>> Active Directory's Group Policy Objects (GPOs) and Group Policy Preferences (GPPs) offer administrators a simple, centralised, and secure method to lock down Internet Explorer's (IE's) settings.
Take the word "secure" out of that and you'd have a point. There are many ways to bypass settings pushed down by group policy... You should only consider group policies as pushing out default settings; do not rely on them for security!
A much better solution is to force all outbound web traffic through a proxy, where it can be filtered and logged irrespective of the client configuration.
Another, even more secure setup is to only allow internal browsing direct from workstations and require users to log in to another system if they want to access public websites. Even with a browser running remotely, you can make it look and behave just like a local application, only any exploit attempts hit the server and not your workstation.
One such example I've seen used Windows desktops connected to a hardened Linux box running Chromium; the connection was, I believe, done using NX, and the Chromium window looked like it was running on the local machine. A hardened and isolated Linux box running Chromium is far less risky than a Windows workstation for browsing the web.
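Whether web traffic really is forced through the proxy, as the comment above recommends, can be checked from the firewall's own logs. The following Python script is an added example, not part of the original comment: it separates direct web attempts that the egress firewall blocked from ones that left the network without the proxy. The log format, the addresses and all names in it are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
PROXY_IPS = {ipaddress.ip_address("10.0.5.10")}    # assumed proxy address
WEB_PORTS = {80, 443}

# Assumed log format: "<timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^\S+ (?P<action>ALLOW|DENY) "
                     r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Constructed sample log (external addresses are documentation ranges).
SAMPLE_LOG = """\
2024-05-01T09:00:01 ALLOW src=10.0.5.10 dst=192.0.2.80 dport=443
2024-05-01T09:00:02 ALLOW src=10.0.1.21 dst=10.0.5.10 dport=3128
2024-05-01T09:00:05 DENY src=10.0.1.22 dst=198.51.100.7 dport=443
2024-05-01T09:00:06 DENY src=10.0.1.22 dst=198.51.100.7 dport=80
2024-05-01T09:00:09 ALLOW src=10.0.1.23 dst=203.0.113.9 dport=443
2024-05-01T09:00:10 ALLOW src=10.0.1.21 dst=10.0.9.5 dport=443
garbage line that does not parse
"""

def direct_web_egress(line):
    """Return (action, src) when an internal non-proxy host contacts an
    external web port directly; return None for everything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped, not guessed at
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    if int(m["dport"]) not in WEB_PORTS:
        return None
    if src not in INTERNAL_NET or src in PROXY_IPS or dst in INTERNAL_NET:
        return None  # proxy's own traffic and internal browsing are expected
    return m["action"], str(src)

def audit(log_text):
    """Count direct web attempts per source: 'blocked' means the firewall
    held; 'leaked' means traffic left without passing through the proxy."""
    blocked, leaked = Counter(), Counter()
    for line in log_text.splitlines():
        hit = direct_web_egress(line)
        if hit:
            (leaked if hit[0] == "ALLOW" else blocked)[hit[1]] += 1
    return {"blocked": dict(blocked), "leaked": dict(leaked)}
```

Any entry under `leaked` is a gap in the egress rules rather than in the client configuration; entries under `blocked` point at hosts whose browser settings were changed or ignored.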