Score:1

Why is my Internet Explorer group policy ignored?


In light of the recently discovered MSHTML vulnerability (and because it's a good idea in general), I want to disallow downloading of ActiveX components via group policy. However, it appears that my policy settings are ignored.

Here's my group policy setting:

[Image: Group Policy Settings]

Then I refresh the group policy on my client PC (in a non-elevated shell, since this is a user policy):

C:\Users\{redacted}>gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Yet IE seems to ignore my new settings:

[Image: IE settings]

I'm sure I'm overlooking something obvious. What is it?

joeqwerty:
What is the Security Filtering of the GPO set to?
@joeqwerty: It's kept at the default value, "Authenticated Users".
Swisstone:
Can you generate a `gpresult` report and take a look at it, see if you can see your policy?
I believe for IE10+, it may be preferable/more modern to use Preferences > Control Panel Settings > Internet Settings > right-click > New > Internet Explorer 10.
@Swisstone: Thanks, the output of `gpresult /Z` helped me find the root cause. I'll write a self-answer with the details.
Score:2

You disabled the policy setting. This means that the group policy setting is not applied.

What you need to do instead is to enable the policy setting and then configure the policy setting to disabled. In other words, instead of this:

[Image: wrong]

you should do that:

[Image: correct]

You can also see the difference in the summary view. This is wrong:

[Image: wrong-summary]

And this is correct:

[Image: correct-summary]


Unfortunately, the name of the setting (which needs to be enabled) and the name of the option inside the setting (which needs to be disabled) are exactly the same, which makes such an error easy to overlook. As @Swisstone mentioned in the comments, `gpresult` can help here. This is the output of `gpresult /Z` (`/Z` for super-verbose) in the "wrong" case:

GPO: Internet Explorer
    Folder Id: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001
    State:       disabled

And this in the correct case:

GPO: Internet Explorer
    Folder Id: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001
    Value:       3, 0, 0, 0
    State:       Enabled

The latter entry sets this registry value to dword:00000003, which is your intended result. Note that IE respects this setting now:

[Image: IE]
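
The following PowerShell check is an added example, not part of the original answer: it reads the policy registry value named in the `gpresult` output above and reports whether it is missing (matching the "State: disabled" output, which lists no Value) or set to the intended 3. The function name `Get-ZonePolicyAction` is hypothetical, and checking the HKLM policy hive as well as HKCU goes beyond the user policy discussed here.

```powershell
# Added example: report whether the zone policy value from the gpresult output is set.
# Zone 3, action 1001 and the expected value 3 are taken from this page;
# Get-ZonePolicyAction is a hypothetical helper name.
function Get-ZonePolicyAction {
    param(
        [int]$Zone = 3,
        [string]$Action = '1001',
        [int]$Expected = 3
    )

    $subKey = "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"

    # The question concerns a user policy (HKCU); HKLM is checked too as an
    # assumption that the same setting may be delivered as a computer policy.
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "${hive}:\$subKey"

        # Returns nothing if the key or the value does not exist.
        $item = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue

        if ($null -eq $item) {
            $value  = $null
            $status = 'NotSet'        # no value written: the policy is not enforcing anything
        }
        else {
            $value  = $item.$Action
            $status = if ($value -eq $Expected) { 'Compliant' } else { 'Unexpected' }
        }

        [pscustomobject]@{
            Hive   = $hive
            Path   = $path
            Action = $Action
            Value  = $value
            Status = $status
        }
    }
}

# Run in the affected user's session after "gpupdate /force".
Get-ZonePolicyAction | Format-Table -AutoSize
```

A `NotSet` result in HKCU after a policy refresh points to the mistake described in this answer: the policy setting itself was disabled instead of being enabled with its option set to disabled.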
