Link to home
Create AccountLog in
Avatar of BrianSDG
BrianSDGFlag for United States of America

asked on

Group Policy change to Local Intranet Zone

I want to push a change through Group Policy to alter IE Security Settings.  I want to change the settings for "Download unsigned ActiveX Controls" and "Initialize and Script ActiveX controls not marked as safe for scripting" to Enabled for the Local Intranet zone.  I know I can do this in either Computer Configuration or User Configuration.  Our AD is set up to mainly apply policy to the machine since we are hospital and have so many machines that multiple people use.  My question is how can I configure the GPO to apply the setting to all users who log on to the machine but also allow administrators to change the setting on the local machine?

We have a 2008R2 domain environment.
Avatar of Sudeep Sharma
Sudeep Sharma
Flag of India image

For most of the setting applied via GP, Computer Configuration has preference over User Configuration. So any changes made to Computer Configuration would work no matter what User Configuration is.

Further, does the administrators are local administrator or domain administrator? Group Policy would not apply on Local administrator.

Configure a policy for users to set the settings you want.  Change the security filtering on the policy and grant the permission for Deny: Apply Group Policy to Administrators (or domain admins, whoever).

You will edit the policy, go to the very top of the tree in gpedit, right click on it, and select Security and apply the permissions.  

Avatar of BrianSDG



Can you give me some more detail.  I'm not quite following your comment.  I have already configured a test GPO for the above settings.  I configured the settings in computer configuration / Policies / Administrative templates / Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone.  The GPO works fine but when I, a domain admin, log onto the client PC I cannot change the settings, not that I expected to.  The problem is I want to be able to change them.  I want to have these settings pushed out as the default for any user logging onto the machine but also be able to change the setting on the local machine if that user is an Administrator on the machine.  Hope that gives you more detail as to what I am asking.

Thanks for your response.
Avatar of Coralon
Flag of United States of America image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account