Internet Explorer Enhanced Security Configuration Problems

  • Question

  • Alright so let me start by saying that I've looked high and low and tried all other fixes I've been able to find on TechNet and elsewhere and this problem still occurs. We have two Terminal Servers, one having the problem and one not having the problem. I cannot find any differences on them so I am here hoping someone else may have some answers. The core problem is that we have some Group Policy IE settings that will not apply to a user until they reset IE. After that they never have another problem with it. So, the server is Windows Server 2008 R2 Standard SP1 and we are using IE8 because of some special medical software that requires it.  IE ESC is turned off for both Standard and Administrative users on the server.  I have tried turning it back on and then off and logging in with a brand new user; I tried turning it on, rebooting then turning it off, rebooting again and then logging in with another brand new user.  I know that turning ESC on or off changes a registry key also, and I did verify that it is off per that registry key.

    When a new user logs in and tries to access any webpage from Google to a site that is in the Trusted Sites list, they get the popup that says, "Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration" and then they're given the choice to check the box not to continue notifying them.  While that does not continue notifying them, nothing we have set in Group Policy for IE - Trusted Sites, Trusted Sites Settings, Popup Blocker Settings - is set accordingly until IE is reset.  I have tried using IE 32-bit, IE 64-bit and IE No Addons.

    Again, we have two Terminal Servers that are set up seemingly identical but we're having this problem in one.  Any help would be most appreciated. 

    Tuesday, January 20, 2015 10:11 PM

Answers

  • Hi jon_crown,

    My apologies, I suppose I did not make my point clearly.

    This “issue” has been reported as a known “issue” since the 2003-based terminal server. And we could also consider this to be by design.

    You could refer to this link for more information

    https://social.technet.microsoft.com/Forums/ie/en-US/e12693b3-c3e7-450e-8dfc-3b5bca29ce96/disable-ie-enhanced-security-does-not-work-rdssession-host-2008-r2?forum=winserverTS

    About the Internet Explorer group policy: some GPOs change the registry settings, which may not take effect until you close IE (all processes), log off or even restart the computer, especially for some advanced settings in Internet Explorer, and this is by design. If a policy is already defined, you might need to click Reset Browser Settings or even delete some personal settings before you can place this policy in Preference mode. When you reset the browser settings, any policy settings that are specified to that Group Policy are reset.

    We also know that this is an old issue that has carried over to new Windows Servers, where IE Enhanced Security, even when you have disabled it from the UI, does not properly update.

    Many users reported that using that bat file could affect existing users and new users at the same time. So we suggest you give it a try.

    For more resolutions to this issue, you could refer to article 93991

    http://support.microsoft.com/kb/933991

    Regards

    Hi DWNewfolder, thanks for the first link you sent! I read through that and found a comment that actually did the trick for me.  I found that the IEHarden user key was being added for all new users, so I created a registry entry in my 2008 R2 Domain Controller that updated it. That seemed to do it for me.  Thanks!

    • Marked as answer by jon_crown Tuesday, February 3, 2015 4:35 AM
    Tuesday, February 3, 2015 4:34 AM
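
Added example (not from the thread or from Microsoft): a read-only PowerShell check for the mismatch the accepted answer describes, where ESC is switched off machine-wide but IEHarden is still set in a user's hive. The Active Setup component GUIDs, the IsInstalled value and the ZoneMap location of IEHarden are the commonly documented locations and are assumptions here, not values quoted on this page.

```powershell
# Added example: read-only audit of IE ESC state, machine-wide vs. per-user.
# Assumed locations (not quoted on this page): Active Setup GUIDs, IsInstalled, IEHarden.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$escComponents = @{
    Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}
$zoneMap = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Machine-wide switch toggled from Server Manager: IsInstalled 1 = ESC on, 0 = off.
$machine = @{}
foreach ($role in $escComponents.Keys) {
    $machine[$role] = Get-RegValueOrNull "$activeSetup\$($escComponents[$role])" 'IsInstalled'
}

# Per-user state: IEHarden in every loaded user hive (logged-on sessions on the TS).
$report = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid = $_.PSChildName
        $harden = Get-RegValueOrNull "Registry::HKEY_USERS\$sid\$zoneMap" 'IEHarden'
        New-Object PSObject -Property @{
            Sid      = $sid
            IEHarden = $harden
            # The thread's symptom: ESC off for Users machine-wide, still hardened per user.
            Mismatch = ($machine['Users'] -eq 0 -and $harden -eq 1)
        }
    }

"Machine ESC (IsInstalled): Administrators=$($machine['Administrators']) Users=$($machine['Users'])"
$report | Select-Object Sid, IEHarden, Mismatch | Format-Table -AutoSize
```

Run it elevated on the affected session host while the test users are logged on, since only loaded hives appear under HKEY_USERS.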

All replies

  • Hi,

    The Trusted zone has lower integrity... IE has security settings preventing navigation into a zone of lower integrity... Public access sites like Google should NOT be placed in the Trusted Zone. Google search results pages use click-through links that first request the Google servers then redirect to the result URL. The Trusted sites list is mostly used for B2B communication (business (intranet) to business (extranet)). Review your lists of 'trusted' sites.


    Rob^_^

    • Proposed as answer by Deason Wu Wednesday, January 21, 2015 8:23 AM
    Wednesday, January 21, 2015 1:13 AM
  • Hi Rob, I'm sorry, I didn't state that well.  Google is not a Trusted Site.  What I was trying to say is that any site that is visited gives the ESC popup, whether it is one set as Trusted through Group Policy or not.  The policy is actually applying.  I can run gpresult /r and see that the policy has applied.  For some reason IE ESC still thinks it is turned on and is preventing the settings from applying.  As soon as a reset of IE is applied, no logout or refresh of Group Policy needed, closing IE and reopening it causes ESC to not popup anymore and all group policy settings are applied. The core problem is that Enhanced Security Configuration is still somehow turned on and is preventing the group policy settings from applying.  That's what I'm hoping someone can help me sort out.
    Thursday, January 22, 2015 8:05 PM
  • Hi jon crown,

    To disable IE Enhanced Security for both Windows 2003 / Windows 2008 and 2012 TS Servers, the key is that you have to execute the files while logged on with the problem user.  Basically, once your user has these settings on their profile, the only way to remove them is to either delete the profile and let it re-create again.

    Please refer to this article, it might be exactly what you are facing.

    http://blogs.msdn.com/b/askie/archive/2009/06/23/how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx

    Regards


    • Edited by Deason Wu Monday, January 26, 2015 4:24 AM
    Monday, January 26, 2015 3:42 AM
  • Hi DiWuNewfolder, thanks for your reply. I looked at that link but it looks like he is just telling you how to disable enhanced security on server 2003 using a batch file and then goes on to describe the proper way to do it in server 2008 via server manager, which I have already done on my servers.  Please let me know if you think I'm reading it wrong. I saw a link at the bottom by the same author though that describes exactly the problem that I'm having. I looked through everything already and vetted it out and I'm not seeing anything that he describes and I'm also still having the problem. Here's the link:

    http://blogs.msdn.com/b/askie/archive/2012/09/11/disable-ie-enhanced-security-does-not-work-in-windows-2003-and-2008-remote-desktop-services-terminal-services-host.aspx

    Please let me know if you have any other thoughts. Thanks!


    • Edited by jon_crown Friday, January 30, 2015 1:11 AM wrong link
    Wednesday, January 28, 2015 1:37 AM
  • Hi jon_crown,

    My apologies, I suppose I did not make my point clearly.

    This “issue” has been reported as a known “issue” since the 2003-based terminal server. And we could also consider this to be by design.

    You could refer to this link for more information

    https://social.technet.microsoft.com/Forums/ie/en-US/e12693b3-c3e7-450e-8dfc-3b5bca29ce96/disable-ie-enhanced-security-does-not-work-rdssession-host-2008-r2?forum=winserverTS

    About the Internet Explorer group policy: some GPOs change the registry settings, which may not take effect until you close IE (all processes), log off or even restart the computer, especially for some advanced settings in Internet Explorer, and this is by design. If a policy is already defined, you might need to click Reset Browser Settings or even delete some personal settings before you can place this policy in Preference mode. When you reset the browser settings, any policy settings that are specified to that Group Policy are reset.

    We also know that this is an old issue that has carried over to new Windows Servers, where IE Enhanced Security, even when you have disabled it from the UI, does not properly update.

    Many users reported that using that bat file could affect existing users and new users at the same time. So we suggest you give it a try.

    For more resolutions to this issue, you could refer to article 93991

    http://support.microsoft.com/kb/933991

    Regards

    Friday, January 30, 2015 9:49 AM
  • I added my comments below to your comments from our askie msdn blog:

    http://blogs.msdn.com/b/askie/archive/2015/01/27/10348389.aspx

    Comments: The article support.microsoft.com/.../933991 explains the situation.

    How was the Terminal Server built?

    Normally, if you stage your TS to be an application server, you should disable Enhanced Security for the Users and use other Security Zone GPOs to manage your security.

    The blog blogs.msdn.com/.../how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx has the entries normally affected when IE Harden (IE Enhanced Security) is enabled.

    Also, consider that if your default profile has these settings and the newly created profiles inherited the settings from it, these will also have the setting. So, you have to work on cleaning up your default profile, and the best way is to make sure you log in with a local administrator or domain account and either enable and disable the IESC again from Server Manager or run the batch file.

    You can also add the URLs to the EscDomains keys [Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains] for their respective zone and that should also allow the users to access the site.

  • MORE: So, I would expect that something is left behind that is causing your problem and it will take more troubleshooting to find out what is happening with this TS setup / configuration.

    Ultimately, the reason why the other GPO may not be working is because the ESC is preventing it. So, disable both Admin and User ESC and try again. Repeat the process as mentioned in my previous comment. Make sure IExplore is not running. Run your GPupdate /Force after you have disabled it and test. The Administrator portion needs to be disabled if you are testing with that account and performing your test!

Friday, January 30, 2015 3:14 PM