There doesn't appear to be a GUI-based way of doing this unless you're joined to a domain - at least not one I could find anywhere - so I did a bit more digging and I've found an answer that works for our situation.
I didn't understand what the string representation meant in the knowledge base article, but doing a bit of digging led me to discover that it's SDDL syntax. Further digging led me to this article by Alun Jones which explains how to get the security descriptor for a service and what each bit means. MS KB914392 has more details.
To append to the service's existing security descriptor, use sc sdshow "Service Name" to get the existing descriptor. If this is a plain old .NET Windows Service - as is the case with ours - the security descriptor should look something like this:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
We needed to grant permissions RP (to start the service), WP (to stop the service), DT (to pause/continue the service) and LO (to query the service's current status). This could be done by adding our service account to the Power Users group, but I only want to grant individual access to the account under which the maintenance service runs.
Using runas to open a command prompt under the service account, I ran whoami /all which gave me the SID of the service account, and then constructed the additional SDDL below:
(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)
This then gets added to the D: section of the SDDL string above:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
This is then applied to the service using the sc sdset command (the new ACE goes before the S: text):
sc sdset "Service Name" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
If all goes according to plan, the service can then be started, stopped, paused and have its status queried by the user defined by the SID above.
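As an added example (not code from the original answer), the following Python script performs the SDDL manipulation described above offline so it can be checked before anything is passed to sc sdset: it splits the descriptor into its D: and S: sections, decodes each ACE's rights tokens with the standard service access-rights mapping, appends the maintenance account's allow ACE immediately before S:, and reports any ACE that would hand over control of the service (DC, SD, WD or WO). The sample descriptor is the one printed by sc sdshow in the answer; the SID and the service name are constructed placeholders.

```python
"""Parse, extend and sanity-check a Windows service security descriptor in SDDL.

Added example, not code from the original answer. It assumes the layout shown
above: a D: (DACL) section followed by an S: (SACL) section, each a run of
parenthesised ACEs, with no O:/G: owner or group part.
"""
import re

# Service-specific meaning of the SDDL rights tokens. The first nine are the
# service access rights; SD/RC/WD/WO are the standard rights.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Rights that let the holder reconfigure, delete or take ownership of the
# service. A maintenance account that only needs start/stop/pause/query
# should never be granted any of these.
CONTROL_RIGHTS = {"DC", "SD", "WD", "WO"}

# The descriptor printed by `sc sdshow` in the answer above, on one line.
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)"
    "(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Constructed placeholder for the maintenance account's SID (from `whoami /all`).
MAINTENANCE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"

_SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def split_sections(sddl):
    """Map 'D' and 'S' to the list of raw ACE strings in that section."""
    return {tag: _ACE_RE.findall(aces)
            for tag, _flags, aces in _SECTION_RE.findall(sddl)}


def parse_ace(ace):
    """Decode one 'type;flags;rights;object_guid;inherit_guid;sid' ACE."""
    ace_type, flags, rights, _obj, _inh, sid = ace.split(";")
    if rights.startswith("0x"):  # numeric access mask; left undecoded here
        tokens = [rights]
    else:
        tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return {
        "type": ace_type,
        "flags": flags,
        "rights": tokens,
        "decoded": [SERVICE_RIGHTS.get(t, t) for t in tokens],
        "sid": sid,
    }


def add_allow_ace(sddl, sid, rights):
    """Append an access-allowed ACE for `sid` to the DACL, i.e. before 'S:'."""
    ace = "(A;;" + "".join(rights) + ";;;" + sid + ")"
    if "S:" in sddl:
        dacl, sacl = sddl.split("S:", 1)
        return dacl + ace + "S:" + sacl
    return sddl + ace


def rights_for(sddl, sid):
    """All rights the DACL's allow ACEs grant to `sid`, as sorted tokens."""
    granted = set()
    for ace in split_sections(sddl).get("D", []):
        parsed = parse_ace(ace)
        if parsed["type"] == "A" and parsed["sid"] == sid:
            granted.update(parsed["rights"])
    return sorted(granted)


def control_rights_for(sddl, sid):
    """Subset of rights_for() that hands over control of the service (empty is good)."""
    return sorted(set(rights_for(sddl, sid)) & CONTROL_RIGHTS)


def build_sdset_command(service_name, sddl):
    """The `sc sdset` invocation that applies the descriptor."""
    return 'sc sdset "' + service_name + '" ' + sddl


if __name__ == "__main__":
    new_sddl = add_allow_ace(SAMPLE_SDDL, MAINTENANCE_SID, ["RP", "WP", "DT", "LO"])
    for raw in split_sections(new_sddl)["D"]:
        p = parse_ace(raw)
        print(p["sid"], "->", ", ".join(p["decoded"]))
    print("control rights for maintenance account:",
          control_rights_for(new_sddl, MAINTENANCE_SID) or "none")
    print(build_sdset_command("Service Name", new_sddl))
```

Running the script prints one line per DACL ACE with the rights spelled out, confirms the maintenance account ends up with start/stop/pause/interrogate only, and emits the sc sdset command line. Note that the built-in Administrators entry (BA) does carry DC, SD, WD and WO, which is expected for that group; the check is there to catch those tokens creeping into the ACE you add for a low-privilege account. After applying the descriptor, run sc sdshow again and feed its output back through this script to confirm the stored DACL matches what you intended.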
I think what that means is the Internet Explorer zones, and how the proxy bypass settings apply to the local intranet zone. This article explains it in more detail than should be gone into here, but essentially every website is classified into a zone so that the various security settings can be adjusted. By default the proxy bypass list is automatically included in the Local Intranet zone.
EDIT: To answer your question directly - Drawing from the information above, you cannot and do not need to configure proxy settings per-zone. However, your users might choose to exclude a URI from being proxied, hence adding it to the Local Intranet zone.
For the proxy configuration, I seem to remember having quite a bit of success with the IE Maintenance feature in Group Policy, which incidentally has now been superseded in 2012 by GPP. Unfortunately because of that I can't share my own how-to because I haven't got the relevant server edition in my test environment. Below are a couple of solutions (of which you may already be aware), it's up to you to decide which is most suitable to your organisation:
Unfortunately, I don't think there is a way to set proxy on a computer level using Group Policy. However, as you say in your own answer, restricting changes to that section of the control panel is the usual practice to stop changes to proxy. Perhaps, better still, you could use an auto-configuration script.
Best Answer
You could theoretically do this easily with the Files section of Group Policy Preferences. In Windows 7, information about user account pictures is stored in %ProgramData%\Microsoft\User Account Pictures. Each user has a .DAT binary file that contains the path and information about a picture that has been set. You could set a user's picture, making sure to store it on a network location so it would be accessible from any system. Then, simply make a copy of the .DAT file, throw it on a network share, and make a GPP Files entry to push it to every computer.
Users wouldn't be able to set their own picture without assistance, but after they did it the first time, it would follow them around.