generally be set to the "medium" level, as shown in the following screenshot of the IE7 privacy tab. Can this be done with GPO?

ie7-privacy.png
ITIL Problem Manager
Commented:
In that case, the only way to handle that via GPO is to snapshot your registry with the setting on something else, compare that to a snapshot of the registry with the same setting.  Find the key(s) which changed.  Write a login script to facilitate that change in the registry.  I don't have an IE7 machine handy to test with, or else I would tell you where those keys were.
Justin

Author

Commented:
The "solution" I got was the one that I hoped not to get, because I assumed that there must be another way to handle this.