September 2, 2015 - Nick
Getting to Internet Explorer internet options without modifying Group Policy
Being someone who takes pride in being able to solve an issue as quickly and thoroughly as possible, it’s led me down a path to find some nifty workarounds, one having to do with troubleshooting Internet Explorer. If you’re in an environment that locks down their Internet Explorer settings menu via Group Policy and doesn’t allow the end user to do any type of configuration to their internet settings, this one may help you. Having access to these settings can be necessary under a regular user so that you’re able to troubleshoot in the security context of that particular user against the exact issue they are experiencing. It’s also just very convenient to apply this fix locally on the workstation or end point you’re troubleshooting from rather than to have to go back to group policy management and block inheritance or modify the group policy in some other way.
That said, in order to make this happen, you’ll need a local administrator account that has local admin permissions to that particular workstation the user is logged into.
- From there, you’ll need to launch regedit as administrator. Once you have your regedit console open, you’ll browse to HKEY_USERS\<USER_SID_YOURE_LOOKING_TO_TROUBLESHOOT_FROM\Software\Policies\Microsoft\Internet Explorer\Control Panel
*Note #1 – If you’re not sure how to get the SID of the user who’s machine you’re sitting in front of, you can launch command prompt in their user context and run a quick ‘whoami /user’ which will yield information like this:
—————-User Name SID
*Note #2 – It’s important to modify the SID for the HKEY_USERS hive you’re looking to manipulate IE from. If you just modify HKEY_CURRENT_USER, you’ll be modifying the administrator account user hive because that’s the security context you’re running regedit from.
- Then you can go in and set each one of the values under here from 1 to 0:
- Now you’ll see if you re-launch the the IE settings menu, you’ll see that you can access and view/edit some of the settings if they’re not enforced via group policy.
- One of the other ways is that you can rename the entire key to ‘Internet Explorer-old’ or some nature and it will just apply default settings until the policy is reapplied based on whatever your group policy application window is or the machine is restarted.
The great thing about this change is that even though you’re going in and making changes to the registry, these changes will be overwritten on the next application of group policy so you don’t have to worry about going back in and fixing the settings. You can just run a gpupdate /force from a command prompt.
Let me know how this works for you!