We have an IE Policy GPO that applies to all of our production computers (it is not enforced). It configures many IE settings, trusted sites, security zone specific settings, etc. A normal user on a production computer is unable to change any IE-related security setting; basically everything is grayed out. I am trying to see if there are any GPO settings that I can put in a GPO, to apply to a specific security group, that will remove the lockdown on changing IE security settings on the Security tab.
We often have users with random issues where they will need to change one IE setting that is locked down by our IE Policy GPO. Most recently a user needed to be able to disable IE Protected Mode (they are using IE9) for the Internet zone. For something like this (that's a computer setting in admin templates), I will sometimes create a new GPO, change the single setting in this GPO to what the user needs, and filter the GPO to a security group with only this user's computer.
Then I set the GPO precedence on the OU with our users' computers so that it is higher than our main IE Policy GPO. So the effective result of this is that we can add a computer to a group, and then this one setting changes for only that one computer object. This normally works for single policy changes.
I just tried to do this to disable IE Protected Mode and could not get it to work. I have a new GPO with the "Turn on Protected Mode" setting disabled, which is under Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone. RSOP and `gpresult /h` on a test computer with Win7/IE9 receiving the policy show it is correctly getting the setting to disable Protected Mode for the Internet zone, and in RSOP it shows it is correctly getting the precedence of the new policy to be higher than our main policy (which enables Protected Mode), but when I launch IE9, Protected Mode is still enabled for the Internet zone.
So I would like to get Protected Mode to be correctly disabled for computers in this OU, but in general I'm trying to create a new GPO that allows users to change basically any IE security setting (in the IE 9 Security Zone tab), that I can set with a higher precedence than our normal IE policy, so that it removes the graying out of all the settings, and then users could just change the specific setting they want while we apply the policy to their computer temporarily.