User Proxy settings showing up in Local System Account – Correct way to apply Proxy settings


If you are wondering how your local system account is getting proxy settings even though you have applied proxy settings only for users, this post will help you. 

Here you will see the proxy settings set in Local system account:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

The applications which run in system context might stop working if the Local system account contains proxy settings or any undesired settings which are not set by system administrator.

Here is how the user base settings can get written to Local system account registry key.

  • IE maintenance GPO
  • IEAK also has the same ability to import connection settings and deploy to a client PC.  Once established, the SYSTEM registry profile will be tattooed. 

Here I will discuss about the IE maintenance GPO which causes this behavior.

When you use Internet Explorer Maintenance Group Policy to set user based connections settings, it provides you with two options:

IMPORTANT: Windows 8 with Internet Explorer 10 deprecates IEM in favor of a more robust tool called Group Policy Preferences. Read More… 

 

 

If you choose Connection Settings options to set connection settings for the user, it causes this behavior.

To test it yourself, try setting this GPO in your local computer using Local group policy editor.

  • (Run gpedit.msc command to open Local GPO editor)
  • User Configuration – Windows Settings – Internet Explorer Maintenance   – Connection    – Connection Settings – choose [Import the current Connection Settings from this machine] and click [Modify Settings]

 

  
 

  • Once GPO is applied to the user, check this registry:

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

 

Expected Results:
“Proxy Server” settings of connection should not apply to
HKEY_USERS\.DEFAULT. \Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections key.

Actual Result:

 “Proxy Server” settings of connection gets added here: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections key.

What we recommend:

The respective proxy settings part of IE Maintenance should be used. User Configuration – Windows SettingsInternet Explorer Maintenance– Connection-Proxy Settings

 

 

 NOTE: If you have configured connection settings and then try to click on proxy settings, you are presented with following warning by the policy editor:

 

It tells you that proxy settings will overwrite the imported connection settings

This warning applies to the user scope only.

It is of no use to profiles that are not in scope to receive user-based Internet Explorer policy settings (such as the SYSTEM registry profile). So remember that the system base settings added by connection settings will still exist and user based proxy settings will be overridden.

Once you click on OK, you are presented with the following dialog box:

 

You can then use following articles to configure proxy settings.

If this is proxy settings for a specific dial-up connection:

If it needs to have the same proxy settings as LAN, then DialUpUseLanSettings is the best approach as mentioned in http://support.microsoft.com/kb/839571

    • If not, maybe CMAK would be a better approach to deploy that connection

Connection Manager Administration Kit

 You can also use PowerShell and GPO.

I hope this helps and solve the mysterious question of why your local system account gets user based proxy settings.

 

This blog has been provided to you by Anshu Vashishta, IE Support Engineer.

Comments (3)

  1. Christophe MORAND says:

    Remark: Concerning use of a pacfile, as explained use "connection settings" will configure local system and if you don't want that, use of "Automatic Browser Configuration" will avoid that (as "proxy settings" part does not allow configuration of a pacfile).

    We had problem of automatic an duncontrolled download of latest IE patch by our IE10 setups.

  2. Mike says:

    Interesting article, but what about to remove the settings if already applied ?

    I'm in the situation where internet explorer maintenance are no more available on client local gpo settings because windows 7 and IE 10 are installed but a  service which runs on local system account still use proxy.

    Do you have please some walkarount ?

  3. Stephen says:

    @Mike, Might be relevant, I pay for my proxy webguard server per user, so it was authenticating as the user and the local machine.

    Find the; HKEY_Current_UserSoftwareMicrosoftWindowsCurrentVersionInternet SettingsConnections  "DefaultConnectionSettings" (first create the right proxy info in your browser)

    And copy it to the path; HKEY_LOCAL_MACHINE\SoftwareMicrosoftWindowsCurrentVersionInternet SettingsConnections

    I don't really know an easy way of copying it apart from just writing it in manually. But that will set any proxy browser settings for the local machine.