Managing IE6 in a Terminal Services Environment

[Guest cbrunet]

Greetings all,

 

I'm having some issues trying to manage Internet Explorer 6 through

Group Policy. I've setup a new GPO and associated it with the OU I

want. I've then gone User Configuration -> Administrative Templates -

> Windows Components -> Internet Explorer -> Internet Control Panel ->

Security Page and enabled the group policy Site to Zone Assignment

list. I've added the sites I wish to add to the local Intranet, and

exited.

 

Now, when I log onto the desktop of the associated system as

administrator, my IE settings come across. I go Tools -> Internet

Options, then the security tab, I select the Local Intranet sites and

all of my addresses I added are there. I can then freely browse any

of the sites I wish, but I cannot add new sites. Not a big deal since

I am looking to lock all of this information down anyways.

 

My problem is is that when I log in as a user, I get nothing in the

Local Intranet sites. Not only that, but the same problem is I can't

add new sites. So not only are all of the sites falling under the

Internet category, but I can't even tell users to add new sites now.

I've tried also adding these sites to the Computer Settings as well to

no avail, but if I do a RSoP, the policies show that they are being

applied fine. Even if I go into the registry it clearly shows that

the values are there (HKCU\Software\Policies\Microsoft\Windows

\CurrentVersion\InternetSettings\ZoneMapKey or HKLM for the machine

one's).

 

In other words, everything seems like it is set up perfectly but it is

simply not working. The machines I am adding these settings to are

Windows Server 2003 Application Servers running in Terminal Service

mode. The domain is all Server 2003.

 

I've been playing cat and mouse with this for almost 2 days now and am

at my wits end. I could use all the suggestions in the world.

 

-Curtis

[Guest Vera Noest [MVP]]

Re: Managing IE6 in a Terminal Services Environment

 

The IE settings are User settings. So you'll have to use loopback

processing in this GPO to make sure that the users are affected by

the user settings from this GPO, rather then the default handling

of GPOs, which is that the Computer Configuration settings from

this GPO are applied and the User configuration from the GPO which

is linked to the OU containing the user accounts.

 

Computer Configuration - Administrative Templates - System - Group

Policy

"User Group Policy loopback processing mode" - "Replace"

 

231287 - Loopback Processing of Group Policy

http://support.microsoft.com/?kbid=231287

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

cbrunet <darthkorn@gmail.com> wrote on 14 sep 2007 in

microsoft.public.windows.terminal_services:

> Greetings all,

>

> I'm having some issues trying to manage Internet Explorer 6

> through Group Policy. I've setup a new GPO and associated it

> with the OU I want. I've then gone User Configuration ->

> Administrative Templates -

>> Windows Components -> Internet Explorer -> Internet Control

>> Panel ->

> Security Page and enabled the group policy Site to Zone

> Assignment list. I've added the sites I wish to add to the

> local Intranet, and exited.

>

> Now, when I log onto the desktop of the associated system as

> administrator, my IE settings come across. I go Tools ->

> Internet Options, then the security tab, I select the Local

> Intranet sites and all of my addresses I added are there. I can

> then freely browse any of the sites I wish, but I cannot add new

> sites. Not a big deal since I am looking to lock all of this

> information down anyways.

>

> My problem is is that when I log in as a user, I get nothing in

> the Local Intranet sites. Not only that, but the same problem

> is I can't add new sites. So not only are all of the sites

> falling under the Internet category, but I can't even tell users

> to add new sites now. I've tried also adding these sites to the

> Computer Settings as well to no avail, but if I do a RSoP, the

> policies show that they are being applied fine. Even if I go

> into the registry it clearly shows that the values are there

> (HKCU\Software\Policies\Microsoft\Windows

> \CurrentVersion\InternetSettings\ZoneMapKey or HKLM for the

> machine one's).

>

> In other words, everything seems like it is set up perfectly but

> it is simply not working. The machines I am adding these

> settings to are Windows Server 2003 Application Servers running

> in Terminal Service mode. The domain is all Server 2003.

