John, Interesting that you even mention this. I have a reg file that sets the zones on IE via directly modding the registry in just this manner. We've got about 25k seats of Inbound/Outbound 'Out-sourced marketers' (yeah, I can even put lipstick on a pig like Telemarketing!) and we have to lock them down to ONLY what we want them to do.
If anyone wants a copy o it, let me know. I'll shoot it off to you... Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 "Any sufficiently advanced technology is indistinguishable from magic." --- Arthur C. Clarke > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of > Bjelke John A Contr AFRL/VSIO > Sent: Wednesday, October 16, 2002 12:12 PM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] Disable IE via GPO > > > Well, you *could* write code into his login script that sets > the IE security preferences for the Restricted Zones, and > then undoes it in the "standard" login script so that others > are not affected... > That would probably be a good script to hang onto for future > offenders as well. > Add his web-mail site to the restricted zones on a test pc, > then export HKEY_CURRENT_USER\Software\ > Microsoft\Windows\Current Version\Internet > Settings\ZoneMap\Domains to a REG file. In his logon script, > copy this reg file to a temp on the system and run it. For > the "clean up" in the normal script, find the specific entry > and delete it, maybe? > > I would also suggest drafting an "acceptable use" policy to > run by the powers that be, maybe through your IT boss... the > worst they can do is say "We're not concerned". At best, you > might gain some leverage on stopping things like this. > Good luck! -JB > > -----Original Message----- > From: James Liddil [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, October 16, 2002 9:28 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Disable IE via GPO > > > "We" don't have a policy in place the prevents folks from > reading yahoo, hotmail etc. So if I have our firewall > configured to block this I'm sure I'd immediately be > blacklisted by end users. I could just as easily use McAffee > EPO and add these various webmail URLs and block them. Until > management decides this is a business critical issue I won't > go there. But I certainly have considered the idea along > with blocking IM traffic. > > Jim Liddil > > > -----Original Message----- > > From: Bjelke John A Contr AFRL/VSIO > > [mailto:[EMAIL PROTECTED]] > > Sent: Tuesday, October 15, 2002 4:22 PM > > To: '[EMAIL PROTECTED]' > > Subject: RE: [ActiveDir] Disable IE via GPO > > > > > > Why not block his web-mail site @ the firewall? He might have > > legitimate project related need for web access, but if you > > can point to virus infections from his web-based email you > > should be able to justify blocking the site for everyone. > > John A. Bjelke > > Unisys > > 505.853.6774 > > [EMAIL PROTECTED] > > Man will occasionally stumble over the truth, but most times > > he will pick > > himself up and carry on... - Winston Churchill > > > > > > -----Original Message----- > > From: James Liddil [mailto:[EMAIL PROTECTED]] > > Sent: Tuesday, October 15, 2002 1:54 PM > > To: [EMAIL PROTECTED] > > Subject: [ActiveDir] Disable IE via GPO > > > > > > W2K/Exchange2K Environment. We have a visiting scientist who > > I was asked to give an account to. Turns out he has been > > reading his web mail and it is highly infected based on the > > number of alerts I got. The one machine he uses I have > > pulled of the internet. But I now find he went to another > > machine and did some web mail (virus alert again). So at > > this point my hands are tied by the managements lack of > > policies. So I need a way to prevent him from using IE > > regardless of the machine. It seems in GPO I can lock it > > down but not totally disable it. Or is there a way? > > > > Jim Liddil > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > List info : > > http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/