View Full Version : Win xp & Internet Options

Craig Stewart
29-06-2002, 10:04 AM
I am using Win xp Prof with NTFS file system at home on a single computer. I am the Administrator and I understand how to restrict permissions for Users for things like printer, specific software and so on. Is there any way I can restrict the Users from altering any of the Internet Options in IE6? Things like clearing history, deleting cookies etc. I do have control over the Content settings but would like to restrict the whole thing if I can.

Babe Ruth
29-06-2002, 10:27 AM

On your local WinXP Pro pc use Help and Support Center: doing a search on
Policy Internet Explorer

will/should give a number of results. E.g. "Administering Internet Explorer",
"Using administrative tools in Microsoft Management Console", "Using Group Policy"

If you are connected to the internet at the same time as doing the search you
should also get approximately 15 MS KnowledgeBase articles.

The way I have done what you wish to do is through the settings of GROUP POLICY
using the snap-in with the MMC (Microsoft Management Console) (See under Local Computer Policy,
User Configuration, Windows Settings, Internet Explorer Maintenance and also
Local Computer Policy, User Configuration, Administrative templates, Windows Components,
Internet Explorer)

Take your time and test test test (with a test user or group) when applying GPs
against users and/or groups on your pc.

Cheers, Babe.

Craig Stewart
29-06-2002, 11:01 AM
Sorted. You're a babe, Ruth. Many thanks.

Babe Ruth
29-06-2002, 12:08 PM
Jeessh Craig... you're making me blush!!

Glad to be able to help.

Cheers, Babe.

Craig Stewart
29-06-2002, 05:29 PM
Hey Babe

Thanks again for answering my post. I have now got the Internet Options blanked off for the Users but it is also blanked for the Administrator. I have set this up under User Configuration (rather than Computer Config) in Local Computer Policy (under Group Policy). Is there any way that I can retain the Options for the Administrator but blanked for the Users?

Would appreciate your expert advice.

Craig Stewart
04-07-2002, 06:22 AM
I hope it's OK to re-post my query under this thread.

To summarise: I am a home user with WinXP Pro and NTFS on a single computer. I am keen to disable access by the Users to the Internet Options under 'Tools' in Internet Explorer 6.

Following Babe's lead, I have got as far as being able to do this by enabling various options for Internet Explorer Control Panel under User Configuration in Local Computer Policy. This works pretty much as I wanted but the restriction is applying to all users (as opposed to Users) i.e. including me as the Adminstrator. Is there any way I can have the restriction applying to the Users but not to the Administrator? I have already checked that the Admin account is not inadvertently included in the list of User accounts.

Would appreciate any suggestions.

Craig Stewart
05-07-2002, 07:04 AM
I have to admit to being guilty of also posting my query on the TweakXP.com forum, where a bloke (blokess?) called Binary posted the following answer - which worked perfectly - copied below in case anyone is interested:


Hope this gets you started:

Making Different Settings for Different Users

Centrally managed Group Policy settings—that is, those that are stored in Active Directory in Windows .NET Server or Windows 2000 Server—can be applied to individual users, computers, or groups of either. You can have multiple sets of Active Directory–based Group Policy objects, allowing you to create an entirely different collection of settings for different users or computers.

Such is not the case with local Group Policy. Local Group Policy settings apply to all users who log on to the computer. (If the computer is joined to a domain, however, the local settings might be overridden by Active Directory–based settings. For details, see "How Local Group Policy Settings Interact with Active Directory–Based Group Policy Settings.") You can’t have multiple sets of local Group Policy objects.

Although you can’t have customized settings for each of several different groups, you can effectively have two groups of users: those who are affected by local Group Policy settings and those who are not. This duality affects only the User Configuration settings; Computer Configuration settings are applied before anyone logs on.

You can do this because local Group Policy depends on users having Read access to the local Group Policy object, which is stored in the %SystemRoot%\System32\ GroupPolicy folder. Policies are not applied to users who do not have Read access; therefore, by denying Read access to administrators or others whom you don’t want to restrict, you free those users from control by group policies. To use this method, follow these steps:

Make the Group Policy setting changes that you want.
In Windows Explorer, right-click the %SystemRoot%\System32\GroupPolicy folder and choose Properties. (GroupPolicy is a hidden folder; if you can’t find it in System32, choose Tools, Folder Options, View, Show Hidden Files And Folders.)
On the Security tab of the GroupPolicy Properties dialog box, select the Administrators group and select the Deny check box for the Read permission. (If you want to exclude any other users or groups from Group Policy control, add them to the Group Or User Names list and then deny their Read permission.)

You must deny the Read permission rather than simply clear the Allow check box. Otherwise, all users would continue to inherit Read permission because of their automatic membership in the Authenticated Users group.
At your next logon using one of the Read-disabled user accounts, you’ll find that you’re no longer encumbered by Group Policy settings. Without Read permission, however, you’ll find that you’re also unable to run Group Policy—so you can’t view or modify Group Policy settings. To regain that power, you need to revisit the Group Policy Properties dialog box and grant yourself Full Control permission.

Keep in mind that, even without the aforementioned security shenanigans, the default security settings effectively produce two groups of users. Although the local Group Policy settings apply to all users (clarification: all users who have Read access to the local Group Policy object), only members of the local Administrators group can view or change these settings.

If customizing the effects of Group Policy settings based on group membership is important to you, you should install Windows .NET Server or Windows 2000 Server and set up Active Directory. But the methods described in this section can provide an easy compromise solution.

[From: Windows XP Inside Out]