>

> I've been playing cat and mouse with this for almost 2 days now

> and am at my wits end. I could use all the suggestions in the

> world.

>

> -Curtis

[Guest TP]

Re: Managing IE6 in a Terminal Services Environment

 

Hi Curtis,

 

Have you disabled Internet Explorer Enhanced Security (IEES)

for your user groups? This is done through Add/Remove Programs

Windows Components.

 

Site to Zone Assignments are stored separately for IEES enabled

and IEES disabled. Unfortunately the Group Policy template is for

IEES disabled mode. By defining the assignments using a GPO you

effectively assigned an empty list of sites for users who have IEES

enabled. For reference sake IEES sites are stored under the

EscDomains (Enhanced security configuration Domains) key in the

user's registry.

 

-TP

 

cbrunet wrote:

> Greetings all,

>

> I'm having some issues trying to manage Internet Explorer 6 through

> Group Policy. I've setup a new GPO and associated it with the OU I

> want. I've then gone User Configuration -> Administrative Templates -

>> Windows Components -> Internet Explorer -> Internet Control Panel ->

> Security Page and enabled the group policy Site to Zone Assignment

> list. I've added the sites I wish to add to the local Intranet, and

> exited.

>

> Now, when I log onto the desktop of the associated system as

> administrator, my IE settings come across. I go Tools -> Internet

> Options, then the security tab, I select the Local Intranet sites and

> all of my addresses I added are there. I can then freely browse any

> of the sites I wish, but I cannot add new sites. Not a big deal since

> I am looking to lock all of this information down anyways.

>

> My problem is is that when I log in as a user, I get nothing in the

> Local Intranet sites. Not only that, but the same problem is I can't

> add new sites. So not only are all of the sites falling under the

> Internet category, but I can't even tell users to add new sites now.

> I've tried also adding these sites to the Computer Settings as well to

> no avail, but if I do a RSoP, the policies show that they are being

> applied fine. Even if I go into the registry it clearly shows that

> the values are there (HKCU\Software\Policies\Microsoft\Windows

> \CurrentVersion\InternetSettings\ZoneMapKey or HKLM for the machine

> one's).

>

> In other words, everything seems like it is set up perfectly but it is

> simply not working. The machines I am adding these settings to are

> Windows Server 2003 Application Servers running in Terminal Service

> mode. The domain is all Server 2003.

>

> I've been playing cat and mouse with this for almost 2 days now and am

> at my wits end. I could use all the suggestions in the world.

>

> -Curtis

[Guest cbrunet]

Re: Managing IE6 in a Terminal Services Environment

 

Hi TP,

 

I did indeed play around with disabling IEES (through GP as well) with

mixed results. At times it would seem to disable it properly, and

others not. That originally stemmed from the user having to allow any

site they traveled to, and I attempted to stop that by removing IEES.

I did not try removing it manually on the box itself, but that is the

step I will be taking today on our test Citrix server.

 

On Sep 16, 4:13 am, "TP" <tperson.knowsp...@mailandnews.com> wrote:

> Hi Curtis,

>

> Have you disabled Internet Explorer Enhanced Security (IEES)

> for your user groups? This is done through Add/Remove Programs

> Windows Components.

>

> Site to Zone Assignments are stored separately for IEES enabled

> and IEES disabled. Unfortunately the Group Policy template is for

> IEES disabled mode. By defining the assignments using a GPO you

> effectively assigned an empty list of sites for users who have IEES

> enabled. For reference sake IEES sites are stored under the

> EscDomains (Enhanced security configuration Domains) key in the

> user's registry.

>

> -TP

>

> cbrunet wrote:

> > Greetings all,

>

> > I'm having some issues trying to manage Internet Explorer 6 through

> > Group Policy. I've setup a new GPO and associated it with the OU I

> > want. I've then gone User Configuration -> Administrative Templates -

> >> Windows Components -> Internet Explorer -> Internet Control Panel ->

> > Security Page and enabled the group policy Site to Zone Assignment

> > list. I've added the sites I wish to add to the local Intranet, and

> > exited.

