Solved

Enabling 2 GPO politics for users

Posted on 2011-09-26
2
1,785 Views
Last Modified: 2012-05-12
Hi,

we want to enable two GPO politics for all users :
1. - Automatic prompting for file downloads
2. - "Use SSL 3.0" and "Use TLS 1.0"

When we enabled them in location - see below, options in internet explorer are grayed out for all users and they cannot change it (enable/disable/uncheck USE TLS 1.0)
1. Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zoneshow/Automatic prompting for file downloads
2. Windows Components/Internet Explorer/Internet Control Panel/Advanced Page/Turn off encryption Support

Question is : How can we achieve that the settings will be set according description and users will have still option to change it.

Thank you.
0
Comment
Question by:ZUNO
2 Comments
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 36600648
Policies are firmly set and cannot be changed by design.  You will have to use a login script to acheive your goal.  You can run a simple script to set this flag, but your problem will be that the IE setting will be reset the next time the user logs on.  

If the user changes it, after the script is run, then once the user logs on the next time, it will re-apply.

Do you want this to happen, or would you like to just set this one time only?

The two registry values you want for the second policy are:

1.   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHTTP1_1

The SSL/TLS settings (USE SSL 2.0, USE SSL 3.0, USE TLS 1.0) are all combined into the following key...you want the second option:

2.   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols

1.   A value of "0" means that all 3 are unchecked
2.   A value of "160" means that USE SSL 3.0 and USE TLS 1.0 are checked and USE SSL 2.0 is not
3.   A value of "168" means that all 3 are checked.

Automatic prompting for file downloads is actually ZONE-specific.  Do you want to enable this for the "Internet" zone?

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones contains the zones:

0 = My Computer
1 = Local Intranet
2 = Trusted Sites
3 = Internet
4 = Restricted Sites
0
 

Author Closing Comment

by:ZUNO
ID: 36709656
Thank you for solution.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question