troubleshooting Question

Blocking IE with Group Policy

Avatar of j9benoit
j9benoitFlag for Afghanistan asked on
Web BrowsersExchangeActive Directory
7 Comments1 Solution831 ViewsLast Modified:
So the situation is I have a group of computer that I need to restrict internet access on. I would like to do this in Group Policy so that I can just add a computer to the group if I need this to apply to further computers in the future. After trying numerous "solutions" the only one that I have found to work is the following:

In group policy navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Software restrictions

From there I created a new software restriction policy and it created a Security Levels and an Additional Rules. Under the additional rules I tried creating a Network Zone Rule for "internet" and that did not work. I also tried creating a New Hash Rule and navigating to the iexplorer.exe. It populated the data correctly but when I tested it the computers could still open internet explorer. Finaly I added a New Path Rule and selected the entire Internet explorer folder. This worked when I tested it, giving me the message that this application was blocked by group policy.

So after this I noticed that any user could go into that folder and copy the .exe to a different location or bring in a different .exe and run this and it would work fine.

So my question is how do I prevent this from running period, no matter where the executable is? I know I can sit down at each machine and spoof the connection settings to run at a fake proxy and then disable them from changing the connection settings but I don't want to have to go to each computer and change this. I know there is a setting under user configuration to do this but I want it to be on a per computer basis, not per user basis. In addition when I tested this out on a single user account it still did not apply the settings.

I believe that the AD and Group Policy is from a Windows Server 2003 format and the machines that we are doing this on are Windows 7.
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 1 Answer and 7 Comments.
Join the Community
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 7 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros