I would like to set the IE security zone to Medium-high for all new users on a server.
This is a standalone machine and ultimately I'll need to script it. I don't mind making a registry change or updating the local security policy.
I've had some success updating HKCU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel
but that only applies to the current user. I see that it's possible to set IE to only use HKLM for all users, but I would rather not change that. I want to allow it to continue to use HKCU.
Where is the default key that is used when creating a new user? Or, can I use Local Security Policy, something like: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\something?
In order to change default behaviour for new accounts, you need to edit the Default User profile. However, this is not
As this is the hive for the Local System user account, despite its confusing name. (MSDN Reference)
To edit the Default User Profile, you need to change the NTUSER.DAT from the Default profile directory (Location varies - C:\Documents and Settings\Default or C:\Users\Default etc)
You can do this by using the Registry Editor as follows:
This NTUSER.DAT now gets copied to new profiles, and they in turn get all of the settings.
The key you're after should be:
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevelThis won't apply anything to existing users, but should be copied to new local users when a profile is created.