At my workplace, users regularly visit some Web sites in which they have to register. These sites require users to enable cookies in Microsoft Internet Explorer (IE) so that they can sign in. However, we use Group Policy, and our domain's default policy disables all cookies.

Because cookies from Web sites in IE's Local intranet and Trusted sites zones are accepted, you can typically enable cookies for certain Web sites by using Group Policy to add those sites to one of those zones. But what if you want to allow cookies but not all the other content that goes along with trusting a site? For example, you might want users to be able to log on to a site that requires registration (and therefore allow cookies), but you don't want users to be able to download files or install ActiveX objects from the site. This was the case at my company.

Because adding Web sites to the Local intranet or Trusted sites zone wasn't an option, I looked into whether I could use a Group Policy setting to centrally define exceptions for cookies. I was unable to find such a setting.

Not wanting to have to teach each user how to define exceptions in IE, I decided to come up with my own solution. I used RegMon (http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx) to track where IE stores cookie settings. I found that the settings are under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History registry key.

To accept cookies from a domain, I created a new subkey and gave it a default DWORD value of 1. For example, to accept cookies from the microsoft.com domain, I created the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\microsoft.com subkey and gave it a default DWORD value of 1.

You can't use regedit to create a subkey with a default DWORD. (When you create a subkey, regedit automatically creates a default REG_SZ value.) So, I used .reg files to create the subkeys. For example, Figure 1 shows the .reg file for creating the microsoft.com subkey.

I then wrote a batch file that uses the reg.exe utility to read and apply the .reg files. (Reg.exe is built into Windows Server 2003 and is part of the Windows 2000 Support Tools.)

I inserted the batch file in a Group Policy Object (GPO) under User Configuration\Windows Settings\Scripts\Logon Scripts.
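The following logon script is an added example of the procedure described above; it is not the author's batch file or the article's Figure 1. The `cookie-exceptions` folder, the `<domain>.reg` file naming, and the log path are assumptions made for illustration. After each import it checks that the default value really is a DWORD, the type this method depends on.

```batch
@echo off
rem Added example, not the author's batch file or Figure 1.
rem Assumptions (hypothetical): one .reg file per domain, named <domain>.reg,
rem stored in a "cookie-exceptions" folder beside this logon script.
rem Each file carries the subkey and a default DWORD of 1, for example:
rem
rem   Windows Registry Editor Version 5.00
rem
rem   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\microsoft.com]
rem   @=dword:00000001

setlocal
set "REGDIR=%~dp0cookie-exceptions"
set "BASE=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"
set "LOG=%TEMP%\cookie-exceptions.log"
set "RC=0"

> "%LOG%" echo %DATE% %TIME% cookie exception import for %USERNAME%
if not exist "%REGDIR%\*.reg" goto :nofiles
for %%F in ("%REGDIR%\*.reg") do call :apply "%%~fF" "%%~nF"
exit /b %RC%

:nofiles
>> "%LOG%" echo No .reg files found in %REGDIR%
exit /b 1

:apply
rem %1 = full path of the .reg file, %2 = domain taken from the file name
reg import "%~1" >nul 2>&1
if errorlevel 1 goto :bad
rem Confirm the subkey exists and its default value is a DWORD.
reg query "%BASE%\%~2" /ve 2>nul | findstr /c:"REG_DWORD" >nul
if errorlevel 1 goto :bad
>> "%LOG%" echo OK: %~2
goto :eof

:bad
>> "%LOG%" echo FAILED import or wrong value type: %~1
set "RC=1"
goto :eof
```

Because the script imports every .reg file it finds, the folder that holds them should be writable only by administrators.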

With this solution, I can allow cookies but prevent users from downloading unwanted and possibly malicious files and ActiveX objects. Because the solution uses Group Policy, it's easy and quick to implement.
