[ActiveDir] Wierdness with IE Proxy GPO settings

[Frost . David]

I am having trouble making sense of IE proxy GPO settings.  Any Thoughts much appreciated.

 

I have defined the IE proxies in the Default Domain Policy for all Domain Users.  Everything (IE and other apps that use IE proxy config) works fine for normal logins.  The Weird things start happening under two situations.  1) if you have an OU that needs a different set of proxies, and 2) if you have system services that want to go out to the internet for updates (say Symantec AV and Windows Updates) automatically.

 

Under situation 1) If you create a new Policy linked to the OU that holds only computer objects (users in other OUs) and has a bunch of OU specific settings  both under the Computer and User , and you enable loopback processing in Replace Mode, all the User settings, like display, themes, screensaver etc, get applied properly EXCEPT the IE proxy Setting from the OU policy.  Using the GPMC RSoP the IE proxies are always applied from the Default Domain Policy even though the Default policy in not set to enforced.  I have set the Mode to Preference and enabled the computer setting make proxies per machine rather than Per user. (this strikes me as a odd setting, as there is nowhere in the computer section to set the proxies, it only appears as a user setting.)

 

2)  When we upgraded our SAV to V8.1, live update on member servers stopped working to the Internet automatically.  If you logged on to the server and manually launched live update it worked fine.  On of my co-workers tracked this back to a Symantec bulletin that indicated proxies were the issue.  When you run RSoP on the server for Computer settings only, there is no user data (and therefore IE proxy settings) shown.  If you run the Modeling from GPMC on the server for computer settings only without loopback processing, no IP proxy settings.  With Loopback enabled, low and behold, IE proxy settings show up.  So the obvious answer is to enable loopback processing.  Based on my experience in scenario 1, I can say that loopback processing for IE proxies on an OU specific policy does not work for me.  That would mean I would have to enable loopback processing on the default domain policy.  Based on our initial lab tests, this does not seem to work.  Even if it did, I am not sure I want to enable loopback on the default domain policy.