GPO for IE

This should be easy but I have yet to solve it or find a fix.
I would like to use GPO to apply a 'run as' setting so only admins can run IE.
Server 2012 DC and Win7 desktops.
brianmultilanguage MIS/NA Asked:

arnold Commented:
This is a rule you would configure for which application cannot be run, applied only to Domain Users; as long as an account is not a member of the Domain Users group, it will be permitted to run iexplore.exe.
GPO: deny Domain Users rights to run iexplore.exe
Domain Users is the security filter
User Configuration\Windows Settings\Security Settings\Software Restriction Policies
New policy
Under Additional Rules, add a new path rule and set the app you want to block.
Add iexplore.exe here.

Test it first, apply it to two specific users while using a WMI filter to exclude the user that is an ADMIN.
The WMI filter should exclude all users that are "Admins"
Then see if it works restricting one while allowing the other.
At which point you will be able to apply to the domain users group and be done with it.

Depending on your settings, some users might be able to get Chrome running from within their profile.

Another approach, instead of denying the use of an application, is restricting who can get through by using a proxy.

Do you have an enterprise-wide central antivirus product? Often those have application restrictions as well.

If you have admins that are part of the Domain Users group, you would need to use a WMI filter to exclude them.

Not sure what you mean by the 'run as' rule?
dan_blagut Commented:
Hello

First: All users are members of Domain Users.
Second: Windows Explorer can be used like Internet Explorer, and the Firefox portable version can be another way to circumvent this restriction.

If you need to block Web browsing from the servers, do it with your firewall.

Dan
kevinhsieh Commented:
Not sure what would break if IE was disabled. I would try setting the NTFS permissions on iexplore.exe to Administrators and SYSTEM to full, and remove all other permissions. Do not use the deny permission as that can lead to unintended consequences if not done very carefully.
brianmultilanguage MIS/NA Author Commented:
Hi all. Even though a DC with GPO should be able to simply set permissions for an exe for users, apparently MS has overlooked this control feature. Not having control over what a user can run seems a paramount thing to not have these days.

This proved to be the simple solution, followed by using PDQ to push it out to the users.
http://www.howtogeek.com/180803/how-to-block-an-application-or-.exe-from-running-in-windows/

Thanks
kevinhsieh Commented:
Nice!
dan_blagut Commented:
Brian,

The solution is used for other than Windows Pro clients. You can deploy the same using an AppLocker GPO:
http://www.grouppolicy.biz/2010/04/how-to-configure-applocker-group-policy-in-windows-7-to-block-third-party-browsers/
Anyway, if you prefer to do it using the registry, you can convert it all to a GPO and then deploy it using a "reg2gpo" tool.
All these methods will be centralised, and can be traced and suppressed easily. If not, it is better that you document everything.

Dan
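
The AppLocker route suggested in the last reply, written out as an added example that is not part of any poster's answer: it builds an EXE rule set in which only local Administrators may start iexplore.exe and dry-runs it for a standard user before it goes near a GPO. It assumes an AppLocker-capable edition (Windows 7 Enterprise or Ultimate); `CONTOSO\testuser`, the domain name and the GPO GUID are placeholders.

```powershell
# Added example, not from the thread. CONTOSO\testuser and the GPO path are placeholders.
Import-Module AppLocker
$policyPath = Join-Path $env:TEMP 'ie-admins-only.xml'
$id = { [guid]::NewGuid().ToString() }   # every rule needs its own Id

# The three rules mirror AppLocker's default EXE rules, plus one exception:
#  - Everyone (S-1-1-0) may run from Program Files and Windows, except iexplore.exe
#  - BUILTIN\Administrators (S-1-5-32-544) may run any file, IE included
# %PROGRAMFILES% in an AppLocker path covers Program Files and Program Files (x86).
# AuditOnly logs what would be blocked without blocking; set Enabled after review.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(& $id)" Name="Program Files except IE" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%PROGRAMFILES%\Internet Explorer\iexplore.exe" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$(& $id)" Name="Windows folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(& $id)" Name="Administrators: all files" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $xml -Encoding UTF8

# Dry run: evaluate the policy for a standard (non-admin) account.
$ie = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $ie -User 'CONTOSO\testuser' |
    Format-List FilePath, PolicyDecision, MatchingRule

# After review, write the policy into the GPO linked to the Win7 desktops.
# Set-AppLockerPolicy -XmlPolicy $policyPath `
#     -Ldap 'LDAP://CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=contoso,DC=com'
```

Once the collection is switched to Enabled, standard users can also no longer start executables from their profile, which covers the portable-browser workaround raised in the thread; clients need the Application Identity service running for the rules to apply. Audited and blocked launches are recorded in the Microsoft-Windows-AppLocker/EXE and DLL event log as event IDs 8003 and 8004.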