>

> > Now, when I log onto the desktop of the associated system as

> > administrator, my IE settings come across. I go Tools -> Internet

> > Options, then the security tab, I select the Local Intranet sites and

> > all of my addresses I added are there. I can then freely browse any

> > of the sites I wish, but I cannot add new sites. Not a big deal since

> > I am looking to lock all of this information down anyways.

>

> > My problem is is that when I log in as a user, I get nothing in the

> > Local Intranet sites. Not only that, but the same problem is I can't

> > add new sites. So not only are all of the sites falling under the

> > Internet category, but I can't even tell users to add new sites now.

> > I've tried also adding these sites to the Computer Settings as well to

> > no avail, but if I do a RSoP, the policies show that they are being

> > applied fine. Even if I go into the registry it clearly shows that

> > the values are there (HKCU\Software\Policies\Microsoft\Windows

> > \CurrentVersion\InternetSettings\ZoneMapKey or HKLM for the machine

> > one's).

>

> > In other words, everything seems like it is set up perfectly but it is

> > simply not working. The machines I am adding these settings to are

> > Windows Server 2003 Application Servers running in Terminal Service

> > mode. The domain is all Server 2003.

>

> > I've been playing cat and mouse with this for almost 2 days now and am

> > at my wits end. I could use all the suggestions in the world.

>

> > -Curtis

[Guest cbrunet]

Re: Managing IE6 in a Terminal Services Environment

 

All servers did indeed show IEES as removed from the control panel.

Any other ideas? I'm double checking currently to see if loopback

processing is configured properly for the GPO, but if the settings are

showing up in the registry and in the RSoP, I do not believe it would

be a GPO setup issue.

 

On Sep 17, 8:33 am, cbrunet <darthk...@gmail.com> wrote:

> Hi TP,

>

> I did indeed play around with disabling IEES (through GP as well) with

> mixed results. At times it would seem to disable it properly, and

> others not. That originally stemmed from the user having to allow any

> site they traveled to, and I attempted to stop that by removing IEES.

> I did not try removing it manually on the box itself, but that is the

> step I will be taking today on our test Citrix server.

>

> On Sep 16, 4:13 am, "TP" <tperson.knowsp...@mailandnews.com> wrote:

>

> > Hi Curtis,

>

> > Have you disabled Internet Explorer Enhanced Security (IEES)

> > for your user groups? This is done through Add/Remove Programs

> > Windows Components.

>

> > Site to Zone Assignments are stored separately for IEES enabled

> > and IEES disabled. Unfortunately the Group Policy template is for

> > IEES disabled mode. By defining the assignments using a GPO you

> > effectively assigned an empty list of sites for users who have IEES

> > enabled. For reference sake IEES sites are stored under the

> > EscDomains (Enhanced security configuration Domains) key in the

> > user's registry.

>

> > -TP

>

> > cbrunet wrote:

> > > Greetings all,

>

> > > I'm having some issues trying to manage Internet Explorer 6 through

> > > Group Policy. I've setup a new GPO and associated it with the OU I

> > > want. I've then gone User Configuration -> Administrative Templates -

> > >> Windows Components -> Internet Explorer -> Internet Control Panel ->

> > > Security Page and enabled the group policy Site to Zone Assignment

> > > list. I've added the sites I wish to add to the local Intranet, and

> > > exited.

>

> > > Now, when I log onto the desktop of the associated system as

> > > administrator, my IE settings come across. I go Tools -> Internet

> > > Options, then the security tab, I select the Local Intranet sites and

> > > all of my addresses I added are there. I can then freely browse any

> > > of the sites I wish, but I cannot add new sites. Not a big deal since

> > > I am looking to lock all of this information down anyways.

