If you are wondering how your local system account is getting proxy settings even though you have applied proxy settings only for users, this post will help you.
Here you will see the proxy settings set in Local system account:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
The applications which run in system context might stop working if the Local system account contains proxy settings or any undesired settings which are not set by system administrator.
Here is how the user base settings can get written to Local system account registry key.
- IE maintenance GPO
- IEAK also has the same ability to import connection settings and deploy to a client PC. Once established, the SYSTEM registry profile will be tattooed.
Here I will discuss about the IE maintenance GPO which causes this behavior.
When you use Internet Explorer Maintenance Group Policy to set user based connections settings, it provides you with two options:
| IMPORTANT: Windows 8 with Internet Explorer 10 deprecates IEM in favor of a more robust tool called Group Policy Preferences. Read More... |
If you choose Connection Settings options to set connection settings for the user, it causes this behavior.
To test it yourself, try setting this GPO in your local computer using Local group policy editor.
- (Run gpedit.msc command to open Local GPO editor)
- User Configuration - Windows Settings - Internet Explorer Maintenance - Connection - Connection Settings - choose [Import the current Connection Settings from this machine] and click [Modify Settings]
- Once GPO is applied to the user, check this registry:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Expected Results:
"Proxy Server" settings of connection should not apply to HKEY_USERS\.DEFAULT. \Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections key.
Actual Result:
“Proxy Server" settings of connection gets added here: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections key.
What we recommend:
The respective proxy settings part of IEMaintenance should be used. User Configuration - WindowsSettings - Internet Explorer Maintenance- Connection-Proxy Settings
NOTE: If you have configured connection settings and then try to click on proxy settings, you are presented with following warning by the policy editor:
It tells you that proxy settings will overwrite the imported connection settings.
This warning applies to the user scope only.
It is of no use to profiles that are not in scope to receive user-based Internet Explorer policy settings (such as the SYSTEM registry profile). So remember that the system base settings added by connection settings will still exist and user based proxy settings will be overridden.
Once you click on OK, you are presented with the following dialog box:
You can then use following articles to configure proxy settings.
- Configure Proxy Settings, using below TechNet article:
If this is proxy settings for a specific dial-up connection:
If it needs to have the same proxy settings as LAN, then DialUpUseLanSettings is the best approach as mentioned in http://support.microsoft.com/kb/839571
- If not, maybe CMAK would be a better approach to deploy that connection
Connection Manager Administration Kit
You can also use PowerShell and GPO.
- Deploying VPN Connections by Using PowerShell and Group Policy
- Provisioning VPN client settings using Group Policy
I hope this helps and solve the mysterious question of why your local system account gets user based proxy settings.