In this edition of Group Policy Quick Tips, I’ll be covering a policy that has been around a while, but was renamed and might be hard to find if you haven’t configured it before. In Windows 7/Server 2008 R2, this setting was called “Exclude files from being cached.” With Windows 8.x/Server 2012, the name changed to “Enable file screens.” Same thing; different name.
KB2862565 – AppLocker blocks administrators and other high privileged group’s users from executing files on a Windows 7 SP1-based or Windows Server 2008 R2 SP1-based computer
KB2849027 – Internet Explorer 10 security settings are silently applied to client computers when you use GPMC to view the Group Policy Preferences settings in Windows 8 or Windows Server 2012
KB2466373 – BACKSPACE or arrow keys do not work in MMC [especially in the Group Policy Management Console (GPMC)!!!!] on a computer that is running Windows 7 or Windows Server 2008 R2
KB2816253 – Known issues with Office if Desktop or My Documents is redirected
KB981177 – You can still unpin a program from the taskbar unexpectedly when you enable the “Do not allow pinning programs to the Taskbar” Group Policy on a computer that is running Windows 7 or Windows Server 2008 R2
KB981750 – Error message occurs when you use GPMC to view a software restriction Group Policy setting in Windows 7 and in Windows Server 2008 R2: “An error has occurred while collecting data for Software Restriction Policies”
In a previous post, I covered disabling/enabling the Internet Explorer Enhanced Security Configuration (IE ESC) for Administrators via Group Policy. Disabling the IE ESC for Administrators is usually something I don’t recommend in a production environment. However, disabling it for Users/Non-Administrators is a different story. In most cases, you won’t have someone logging in to a console or over Remote Desktop (RDP) to your servers who doesn’t have Admin rights… that is, unless you’re running Terminal Services/Remote Desktop Services or a third-party product like XenApp. In those environments, it is very normal to have users logged into a remote session who do need access to a fully functional web browser. Microsoft didn’t give us any kind of obvious Group Policy setting to enable or disable the IE ESC. Like the setting for Admins, it is a Registry entry that can be tweaked with Group Policy Preferences for deployment to groups of servers so that you can make sure your end users are receiving a consistent environment.
One of the biggest security threats to a server is having a web browser installed. Running a server in Server Core mode resolves this problem, but what do you do when you need the GUI enabled? This is the reason that Microsoft introduced Internet Explorer Enhanced Security Configuration in Windows Server 2003. Unfortunately, like a lot of other great features, Microsoft didn’t give us any kind of obvious Group Policy setting to enable or disable the feature. The good news? It is just a Registry entry that can be tweaked with Group Policy Preferences.