Today I installed an Astaro Web Gateway (Proxy appliance) in an Active Directory enviroment. I made a GPO to force the ad users to sent http traffic to the appliance and not to thier default gateway. The GPO just edits the Internet Explorer proxysettings.
As far as I remember, I found that GPO template in user..window coponent...internet explorer... Proxy settings.
The policy works preddy good, but there is one big unlikly thing, it does not prevent users from clearing that setting out manually.
Is there a way to deny the edit of that setting? Or maybe another GPO which does the job?
In your group policy object that you've already configured the proxy settings within (I'm assuming you're using the Internet Explorer policy extension under "User Configuration", "Windows Settings", and "Internet Explorer"), add the following setting:
This will prevent the user from being able to change the proxy setting.
As an "Administrator" you might prefer not to have this setting enforced. If that's the case, add a "BUILTIN\Administrators - Deny Apply Group Policy" permission to the permissions on the GPO. Then members of the various Administrator groups (Domain Admins, Enterprise Admins, etc) nested within BUILTIN\Administrators won't have this setting enforce. (Handy if you want to logon with your admin. account and see if something acts differently not going thru the proxy.)
You could expand this to making a group, placing users into that group, and denying the group the "Apply Group Policy" right if you wanted to have a special group to put people in who would be allowed to "bypass" the proxy setting and restriction about changing it.
Edit:
I saw your comment re: laptop computers.
Look into proxy auto-config scripts. You'll really like proxy auto-config scripts and how they work on your laptop computers.
http://en.wikipedia.org/wiki/Proxy_auto-config
I moved to proxy auto-config files for my school district Customer a couple of years ago as a result of administrators taking laptops off-site and trying to work on other networks that didn't need an HTTP proxy specified. It's worked like a charm, and is a nice cross-browser and cross-platform compatible solution.
Check User config/admin templates/windows components/internet explorer/disable changing proxy settings. Here are some screenshots.
Kindly advise if this setting can be modified any further. What happens with me is that I can set the GPO to list a specific Proxy and enable this setting. BUT When I add the option to "Disable changing the proxy settings", the Proxy settings are no longer enabled. The GPO modeling and result show that both settings are correctly enforced.
If I just use the GPO to set and enable to the proxy setting, the proxy setting are set and enable correctly, but the user can go into the settings and disenable them.
As soon as the second part of the GPO is added, the tick to enable these settings disappears, and this is greyed out.
I have the same experience on SBS 2003 and SBS 2008.
With thanks
Jonathan