A Few Group Policy Questions

Tutorials Win: Microsoft Windows Forum

Hi everyone,

I have an XP Pro SP2 machine that will be shared by several family members
and I have a few questions about Group Policies. Active Directory is not
involved here.

In the Group Policy Editor (gpedit.msc) I want to turn off IE's prompt to
download ActiveX Controls. The setting for this is at:

User Configuration
Administrative Templates
Windows Components
Internet Explorer
Security Features
Restrict ActiveX Install
Internet Explorer Process = Enabled

After setting this policy I log off and then log back on but I am still able
to download an ActiveX component (Acrobate Reader, for example). It seems the
GP setting is not taking affect. Any ideas why?

A follow up question is this: My understanding is that, contrary to the
name, "User Configuration" policies apply to *all* users, not individual
users. So, setting the poilicy for one user account affects *all* accounts on
the machine. If this is true, why does the Group Policy editor have separate
sections for "User Configuration" and "System Configuration"?

Perhaps it *is* possible to specify separate policies for different
accounts. This is ultimately what I want to do. I have an idea on how to do
this (by copying .pol files and invoking gpupdate.exe) but the fact that
ActiveX installations cannot be turned off is stopping me dead in my tracks.

Thanks much.
--
Tom Baxter
Top

Re: A Few Group Policy Questions by Doug

Doug
Fri Apr 18 22:53:42 PDT 2008

Hi Tom,

I can't answer your question on the ActiveX issue, but........... Some
Group Policies are machine wide, and others are based on the user level.
Policies may be applied to the Standard User, but not to Power User and etc.
In a domain environment, its usually the Group membership that determines
how policies are applied. I've written a utility that allows application of
a number of Group Policy settings on a per-user basis, in a non-domain
enviroment.

Essentially, Group Policies are nothing more than Registry entries that say
what can be done on a particular computer, or by a user group, or a specific
user. They are enforced because Windows loads the Group Policy entries
before anything else, so these restrictions are applied before the user ever
gets to the Desktop.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart
Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Tom Baxter" <tlbaxter99@newsgroup.nospam> wrote in message
news:983B6EBC-B3C1-4B3B-B5B4-A43A3E3DBE7F@microsoft.com...
> Hi everyone,
>
> I have an XP Pro SP2 machine that will be shared by several family members
> and I have a few questions about Group Policies. Active Directory is not
> involved here.
>
> In the Group Policy Editor (gpedit.msc) I want to turn off IE's prompt to
> download ActiveX Controls. The setting for this is at:
>
> User Configuration
> Administrative Templates
> Windows Components
> Internet Explorer
> Security Features
> Restrict ActiveX Install
> Internet Explorer Process = Enabled
>
> After setting this policy I log off and then log back on but I am still
> able
> to download an ActiveX component (Acrobate Reader, for example). It seems
> the
> GP setting is not taking affect. Any ideas why?
>
> A follow up question is this: My understanding is that, contrary to the
> name, "User Configuration" policies apply to *all* users, not individual
> users. So, setting the poilicy for one user account affects *all* accounts
> on
> the machine. If this is true, why does the Group Policy editor have
> separate
> sections for "User Configuration" and "System Configuration"?
>
> Perhaps it *is* possible to specify separate policies for different
> accounts. This is ultimately what I want to do. I have an idea on how to
> do
> this (by copying .pol files and invoking gpupdate.exe) but the fact that
> ActiveX installations cannot be turned off is stopping me dead in my
> tracks.
>
> Thanks much.
> --
> Tom Baxter

Top