An astute reader of this blog brought an interesting scenario to my attention, and I spent some time confirming it. For those of you running Windows 8 (or 8.1) there’s a neat “feature” that allows your users to circumvent controls you put in place for controlling proxy server settings in Internet Explorer.
Here’s the scenario. I use GP Preferences to configure a proxy address for my Windows 8.x clients, as shown here:
Next, I lock down the ability for the user to change proxy settings, by setting a Administrative Template policy under User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Disable Changing Connection Settings. When I do that, the user can no longer get into Internet Options, Connections, LAN Settings, and change their proxy, as shown here:
So, now that the user is locked down they should not be able to change their proxy configuration in IE, correct? Well, not so much. Turns out there are two problems with that, related to Windows 8.x. The first problem is that Microsoft chose not to policy-enable much of their “Modern” UI, which means it’s outside of the control of Group Policy. The second, related problem, is that Microsoft chose to give the user control over IE proxy settings from the “Charms” menu (Windows Key-C). Specifically, if you bring up the Charms menu and select Settings, Change PC Settings, Network, Proxy as shown here:
you’ll note that the UI to change the proxy address is free and clear, unlike the locked out version in IE. If there is a policy setting to lockdown this Charms menu, I’m open to hearing about it, because I haven’t found it yet. The interesting thing about this particular setting is that you might expect that this would only impact the “Modern” version of IE. Not so–both the desktop and Modern versions are impacted by this dialog. Neat!