IE11 Compatibility sites (ClearableListData\UserFilter) resetting after being set from login script after 2-3 minutes.

  • Question

  • Hello,

    Please note all testing has been done on Windows 10 1709 and 1803.

    We are a financial institution and have the need to set compatibility view mode for The Federal Reserve.  The sites are 170.209.0.2 and 170.209.0.3 (they are only accessible at a Financial institution with a Federal Reserve VPN router).  

    We've tried a login script method via Desktop Authority to set this registry key and we've also tried GPO to set this registry key.  The key is HKU\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData\UserFilter.  Desktop Authority sets the key without issue.  GPO does not, so for this case we will continue to use Desktop Authority to set the key at login (or by running the login script out of the NETLOGON share).

    Upon initial logon this is working as we check the Compatibility View Settings under IE11's Gear menu.  We see these two sites plus 10 others.  The site list was created on one machine and then exported as a reg key.  I run process explorer and filter on Operation is RegSetValue and path contains UserFilter.  I see our Desktop Authority login script correctly set this key, and it's 518 bytes long.  I launch IE and the sites are all there.  But then at some point, usually a minute or two later after closing IE, there are 10 additional RegSetValue from rundll32.exe slowly chipping away at the UserFilter registry key (going from 518 bytes to 476, 436, 388, 356, 298, 254, 216, 184, 144 then finishing on 104 bytes).  

    Now going into IE after rundll32.exe manipulates this key, all of those preprogrammed sites are GONE, except for two, 192.168.1.9 and myappro.com.  These two are also in the bigger list so I'm not sure why only these two survive.  I checked group policy and I cannot find anywhere this is being set, that's why I resorted to Process Monitor to try to figure out what is setting this.  In the stack trace for rundll32.exe I see two items from inetcpl.cpl which are ShowHelpPageW and ClearMyTracksByProcessW using rundll32.exe so it looks like that is what is setting this key.

    Any idea how or where it's getting the two compatibility sites from?  We do have a GPO set to delete history on exit, but if that were to delete compatibility sites, then ALL sites should be removed, not just two leftovers remaining in the list.

    Unfortunately talking to the Federal Reserve's tech support is like speaking to a brick wall.  They don't want to hear ANYTHING because they have their guard up all the time.  The security there is very tight.  They do not want to hear that setting X-UA-Compatible meta tag to the HTTP headers of their site would automatically make this work.  The problem is if we go to do a wire transfer on their site, it's just a blank white screen UNLESS it's in compatibility view.  They will not support other browsers (Edge, Firefox, Chrome).  IE 11 must be used or the site will not work.

    Thanks for your assistance.


    • Edited by KJSTech1 Tuesday, August 7, 2018 2:34 PM
    Tuesday, August 7, 2018 2:33 PM

All replies

  • Hi,

    Use the MACHINE hive in GPEdit to add sites to the IE Trusted Sites list (Trusted sites zone), not the current user.

    Use the File>Properties menu in IE to confirm that the secure sites are mapped to the IE security zone you expect.... from your description it sounds like you are mapping the external sites to your IE Intranet zone... to force IE11 to use Compatibility View (IE7 emulation).

    On your network, you should manage legacy backward compatibility with Enterprise Site Mode lists.

    To debug compatibility issues in IE11:

    1. First go to Tools>Internet Options>Advanced tab, check "Always record developer console messages". Save changes.

    2. Open IE and navigate to the external site and then press the f12 key to display the dev tool. On the Console tab it will list markup, blocked content and security messages and warnings.

    On the Emulation tab it will list the IE version that it is emulating, and how it was established.

    expected: IE8 Enterprise Mode - Enterprise site mode lists,

    probably: IE7 - Display intranet sites in compatibility view.

    or - IE11 (default)

    Use the File>Properties menu in IE to determine which IE security zone the site is mapped to (machine applied hosts in gpo do not appear in client Internet Options). expected Trusted zone.

    Use the about:compat page in IE11 or Edge to list the machine's IE11 Compatibility settings to confirm that the external hosts are configured to use a lower emulation mode.

    You can use the Networking tab of the f12 tool or another network sniffing tool like Fiddler to inspect the requests and responses.

    Also under the machine key in GPO, you may have to disable the setting to
    "Send do not track headers".

    If they are using geo-tracking, you will need to configure Windows 10 Privacy settings to allow websites (even those using IE11) to access the machine's geo settings.

    Regards.


    Rob^_^

    Wednesday, August 8, 2018 2:48 AM
  • Great advice, not just for me but for others reading as well.  It seems that when the GPO is set to clear browsing history on exit, the rundll32.exe forces UserList registry key to default to a list with only two sites in it (Not sure where that's coming from).

    We resolved it by changing the GPO Clear browsing history on exit to "Not Configured".  Obviously this has ramifications as now users will have to manage their own deletion of history, cookies and cache.

    On login the UserList key populates and it remains populated with the sites we need.  It is no longer overwritten 2 minutes after closing IE.

    We do use IE Enterprise mode as well, but we are not allowed for the Federal Reserve's sites.  We used to use it, however this past Monday they somehow detected its use and show a full screen splash page warning that the latest version of IE 11 needs to be used, the site needs to be in compatibility mode, and you cannot use Enterprise mode.  I was surprised they explicitly stated that.  I had to change those sites to "Default" in our sites.xml file we have on one of our internal webservers where Enterprise mode sites are defined.

    It seems that their wire transfer site only works on IE 11 Desktop, document mode 11 and ONLY when the site is added to the compatibility view settings.  I tried adding it to "Use list of Internet Explorer 7 compatible sites" in GPO but that did not work (still blank white screen on the site). 

    We don't show this key even exists in HKLM \Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData\  It only appears under HKCU.  Are you suggesting if we put it in HKLM it would stay permanent even if we clear browser history on exit?

    Ideally I'd like a way to keep the compatibility view settings site list permanent, even if a user clears browsing history, or we force it to clear on exit via GPO.  It doesn't look like I can do that at this point.  Heck I couldn't even go into F12 developer tools to see what document mode IE is rendering technet forums on.  IE freezes.  I'm posting this in Chrome, it's more stable.

    • Marked as answer by KJSTech1 Friday, August 17, 2018 8:06 PM
    Wednesday, August 8, 2018 12:15 PM
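
An added example, not part of the thread and not code from either poster: a PowerShell polling loop that logs every change in size and hash of the per-user UserFilter value, so the rewrite observed in Process Monitor (518 bytes shrinking to 104) can be confirmed on other machines, and that first reports whether the "Clear browsing history on exit" policy is applied. The policy registry locations and the log file name are assumptions here; confirm the policy source with gpresult.

```powershell
# Added example: watch the Compatibility View list for silent rewrites.
$keyPath   = 'HKCU:\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData'
$valueName = 'UserFilter'
$logFile   = Join-Path $env:TEMP 'UserFilter-watch.log'   # hypothetical log location

# Assumed registry locations of the "Clear browsing history on exit" policy value.
$policyPaths = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Privacy',
               'HKCU:\Software\Policies\Microsoft\Internet Explorer\Privacy'

function Get-UserFilterState {
    # Return length and SHA-256 of the binary value, or a marker if it is missing.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [pscustomobject]@{ Length = 0; Hash = 'absent' } }
    [byte[]]$bytes = $item.$valueName
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { $hash = [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-' }
    finally { $sha.Dispose() }
    [pscustomobject]@{ Length = $bytes.Length; Hash = $hash }
}

function Write-WatchLog([string]$message) {
    $line = '{0:u} {1}' -f (Get-Date), $message
    $line                                   # show on the console
    Add-Content -Path $logFile -Value $line # and keep a record
}

# Report whether the history-clearing policy is in force for this machine or user.
foreach ($p in $policyPaths) {
    $prop  = Get-ItemProperty -Path $p -Name ClearBrowsingHistoryOnExit -ErrorAction SilentlyContinue
    $state = if ($null -eq $prop) { 'not configured' } else { $prop.ClearBrowsingHistoryOnExit }
    Write-WatchLog "Policy ClearBrowsingHistoryOnExit at $p : $state"
}

$last = Get-UserFilterState
Write-WatchLog "Baseline $valueName : $($last.Length) bytes, sha256 $($last.Hash)"

# Poll every 5 seconds; several writes in quick succession may be logged as one change.
while ($true) {
    Start-Sleep -Seconds 5
    $now = Get-UserFilterState
    if ($now.Hash -ne $last.Hash) {
        Write-WatchLog "$valueName changed: $($last.Length) -> $($now.Length) bytes, sha256 $($now.Hash)"
        $last = $now
    }
}
```

Run it in the affected user's session after the login script has populated the list, then open and close IE; stop it with Ctrl+C.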
  • Hi,

    For a secure wire transfer web site, launch IE11 in inprivate mode. InPrivate mode does not record site or third-party cookies, nor record any history data.

    Before proceeding further consider...

    Ideally you would use kiosk mode instead, launched from a desktop link with iexplore.exe -k -private "https://wiretransfer.com" (place the url in quotes "" in the link file location field), if you are installing to a stand alone terminal to a secure website. You would then use GPO current user (or a guest account) to lock down the windows shell (access to the taskbar, file system etc).

    You would not have to configure IE's compatibility view with enterprise mode or GPO settings since the site displays fine in IE11 emulation mode.

    or

    a custom version of IE using the WBC (Web Browser Control) (or a windows Universal application).

    You can completely lockdown the client terminal and manage website compatibility with FEATURE_CONTROL_BROWSEREMULATION values in the registry.

    <quote>

    We don't show this key even exists in HKLM \Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData\ 

    </quote>

    The key is created when you edit the Machine node in GPEdit for Clearable List Data or you can manually create the key in the registry.

    If you use the InPrivate switch, you don't have to worry about clearing the history or cookies. Web search for "VBA, scripting IE, Kiosk applications, stackoverflow" for ideas about creating a dedicated web browser.

    Regards.


    Rob^_^

    Thursday, August 9, 2018 3:01 AM