RE: [ActiveDir] Blocking IE7

[Laura A. Robinson]

" Toolkit Components: The toolkit contains two components: An executable blocker script A Group Policy Administrative Template (.ADM file) Blocker Script The script creates a registry key and sets the associated value to block or unblock (depending on the command-line option used) automatic delivery of Internet Explorer 7 on either the local machine or a remote target machine. Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0 Key value name: DoNotAllowIE70 When the key value name is not defined, distribution is not blocked. When the key value name is set to 0, distribution is not blocked. When the key value name is set to 1, distribution is blocked. The script has the following command-line syntax:      IE70Blocker.cmd [<machine name>] [/B] [/U] [/H] Machine Name The <machine name> parameter is optional. If not specified, the action is performed on the local machine. Otherwise, the remote machine is accessed via the remote registry capabilities of the REG command. If the remote registry can’t be accessed due to security permissions or the remote machine can’t be found, an error message is returned from the REG command. Switches Switches used by the script are mutually exclusive and only the first valid switch from a given command is acted on. The Script can be run multiple times on the same machine without problem. /B - Blocks distribution /U - Unblocks distribution /H or /? - Displays the following summary help:                  This tool can be used to remotely block or unblock the delivery of                  Internet Explorer 7 via Automatic Updates.                  ------------------------------------------------------------                  Usage:                  IE70Blocker.cmd [<machine name>] [/B][/U][/H]                  B = Block Internet Explorer 7 deployment                  U = Allow Internet Explorer 7 deployment                  H = Help                     Examples:                  IE70Blocker.cmd mymachine /B (blocks delivery on machine "mymachine")                  IE70Blocker.cmd /U (unblocks delivery on the local machine)                  ------------------------------------------------------------ Group Policy Administrative Template (.ADM file) The Group Policy Administrative Template (.ADM file) allows administrators to import the new Group Policy settings to block or unblock delivery of Internet Explorer 7 into their Group Policy environment, and use Group Policy to centrally execute the action across systems in their environment. After adding this administrative template to the Group Policy Editor you must uncheck the "Only show policy settings that can be fully managed" in the Filtering dialog before the new policy becomes visible in the Group Policy Editor. This option is found by highlighting "Administrative Templates", then selecting "View" then "Filtering". You will then see the policy under "Computer Configuration / Administrative Templates / Windows Components / Windows Update / Automatic Updates Blockers". This setting is available only as a Computer setting; there is no per-User setting. Note: This registry setting is not stored in a policies key and is thus considered a preference. Therefore if the Group Policy Object that implements the setting is ever removed or the policy is set to "Not Configured", the setting will remain. To unblock distribution of Internet Explorer 7 using Group Policy set the policy to "Disabled". Answers to Frequently Asked Questions can be found here." From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan Sent: Thursday, October 19, 2006 12:55 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Blocking IE7 I see how to block IE7 from deploying through WSUS, but what I don’t see is a way to block a user from manually installing it.   (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)   Our users are 90% XP SP2 and managed through GP.  What about building a restricted software GPO that has a hash of iesetup7.exe (if that even exists)?   I want to restrict them from getting it through microsoftupdate.com as well.   Bryan Lucas Server Administrator Texas Christian University