At my workplace, users regularly visit some Web sites in which they have to
register. These sites require users to enable cookies in Microsoft Internet
Explorer (IE) so that they can sign in. However, we use Group Policy, and our
domain's default policy disables all cookies.
Because cookies from Web sites in IE's Local intranet and Trusted
sites zones are accepted, you can typically enable cookies for certain Web
sites by using Group Policy to add those sites to one of those zones. But what
if you want to allow cookies but not all the other content that goes along with
trusting a site? For example, you might want users to be able to log on to a
site that requires registration (and therefore allow cookies), but you don't
want users to be able to download files or install ActiveX objects from the
site. This was the case at my company.
Because adding Web sites to the Local
intranet or Trusted sites zone wasn't an option,
I looked into whether I could use a Group
Policy setting to centrally define exceptions for
cookies. I was unable to find such a setting.
Not wanting to have to teach each user how to define exceptions in IE, I decided
to come up with my own solution. I used RegMon (http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx)
to track where IE stores cookie settings. I found that the settings are under
the HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Internet Settings\P3P\
History registry key.
To accept cookies from a domain, I created a new subkey and gave it a default
DWORD value of 1. For example, to accept cookies from the microsoft.com domain,
I created the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Internet
Settings\P3P\History\microsoft. com subkey and gave it a default DWORD value
of 1.
You can't use regedit to create a subkey with a default DWORD. (When you create
a subkey, regedit automatically creates a default REG_SZ value.) So, I used
.reg files to create the subkeys. For example, Figure
1 shows the .reg file for creating the microsoft. com subkey.
I then wrote a batch file that uses the reg. exe utility to read and apply
the .reg files. (Reg .exe is built into Windows Server 2003 and is part of the
Windows 2000 Support Tools.)
I inserted the batch file in a Group Policy
Object (GPO) under User Configuration\Window Settings\Script\Logon Scripts.
With this solution, I can allow cookies but
prevent users from downloading unwanted
and possibly malicious files and ActiveX
objects. Because the solution uses Group
Policy, it's easy and quick to implement.
See Associated Figure
Register