>

> > > My problem is is that when I log in as a user, I get nothing in the

> > > Local Intranet sites. Not only that, but the same problem is I can't

> > > add new sites. So not only are all of the sites falling under the

> > > Internet category, but I can't even tell users to add new sites now.

> > > I've tried also adding these sites to the Computer Settings as well to

> > > no avail, but if I do a RSoP, the policies show that they are being

> > > applied fine. Even if I go into the registry it clearly shows that

> > > the values are there (HKCU\Software\Policies\Microsoft\Windows

> > > \CurrentVersion\InternetSettings\ZoneMapKey or HKLM for the machine

> > > one's).

>

> > > In other words, everything seems like it is set up perfectly but it is

> > > simply not working. The machines I am adding these settings to are

> > > Windows Server 2003 Application Servers running in Terminal Service

> > > mode. The domain is all Server 2003.

>

> > > I've been playing cat and mouse with this for almost 2 days now and am

> > > at my wits end. I could use all the suggestions in the world.

>

> > > -Curtis

[Guest TP]

Re: Managing IE6 in a Terminal Services Environment

 

Hi Curtis,

 

Does the problem occur with new users (newly-created profile)?

 

I ask because the IEES doesn't always work well when it needs

to modify existing profiles to reflect enabled/disabled status.

When a user logs on after disabling IEES they should see a

window come up like this:

 

Peronalized Settings

 

Removing personalized settings for:

 

%IEHARDENUSER_DESC%

 

This window is the Just-In-Time setup for IEES changing the user's

registry settings to reflect the disable.

 

Have you tried temporarily setting the Site to Zone Assignment List

to Not Configured? If it is working properly then a normal user should

be able to add sites after you make the change.

 

-TP

 

cbrunet wrote:

> All servers did indeed show IEES as removed from the control panel.

> Any other ideas? I'm double checking currently to see if loopback

> processing is configured properly for the GPO, but if the settings are

> showing up in the registry and in the RSoP, I do not believe it would

> be a GPO setup issue.

[Guest cbrunet]

Re: Managing IE6 in a Terminal Services Environment

 

On Sep 17, 10:39 am, "TP" <tperson.knowsp...@mailandnews.com> wrote:

> Hi Curtis,

>

> Does the problem occur with new users (newly-created profile)?

>

> I ask because the IEES doesn't always work well when it needs

> to modify existing profiles to reflect enabled/disabled status.

> When a user logs on after disabling IEES they should see a

> window come up like this:

>

> Peronalized Settings

>

> Removing personalized settings for:

>

> %IEHARDENUSER_DESC%

>

> This window is the Just-In-Time setup for IEES changing the user's

> registry settings to reflect the disable.

>

> Have you tried temporarily setting the Site to Zone Assignment List

> to Not Configured? If it is working properly then a normal user should

> be able to add sites after you make the change.

>

> -TP

>

> cbrunet wrote:

> > All servers did indeed show IEES as removed from the control panel.

> > Any other ideas? I'm double checking currently to see if loopback

> > processing is configured properly for the GPO, but if the settings are

> > showing up in the registry and in the RSoP, I do not believe it would

> > be a GPO setup issue.

 

Are you not expected to be able to add additional sites when using the

site to zone assignment list? In other words, it needs to be in the

"Not Configured" configuration for users to be able to add sites? I

can't have it supply a pre-set number of sites, but still allow users

to add additional ones in the future?

[Guest TP]

Re: Managing IE6 in a Terminal Services Environment

 

Hello again,

 

Not Configured = Users make Site to Zone Assignments

Enabled = Site to Zone Assignments set to list in the GPO

Disabled = Site to Zone Assignments are not permitted

 

You could do what you want with a script that adds the

sites to the user's registry at logon, or for new users you

could modify the Default User profile.

 

-TP

 

cbrunet wrote:

> Are you not expected to be able to add additional sites when using the

> site to zone assignment list? In other words, it needs to be in the

> "Not Configured" configuration for users to be able to add sites? I

> can't have it supply a pre-set number of sites, but still allow users

> to add additional ones in the future?