locked
IE9 stopped playing YouTube videos under standard user context RRS feed

  • Question

  • Hi all,

    Recently approx. 100 users cannot play YouTube videos in IE9. The videos work for some when using Chrome and not for others. When I elevate to domain/local admin account, all videos play as expected. 

    I haven't made any changes to the IE config and I have been assured that no changes have been made on the Sophos UTM (VM) firewall.

    My questions are; how can I compare the difference in IE settings between the standard user and the admin user? RSOP data will only give me applied or not applied GP settings. And does anyone know of a fix for the overall issue? 

    Thank you very much for taking the time to have a squizz. 

    Tuesday, November 12, 2013 12:14 AM

Answers

  • Hi,

    first, select File>Properties to determine which IE Security zone youtube maps to on each account (user v domain admin)

    then use Internet Options>Security tab>Security zone tab to compare the settings.

    I would guess that users have scripting of activeX disabled for the zone where they are mapping youtube.com

    Probably users or GPO has placed youtube and google in the Trusted Sites zone...

    (consider using GPO to restrict user ability to add/remove zone sites)

    youtube uses account.google.com for visitor validation and tracking. IE has security settings to prevent navigation to lower security zones and XSS filtering...

    the best strategy is to remove public access sites like google and youtube from the IE trusted sites lists... Security is actually less strict for sites placed in the trusted sites lists.

    Always the first step in troubleshooting IE issues is to test in no-Addons mode.... the second is to check that the user has choosen the default IE Security zone settings...

    MSIE browsers differ fundamentally from other browsers in the security model and the addons model... If it works in other browsers but not MSIE, then it will be an addon issue or an IE Security zone issue. Failing that it will be a website coding issue.


    Rob^_^

    Tuesday, November 12, 2013 6:12 AM

All replies

  • Hi,

    first, select File>Properties to determine which IE Security zone youtube maps to on each account (user v domain admin)

    then use Internet Options>Security tab>Security zone tab to compare the settings.

    I would guess that users have scripting of activeX disabled for the zone where they are mapping youtube.com

    Probably users or GPO has placed youtube and google in the Trusted Sites zone...

    (consider using GPO to restrict user ability to add/remove zone sites)

    youtube uses account.google.com for visitor validation and tracking. IE has security settings to prevent navigation to lower security zones and XSS filtering...

    the best strategy is to remove public access sites like google and youtube from the IE trusted sites lists... Security is actually less strict for sites placed in the trusted sites lists.

    Always the first step in troubleshooting IE issues is to test in no-Addons mode.... the second is to check that the user has choosen the default IE Security zone settings...

    MSIE browsers differ fundamentally from other browsers in the security model and the addons model... If it works in other browsers but not MSIE, then it will be an addon issue or an IE Security zone issue. Failing that it will be a website coding issue.


    Rob^_^

    Tuesday, November 12, 2013 6:12 AM
  • Thanks heaps Rob, this was really helpful! I did what you suggested and compared all the settings between the different accounts regarding zones and custom security settings. This helped me narrow it down to the proxy which I am still to resolve (Sophos). 

    It would be very handy to be able to access an xml configuration rather than do all this manually. Do you know a way? I'd be able to let powershell find all the differences. 

    Thank's for your quick reply and help, I haven't fixed the issue as yet, but I have ruled quite a bit out. 

    Friday, November 15, 2013 10:02 PM
  • Hi,

    IEAK Profile Editor.

    or

    http://Fiddlertool.com (uses its own proxy, so if the domain sends back a 200 response you know its YOUR proxy)

    or

    the Networking tab on the Developer tool will show you the response codes from the server proxy

    Regards.


    Rob^_^


    Friday, November 15, 2013 11:55 PM
  • No but it has different permissions on the firewall/proxy. My team were saying it was definitely not the proxy, but after firstly comparing settings and then creating and activating a bypass rule, it can only be these differing permissions. 

    But there has (supposedly) been no change on the proxy and it being a silly Sophos (so called) appliance, I'm not all that much closer to resolution without defining some extra trust for standard users. 

    Saturday, November 16, 2013 3:28 AM