Solved

Prevent users from changing proxy settings in Windows 10 Settings app/Edge browser

Posted on 2016-10-11
Last Modified: 2016-10-12
I use Group Policy to control Internet Explorer proxy settings.
The Connections tab is disabled, to prevent users circumventing the proxy filter by changing or turning off the settings.

In Windows 10, the Edge browser appears to use the same proxy settings - which is brilliant.
However, Windows 10 has a Settings app and within here, users can freely change proxy settings (Settings > Network & Internet > Proxy.)

How do we disable this section from standard users?

A couple of options I have at the moment are
1. Use a Software Restriction Policy or AppLocker to restrict/block the Settings executable
2. Remove a user's "write" permission to the proxy settings within the Registry

I guess I'm after a more official approach than those 2 options.

Please, only comment if you are familiar with Group Policy and domain based environments.

Kindest regards
Antonio
0
Question by:antonioking
22 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 41838781
"I guess I'm after a more official approach than those 2 options." - I wonder why you don't consider those 2 to be official. If I am not mistaken, I have seen this question frequently throughout the years and the solution was always to deploy an adapted registry key ACL.
0
 

Author Comment

by:antonioking
ID: 41838796
Good point, if there isn't any official Microsoft method to managing access then scripting or registry "hacks" would be a more favoured approach.

Registry hacks or scripts to manage settings are difficult to keep track of and manage, compared to an official GPO released by the software vendor
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41838803
"Registry hacks or scripts to manage settings are difficult to keep track of" - I disagree. The reporting tools find them. You can document them. No difference to official GPOs.
0
 

Author Comment

by:antonioking
ID: 41838817
I guess once the GPP is set it isn't going anywhere. Also I think it's possible to store comments on GPPs too so at least I can explain in the comment why the GPP is there.

So, to your knowledge, there isn't an official GPO setting to cover what I'm after?
0
 
LVL 56

Accepted Solution

by:
McKnife earned 2000 total points
ID: 41838830
I revisited those settings and was successful using this:
Prevent changing proxy settings @ User settings, Windows Components\Internet Explorer
It will also stop the settings app.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41838839
LOL!

Re-revisited the setting. Now I remember why my brain had saved the "use the registry-ACL": though this GPO prevents changes via the GUI, it sets no ACL, so users may open regedit and change their proxy setting.

->DO deploy a registry ACL on that key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
0
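
An added example, not part of the original thread: a PowerShell check, run in the user's session, that reports whether the "Prevent changing proxy settings" policy has been applied and whether the user can still write to the Internet Settings key named above. It assumes the policy is backed by the `Proxy` DWORD under `HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel` (confirm against inetres.admx in your environment); the function names are illustrative.

```powershell
# Added example (not from the thread). Run as the logged-on user.
$policyKey   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$policyValue = 'Proxy'   # assumed backing value of "Prevent changing proxy settings"
$settingsKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-ProxyPolicyApplied {
    # True when the policy value exists and is set to 1 for this user.
    $item = Get-ItemProperty -Path $policyKey -Name $policyValue -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$policyValue -eq 1)
}

function Test-UserCanWriteKey {
    param([Parameter(Mandatory)][string]$Path)

    # SIDs of the current user and of every group in the user's token.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids     = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    $setValue    = [int][System.Security.AccessControl.RegistryRights]::SetValue
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $rules       = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)

    $allowed = $false
    foreach ($rule in $rules) {
        # Inherit-only entries apply to subkeys, not to this key itself.
        if ($rule.PropagationFlags -band $inheritOnly) { continue }
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.RegistryRights -band $setValue) -eq 0) { continue }
        # Simplification: any matching Deny entry is treated as decisive.
        if ($rule.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

[pscustomobject]@{
    User            = $env:USERNAME
    PolicyApplied   = Test-ProxyPolicyApplied
    UserCanWriteKey = Test-UserCanWriteKey -Path $settingsKey
}
```

`PolicyApplied = True` together with `UserCanWriteKey = True` is the state described in the comment above: the GUI is locked, but the key's ACL still lets the user write to it.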
 

Author Comment

by:antonioking
ID: 41838857
We block access to the Registry for this reason!

But looks like changing registry permissions will ensure no other applications or "Windows 10 Settings app" can adjust them!

Thank you
0
 

Author Comment

by:antonioking
ID: 41839687
How do you deploy registry permissions for HKCU keys via GPO?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41839692
0
 

Author Comment

by:antonioking
ID: 41839696
Thanks, that covers HKLM keys. But what about HKCU?

IE/Edge proxy settings are saved within the HKCU.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41839820
It covers both, please look again.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41839824
Wait, give me an hour to look into this again.
0
 

Author Comment

by:antonioking
ID: 41839844
Step 10: Expand “Computer Configuration”, “Windows Settings” and select “Registry”
Step 12: Select the Registry Key that you want to set permissions on and click OK

Only options are CLASSES_ROOT, MACHINE and USERS.
I can't see any options for Current user or HKCU
0
 

Author Comment

by:antonioking
ID: 41839848
"Wait, give me an hour to look into this again."
OK :)

I think the only option is to use AppLocker or SRP to restrict the Settings executable from running.

If I removed users' write permissions on the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings key the user won't be able to save any other settings. Also, any other changes (that are stored in that key) deployed by GP to the user won't be able to be written to the registry.
0
 

Author Comment

by:antonioking
ID: 41839862
On second thoughts, blocking the SystemSettings.exe from executing is a bad move.
Users won't be able to change hundreds of harmless settings - such as display resolution.

There must be a way of locking down the Proxy settings within the app.
Windows is built for domains and corporate environments, why would they not allow administrators to lock down a function that could allow users to circumvent a corporations web filtering!
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41839882
Ok. You cannot use GPO to set an ACL of HKCU unless you use a logon script for it.
Since the user has full access on that very key, he may change his own permissions to read.
As a tool, I would use setacl, as shown in https://helgeklein.com/help-center/topic/batch-file-automating-windows-hkcu-registry-permissions
0
 

Author Comment

by:antonioking
ID: 41839933
As mentioned above, I do not want to adjust registry permissions.
If I removed users' write permissions on the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings key the user won't be able to save any other settings. Also, any other changes (that are stored in that key) deployed by GP to the user won't be able to be written to the registry.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41839950
Look, let me sort this:
You would like to prevent changing through the settings app: I showed a way using the aforementioned GPO. Then, I told you that although the GPO blocks changes through the GUI, the user could still edit the registry. You told me, you even disallow registry editing tools, so: problem solved.

If you wanted to block the registry changes without disallowing registry editing tools, you would need to use scripts and yes, those have the side effects that you describe, since we cannot write permissions on single regvalues, but only on keys.
0
 

Author Comment

by:antonioking
ID: 41839975
"You told me, you even disallow registry editing tools, so: problem solved."
We prohibit registry editing tools - but this does not stop the Settings app from writing to the registry when the user changes settings.

"If you wanted to block the registry changes"
On reflection, and as previously mentioned, I do not want to block registry changes.
Blocking that key will prevent Group Policy settings taking effect. It will also restrict many other settings within IE that the user may wish to customise.


Thanks for your assistance so far but I will continue pursuing a more "official" approach.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41839981
Sorry, you seem to overlook something. I tried it and found already in my third comment ( https://www.experts-exchange.com/questions/28975724/Prevent-users-from-changing-proxy-settings-in-Windows-10-Settings-app-Edge-browser.html?anchor=a41839975#a41838830 ) how to stop the settings app. I thought you had read that.
0
 

Author Closing Comment

by:antonioking
ID: 41840002
Apologies, I thought your 4th comment was in reply to your 3rd comment.
I have set Prevent changing proxy settings to enabled and it disables the fields within the Settings app!

Thank you very much for your assistance, and apologies I overlooked one of your very first suggestions!
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41840006
You are welcome.
0
