GPO settings for Intranet security zone ignored

[Guest The Cavalry]

When a user logs into a PC on our domain a GP is applied with the relevant

Intranet security zone sites. When the same user logs into the Terminal

server these settings are ignored even though the relevant GP is applied. I

have therefore setup seperate OU and GP for Terminal Server and set the

security settings on the machine. I have set GP to force local security

settings and not use the user ones but still this does not work. This is very

annoying as users are prompted for their username and password everytime they

access our Intranet.

Any help muach appreciated

[Guest Jeff Pitsch]

Re: GPO settings for Intranet security zone ignored

 

Are you setting zones through IE maintenance or under admin templates? If

IE maintenance, I believe you need to setup a new gpo for that particular OS

version but it sounds like you did that but maybe not since I'm not sure

what you mean by how you said you did it........

 

--

Jeff Pitsch

Microsoft MVP - Terminal Services

 

"The Cavalry" <The Cavalry@discussions.microsoft.com> wrote in message

news:03ACB7C6-4E26-48FA-BE52-7CAC8DBCF989@microsoft.com...

> When a user logs into a PC on our domain a GP is applied with the relevant

> Intranet security zone sites. When the same user logs into the Terminal

> server these settings are ignored even though the relevant GP is applied.

> I

> have therefore setup seperate OU and GP for Terminal Server and set the

> security settings on the machine. I have set GP to force local security

> settings and not use the user ones but still this does not work. This is

> very

> annoying as users are prompted for their username and password everytime

> they

> access our Intranet.

> Any help muach appreciated

[Guest Peter Dickason, MCSE, CCA, CNE]

Re: GPO settings for Intranet security zone ignored

 

Hi,

 

That is correct. It won't work. I've ran into that before when trying to

add trusted sites through GP.

 

http://support.microsoft.com/kb/899270

 

I belive it has something to do with the IE enhanced security breaking it

but that's besides the point.

 

You can use the VB script from this article to set it or what I did was

configure USER\Administrative Templates\Windows components\Internet

Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List.

Keep in mind tho that my approach is a hard setting that cannot be adjusted

or added to by the user. Hope this helps.

 

Pete

[Guest Jeff Pitsch]

Re: GPO settings for Intranet security zone ignored

 

It will work you just need a gpo for IEESC and one without. Now that

article points a very specific piece that has been a known issue in that IE

maintenance requires explorer.exe as the shell to run correctly.

 

--

Jeff Pitsch

Microsoft MVP - Terminal Services

 

"Peter Dickason, MCSE, CCA, CNE" <nospam@here.com> wrote in message

news:uVZVe$4AJHA.4948@TK2MSFTNGP05.phx.gbl...

> Hi,

>

> That is correct. It won't work. I've ran into that before when trying to

> add trusted sites through GP.

>

> http://support.microsoft.com/kb/899270

>

> I belive it has something to do with the IE enhanced security breaking it

> but that's besides the point.

>

> You can use the VB script from this article to set it or what I did was

> configure USER\Administrative Templates\Windows components\Internet

> Explorer\Internet Control Panel\Security Page\Site to Zone Assignment

> List. Keep in mind tho that my approach is a hard setting that cannot be

> adjusted or added to by the user. Hope this helps.

>

> Pete

>

[Guest The Cavalry]

Re: GPO settings for Intranet security zone ignored

 

Neither of these suggestions have worked. I tried the script and have already

entered the registry settings suggested.

 

I have set the zone information in the registry of the Terminal Server via

......

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

Settings\ZoneMap\Domains\domain.com

 

with a DWORD name of * value 1 (Intranet).

 

I have set the Terminal Server GP to Security Zone: Use Only Machnie Setting

 

Am I in the right place in the Terminal Server registry for setting

"domain.com" as an Intranet zone ?

 

 

"Jeff Pitsch" wrote:

> It will work you just need a gpo for IEESC and one without. Now that

> article points a very specific piece that has been a known issue in that IE

> maintenance requires explorer.exe as the shell to run correctly.

>

> --

> Jeff Pitsch

> Microsoft MVP - Terminal Services

>

> "Peter Dickason, MCSE, CCA, CNE" <nospam@here.com> wrote in message

> news:uVZVe$4AJHA.4948@TK2MSFTNGP05.phx.gbl...

> > Hi,

> >

> > That is correct. It won't work. I've ran into that before when trying to

> > add trusted sites through GP.

> >

> > http://support.microsoft.com/kb/899270

> >

> > I belive it has something to do with the IE enhanced security breaking it

> > but that's besides the point.

> >

> > You can use the VB script from this article to set it or what I did was

> > configure USER\Administrative Templates\Windows components\Internet

> > Explorer\Internet Control Panel\Security Page\Site to Zone Assignment

> > List. Keep in mind tho that my approach is a hard setting that cannot be

> > adjusted or added to by the user. Hope this helps.

> >

> > Pete

> >

>

>

>

[Guest Peter Dickason, MCSE, CCA, CNE]

Re: GPO settings for Intranet security zone ignored

 

Sorry, thought this was what I saw and thought I could help. In my

experience after importing the IE settings from a workstation didn't work, I

did try importing them from IE on the server with IEESC disabled and it

didn't help. I found I hard to hard code the settings in the reg key noted.

 

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message

news:%23QPgae5AJHA.2712@TK2MSFTNGP06.phx.gbl...

> It will work you just need a gpo for IEESC and one without. Now that

> article points a very specific piece that has been a known issue in that

> IE maintenance requires explorer.exe as the shell to run correctly.

>