How to Prevent Users from Changing GFI WebMonitor® Proxy Settings in Firefox® Using Group Policies
If you’re in an environment where users are allowed to use browsers other than the default Internet Explorer (IE), you should know that these programs will use settings outside of the Microsoft defaults. Employees using other browsers will also need to have all their traffic sent through GFI WebMonitor. In this post we’ll go through the procedure needed to ensure employees don’t get around security policies when using Firefox.
Unlike IE, Mozilla Firefox is a third-party browser with no integration with Microsoft Windows, and it does not support remote administration by default. Nevertheless, there are ways to remotely configure Firefox like IE. In order to use this procedure you will need a freeware package FirefoxADM. It can be downloaded from the repository SourceForge.
Note: GFI provides this for customers’ convenience. We do not support the FirefoxADM package.
Before deploying the proxy settings for Firefox, download and extract the package FirefoxADM on a server with Active Directory.
Pushing out Firefox proxy settings with GPO
- Open the relevant GPO for the site, domain or organizational unit in the Group Policy Object Editor
- Expand the following levels within the tree: User Configuration > Windows Settings > Scripts (Logon/Logoff)
- Double-click Proxy-settings in the main policy area
- Click the Show Files button; this will display the folder the script will be stored in
- Copy and paste the script firefox_login.vbs from the FirefoxADM package into the folder
- Return to the Logon Properties window and click Add
- Browse to the location of the start scripts folder where the script was just copied to, select the file and click the Open button
- Click OK and then OK again to save the changes.
This has now configured the GPO to run a script which locks down the Firefox settings when the machine first starts up. You now need to add and configure the Administrative Templates which will be used to define the locked down proxy settings:
- Expand the User Configuration level in the tree
- Right-click Administrative Templates and select Add/Remove Templates
- Click the Add button and browse to the location of the startup template firefoxdefaults.adm, select the file and click Open, then Click Close
- Expand the Administrative Templates level under Computer Configuration
- Select Mozilla Firefox Default Settings in the tree
- Double-click Proxy Settings in the main policy area
- Select the radio button Enabled
- At this point you can begin entering the proxy settings that are to be pushed to users; this information can be found in your provisioning email
- Once finished click OK.
This policy and any subsequent changes will only be refreshed on user login, or alternatively you can force a GPO update from command prompt if available (the command is: gpupdate /force).
Locking down Firefox proxy settings with GPO
- Open the relevant GPO for the site, domain or organizational unit in the Group Policy Object Editor
- Expand the following levels within the tree: Computer Configuration > Windows Settings > Scripts (Logon/Logoff)
- Double-click Startup in the main policy area
- Click the Show Files button, this will display the folder the script will be stored in
- Copy and paste the script firefox_startup.vbs from the FirefoxADM package into the folder
- Returning to the window, click Add in Startup properties
- Browse to the location of the start scripts folder where the script was just copied to, select the file and click the Open button
- Click OK and then OK again to save the changes.
This has now configured the GPO to run a script which will lockdown the Firefox settings when the machine first starts up. You now need to add and configure the Administrative Templates which will be used to define the locked down proxy settings:
- Expand the Computer Configuration level in the tree
- Right-click Administrative Templates and select Add/Remove Templates
- Click the Add button and browse to the location of the startup template firefoxlock.adm, select the file and click Open, then click Close
- Expand the Administrative Templates level under Computer Configuration
- Select Mozilla Firefox Locked Settings in the tree
- Double-click Proxy Settings in the main policy area
- Select the radio button Enabled
- At this point you can begin entering the proxy settings that are to be pushed to users; this information can be found in your provisioning email
- Once finished click OK.
This policy and any subsequent changes will only be refreshed on system start up.
Do you have any questions? Leave us a comment below and I’ll reply to your query.
Like our posts? Subscribe to our RSS feed or email feed (on the right hand side) now, and be the first to get them!
We have configured the above settings, but somehow users are still able to change the proxy settings. IT seems like startup.vbs and firefoxlock.adm is not working on xp sp3 clients.
firfox_login.vbs and firefoxDefaults.adm is giving desired results when setup under user configuration part of the GPO but it still allows users to change these pushed settings.
The computer configuration part of the adm and startup script is not locking the settings.
Can we troubleshoot this issue. Your help will be greatly appreciative
Hi Deepak,
Thank you for your comment.
Have you tried deploying the GPO to other computers, apart from the Windows XP machines? Would it also be possible to send us screenshots illustrating the issue so that we can understand better?
However, since the issue is with the GPO part of the procedure, there is limited support we can provide from a GFI support perspective. The issue may need to be tackled by Microsoft Support (http://support.microsoft.com/?ln=en-gb).
Thanks and regards,
Ben Vincenti
followed your steps but
this only works on firefox version 3.6.26 but not in version 10.
Hi secret,
Thank you for your comment.
At the time of writing, the procedure was not tested on version 10. We may look into tweaking this procedure to work with newer versions.
Thanks and regards,
Ben