I have server 2008 R2 running as my domain controllers. All of my users are in one of 2 OU's. With this Zero Day attack and more revelations of the complete uselessness of IE, I want to block all but a few people from using IE. I hastily have it set up more or less the opposite of what I want. I have an ie deny group and then I have a GPO set to prevent iexplore.exe from running. I would rather it be set so that perhaps for all domain users users iexplore will not run, but if you are in the allow group it will run.
I imagine I would have 2 GPO's one for allow and one for deny deny would encompass my 2 OU's and allow would encompass an allow group.
Please help me clear this up.
Thanks in Advance