So far, I've used a user group policy object utilizing Internet Explorer maintenance to set a proxy for the user in IE. We have now deployed the Enterprise Client (EC) starter group policy to our domain and this policy affects this behavior.
The EC group policy uses the policy Make proxy settings per-machine (rather than per-user). This policy describes itself as:
This policy is intended to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user.
Great! This seems to be an improvement over my previous setup.
If you enable this policy, users cannot set user-specific proxy settings. They must use the zones created for all users of the computer.
What zones and where do I configure the proxy settings for them?
I assumed the policy would simply take the user settings and apply them, but that's not what's happening. Now no proxy server is set at all. So my previous settings obviously no longer have any effect.
So far, I've only come up with solutions that involved direct manipulation of the Windows registry. Which is fine, I guess, but the way the proxy is configured for users makes it appear as if there could be a higher level approach.
I think what that means is the Internet Explorer zones, and how the proxy bypass settings apply to the local intranet zone. This article explains it in more detail than should be gone into here, but essentially every website is classified into a zone so that the various security settings can be adjusted. By default the proxy bypass list is automatically included in the Local Intranet zone.
EDIT: To answer your question directly - Drawing from the information above, you cannot and do not need to configure proxy settings per-zone. However, your users might choose to exclude a URI from being proxyed, hence adding it to the Local Intranet zone.
For the proxy configuration, I seem to remember having quite a bit of success with the IE Maintenance feature in Group Policy, which incidentally has now been superseded in 2012 by GPP. Unfortunately because of that I can't share my own how-to because I haven't got the relevant server edition in my test environment. Below are a couple of solutions (of which you may already be aware), it's up to you to decide which is most suitable to your organisation:
Unfortunately, I don't think there is a way to set proxy on a computer level using Group Policy. However, as you say in your own answer restricting changes to that section of the control panel is the usual practise to stop changed to proxy. Perhaps, better still, you could use an auto-configuration script.
To set a global proxy via group policy:
To prevent users from changing their proxy settings:
Info from: social.technet.microsoft.com
I have now spent several hours trying several combinations of group policies and the way they are applied. And what I ended up with is:
I have no clue what the point of that policy in question is. I see no benefit at all from using it. Let's have a look at that description again:
Okay, great, I want that. But I can achieve the same by applying a user policy on a site level instead of a OU level.
What zones? It is still not clear what zones they are talking about. Internet Explorer security zones? If so, how are those related to proxy settings. Are they talking about AD sites? That makes no real sense either. Even though I can use the AD sites to apply my policies differently, that's a pretty far stretch assuming that that is what's being hinted at here.
I don't want users to adjust their proxy settings, so I want that. But I can also simply apply the policy Disable changing proxy settings.
Yes, awesome! And I never really fully got the feeling that this settings works as I would expect. However, applying my existing (user-based) proxy policies (optionally at a site level), combined with disabling the ability for the user to change them was fully sufficient.