Locking Down IE for a terminal server

Hi Experts,

We have a terminal server accessible to clients. Presently Internet Explorer is not enabled for users. However, one user requires access for an application they run.

I can restrict access so that she can run IE, but I wanted to lock down IE as much as possible, both for security and so as to deter her from abusing this access.

What GPOs would you consider best practice in this matter?
James Glen (IT Engineer) Asked:
 
Hir0 Commented:
Here are the policies I use to lock down IE and Control Panel applets as well.
User-Policy---Standard-User---Co.htm
User-Policy---Standard-User---In.htm
 
Viral Rathod (Consultant) Commented:
Hi FSIFM,

You create a GPO policy for IE to use proxy server 1.1.1.1.

Do not give users the option to change the proxy server.

This way the user will be able to see the internal website but can't go outside the network.
 
James Glen (IT Engineer, Author) Commented:
Hi viralrathod,

Unfortunately it's an external site they need access to for this application.
 
Viral Rathod (Consultant) Commented:
Hi FSIFM,

You can use Content Advisor.

Content Advisor is a tool for controlling the types of content that your computer can access on the Internet. After you turn on Content Advisor, only rated content that meets or exceeds your criteria can be viewed. You can adjust the settings to suit your preferences.

http://windows.microsoft.com/en-in/windows7/internet-explorer-content-advisor-frequently-asked-questions
 
barrykfl Commented:
I used policy + Registry, hard coded the IE, then no change and no bar, cannot edit the address.
 
James Glen (IT Engineer, Author) Commented:
Hi Barry,

What policies did you use?
 
James Glen (IT Engineer, Author) Commented:
Pretty much I need to allow IE access to all sites, but lock it down to be as secure as possible and prevent the user from doing anything that could be malicious.
 
Hir0 Commented:
I usually use a whitelist approach. Just lock down the Internet Zone and add the site or sites you wish to allow unrestricted access to your Trusted Sites list. See attached group policy reports for some ideas.

You can add sites to your "whitelist" by adding domains to User Configuration > Policies > Admin Templates > Windows Components > Internet Explorer > Internet Control Panel > Site to zone assignment list.

For instance, to add the google domain to the Trusted sites zone you would use http://*.google.com as the domain and 2 as the zone number.

Hope this gets you in the right direction.
User-Policy---Employee---IE---Tr.htm
User-Policy---Employee---IE---In.htm
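
To check what the Site to Zone Assignment List described in the post above actually applied on the terminal server, here is an added example (not from the thread or its attachments) that reads the policy's registry entries and flags Trusted Sites entries worth a second look. The review rules and the sample entries are assumptions constructed for this example.

```powershell
# Added example: audit the "Site to Zone Assignment List" policy (read-only).
# Zone numbers used by the policy: 1 Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites.
$ZoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }

# Registry location where the policy stores its entries (value name = site, data = zone number).
$PolicyKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-ZoneMapPolicy {
    # Reads the policy entries for the current user (HKCU) and the machine (HKLM).
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $path = Join-Path $hive $PolicyKey
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Scope = $hive; Site = $name; Zone = [string]$key.GetValue($name) }
        }
    }
}

function Test-ZoneMapEntry {
    # Hypothetical review rules (assumptions for this example, not a Microsoft baseline).
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        $notes = @()
        if (-not $ZoneNames.ContainsKey($Entry.Zone)) { $notes += 'unknown zone number' }
        if ($Entry.Zone -eq '2') {
            if ($Entry.Site -notmatch '^https://') { $notes += 'Trusted site not pinned to https' }
            if ($Entry.Site -match '^(\w+://)?\*\.[^.]+$') { $notes += 'wildcard covers a whole TLD' }
        }
        [pscustomobject]@{
            Scope = $Entry.Scope; Site = $Entry.Site
            Zone  = $ZoneNames[$Entry.Zone]; Review = ($notes -join '; ')
        }
    }
}

$entries = @(Get-ZoneMapPolicy)
if (-not $entries) {
    # Constructed sample so the script shows output on a machine without the policy.
    $entries = @(
        [pscustomobject]@{ Scope = 'sample'; Site = 'http://*.google.com';     Zone = '2' }
        [pscustomobject]@{ Scope = 'sample'; Site = 'https://crm.example.com'; Zone = '2' }
        [pscustomobject]@{ Scope = 'sample'; Site = '*.com';                   Zone = '2' }
    )
}
$entries | Test-ZoneMapEntry | Format-Table -AutoSize
```

Run it in the restricted user's session after `gpupdate` so the HKCU entries reflect that user's policy rather than an administrator's.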
 
ZabagaR Commented:
Aside from policies and Content Advisor, how about providing this terminal user with a shortcut that launches Internet Explorer in kiosk mode? Make a shortcut to run iexplore.exe -k

That removes the toolbar at the top completely.
 
Hir0 Commented:
What stops the user from creating a hyperlink in any application and launching the desired website from there?
 
James Glen (IT Engineer, Author) Commented:
Kiosk mode sounds good, but unfortunately the user won't be launching IE from a shortcut. The reason for allowing IE access is the client has an application that automatically wild card searches companies that are entered into it (it's a sales type program) and then ties their websites as links against their files.

As a result the sites they may visit could be anything, so I'm not so much concerned with restricting the sites available to them, more locking IE down to limit any damage they could do and deter them from using it outside of the application.
 
James Glen (IT Engineer, Author) Commented:
Hiro,

Cheers for the policies mate, I'll definitely take a look at them and use them as a template.
 
Hir0 Commented:
They are pretty tight, so you may have to loosen up a bit or you'll find yourself adding sites to the whitelist all the time, but it should be a great place to start. Glad to help :)
Question has a verified solution.