In this post, I’ll show you an easy way to prevent users without administrator privileges from changing the proxy server settings by blocking corresponding elements Internet Explorer dialog window using GPO.
Today Internet Explorer 11 is the only browser version that is officially supported by MSFT (besides Edge) and many users should have to update to this browser version. If in previous versions IE supposed its settings to be configured in Internet Explorer Maintenance(IEM) section of GPO, starting from Internet Explorer 10 (released in Windows Server 2012 / Windows 8), browser settings can be centrally configured only through the section User Configuration -> Preferences -> Control Panel Settings -> Internet Settings (read more here).
After the policy containing IE settings has been applied to a user (in our example, we configure only proxy settings), he can change the assigned proxy parameters any time if necessary. However, these changes are overridden every 90 minutes during next policy update cycle. I would like to completely block this dialog box and prevent users without the administrator privileges from changing proxy server settings configured in the domain GPO.
In GPMC.msc console, create a new GPO and switch to the Edit mode. Open User Configuration ->Administrative Templates -> Windows Components -> Internet Explorer section and enable the policy Prevent changing proxy settings.
Assign the policy to the OU containing users and update the policy on the clients. Check proxy server settings in IE. As you can see, text fields containing the settings are locked.
In addition to the existing policy, you can also prevent proxy server settings from being changed through the registry. To do it, go to User Configuration -> Preferences ->Windows Settings -> Registry section and create a DWORD parameter with the name Proxy and the value 00000001 in the key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel.
In order the policy is not applied to administrators, add the necessary admin groups on the GPOs Delegation tab (e. g., corp_srvadmins) and check Deny next to Apply Group policy for them.