Solved

Enabling 2 GPO politics for users

Posted on 2011-09-26
2
1,809 Views
Last Modified: 2012-05-12
Hi,

we want to enable two GPO politics for all users :
1. - Automatic prompting for file downloads
2. - "Use SSL 3.0" and "Use TLS 1.0"

When we enabled them in location - see below, options in internet explorer are grayed out for all users and they cannot change it (enable/disable/uncheck USE TLS 1.0)
1. Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zoneshow/Automatic prompting for file downloads
2. Windows Components/Internet Explorer/Internet Control Panel/Advanced Page/Turn off encryption Support

Question is : How can we achieve that the settings will be set according description and users will have still option to change it.

Thank you.
0
Comment
Question by:ZUNO
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 36600648
Policies are firmly set and cannot be changed by design.  You will have to use a login script to acheive your goal.  You can run a simple script to set this flag, but your problem will be that the IE setting will be reset the next time the user logs on.  

If the user changes it, after the script is run, then once the user logs on the next time, it will re-apply.

Do you want this to happen, or would you like to just set this one time only?

The two registry values you want for the second policy are:

1.   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHTTP1_1

The SSL/TLS settings (USE SSL 2.0, USE SSL 3.0, USE TLS 1.0) are all combined into the following key...you want the second option:

2.   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols

1.   A value of "0" means that all 3 are unchecked
2.   A value of "160" means that USE SSL 3.0 and USE TLS 1.0 are checked and USE SSL 2.0 is not
3.   A value of "168" means that all 3 are checked.

Automatic prompting for file downloads is actually ZONE-specific.  Do you want to enable this for the "Internet" zone?

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones contains the zones:

0 = My Computer
1 = Local Intranet
2 = Trusted Sites
3 = Internet
4 = Restricted Sites
0
 

Author Closing Comment

by:ZUNO
ID: 36709656
Thank you for solution.
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
A hard and fast method for reducing Active Directory Administrators members.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question