Hi,
We have (finally) decided that we need to control all Internet Explorer settings on workstations but have run into the following issues. I would appreciate other people's comments on them:-
1. We are selecting the Microsoft defaults as a starting point. Can anyone provide a resource which explains what each of the settings means and why you would choose particular values in particular zones?
2. We find the policy management of IE too constricting. It enforces all settings or none. You can't say "Manage all settings except this one". We are looking at writing an ADM Template that gives you full flexibility to set any setting to any value or to leave it alone. Does anyone have such an ADM template and is it a "bad idea"?
3. We have a rogue user who has added sites to the trusted list and activated "Initialize and script ActiveX controls not marked as safe". We have explained to him that this means any sites in the trusted list can then do anything on the workstation, but to no avail. (We even warned that they can run ActiveX controls to delete domain accounts etc. if the user is an administrator, which I hope is correct!) We are proposing a compromise of creating a 5th IE Zone which:-
- is locked down to their two sites
- has "Initialize and script ActiveX controls not marked as safe" activated
- is not visible in the security tab of IE options
- has all other IE settings disabled
Although still dangerous, are there any other problems going this route?
Alan Cuthbertson