donL,
So I was curious enough about this one to research it out. I don't have a 2003 server environment to test on, so it was up to "Google Fu" to check into this.
Turns out it is a "bug" in the GUI. The policy you applied did work correctly, it just doesn't show up correctly in IE's GUI on the client. Stupid, yes...but true.
Here's an example accepted answer over on EE that mirrors this:
If you see "Some settings are managed by your system administrator"
then it was applied successfully and is on Medium. You can verify
this by clicking custom level and looking at each security option,
they will coincide with what they should be for "Medium".
You can disregard what it says on "Security level for this
zone"...it's not accurate.
For example, if you set it to low, it will still still say
medium/high or high but if you click on custom level you will see
"download unsigned activex controls" is enabled.....which is a option
that is enabled on low and disabled on high. - Jake77444 @ EE
And this blog also confirms it:
IE GPO Zone Templates and the “Open File – Security Warning”
In Conclusion
- Security templates are not visually reflected in the security page of Internet Explorer even though they are applied.
- Security zone settings are applied to Internet Explorer by doing a gpupdate but a log off/on is required to apply these settings to the
rest of the OS
- The “Launching applications and unsafe files” setting determines whether the “Open File – Security Warning” dialog is displayed when
launching applications from a given location
- The “Launching applications and unsafe files” cannot be set with a an indvidual GPO setting. (You could create a custom adm file though)
- When setting zone security via GPO I recommend making the Internet Explorer security page invisible to users to avoid confusion
as they can still quite happily adjust the security level slider, it
just won’t have any effect!
Hope that helps! It was news to me!