none
IE11 - Strange behavior on PDF files - Intranet and Internet RRS feed

  • Question

  • Hi,

    I'm currently have the issue, that mainly PDF files are handled different ways on each website.

    First example: I open a PDF file in our document management system (Intranet), I only can choose to save
    the file. If I open the catering menu pdf (Intranet), it opens directly in the IE11.

    Seconde example: I search google for any PDF (i.e. http://www.orimi.com/pdf-test.pdf), it opens within the IE11.
    If I open Outlook Webaccess, I only can download the file.

    In the past with IE 10, I have been asked to open or to save the file.

    Any idea what happened here? IE 11 is configured through GPO.

    Thank you for your help!

    Regards

    Alex

    Thursday, December 1, 2016 3:52 PM

Answers

  • Hi,

    for public websites that map automatically to the Internet zone, it also depends on how the web page has been coded.... If possible please include links to any websites that you are having problems with your questions so that we can visit them to investigate....

    Incorrectly coded object, embed or iframe tags that link to a pdf document will create two requests in the network stack in dev tools.

    another common problem with embed pdf documents is the setting on the Advanced tab of Internet Options - "Do not save encrypted files to disk". Regardless of which IE security zone a domain is mapped to if the site/page is using https, then any download link for pdf documents should/will use the same protocol as the top document URL...

    Typically home users will place public access sites like google or FB or yahoo etc... in their IE Trusted sites list and check the option to require secure protocol connections (https)...

    this is incorrect for a number of reasons... one being that the Trusted sites zone has a lower integrity security level eg. unsigned active X controls are allowed to run. Public access websites are designed to work with the default security levels that are found in the IE Internet Security zone....

    on your enterprise domain network, check your GPO settings for the IE Security zone sites lists, and only place the domains of your Business Partners that require the lower integrity zone (eg.. they may have unsigned in-house ActiveX controls on their site that your company has access to)

    On the client machines check what domains the user has placed in their Trusted sites list and also check that they are accepting the default security zone settings of your company... Tools>Internet Options>Security tab, click "Reset all zones to default".

    Finding out which IE security zone a domain/site is mapped to is not intuitive... use the File>Properties menu to determine which IE security zone a web site/page is mapped to...On client machines administered by GPO, domains added to zones by GPO do not appear in the clients' Internet Options>Security tab, Sites lists.

    You could use GPO to restrict users ability to access the security tab of Internet Options to make changes..."to try and get things to work" of their own volition.

    Regards.


    Rob^_^


    • Edited by 网游 - wang'you Sunday, December 4, 2016 10:36 PM
    • Marked as answer by Alex_Muc Monday, January 16, 2017 2:25 PM
    Sunday, December 4, 2016 10:32 PM

All replies

  • Hi Alex_Muc,

    According to your description, it could be caused by your Active X Control. Intranet and Internet have different seetings. We could check it.

    In Internet Explorer, enable the Acrobat ActiveX Control in the security options:

    Note: This procedure changes Internet Explorer’s security options for all ActiveX Controls. If you prefer to use stricter security, contact your Network Administrator about using the Administrator Approved setting in Internet Explorer’s Security panel.

    • Choose the appropriate zone for the location hosting the PDF file (for example, Internet or Local Intranet).
    • Click the Custom security level.
    • In the Security Settings dialog box, select Enable under Run ActiveX Controls and plug-ins, and then click OK.
    • Click OK in the Internet Properties dialog box.

    Hope it will be helpful to you


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 2, 2016 3:06 AM
    Moderator
  • Hi Carl Fan,

    thx for your Reply.
    Well I'm the admin, so I can't ask anybody else :)
    I'm running out of ideas, so that's why I asked here.

    In the GPO is configured only a few settings:

    Internet Zone -> Turn on Protected Mode -> Enabled
    Internet Zone -> Initialize and script ActiveX controls not marked as safe -> Disabled

    Intranet Zone -> Initialize and script ActiveX controls not marked as safe -> Enabled

    Advanced Page -> Turn on Enhanced Protected Mode -> Enabled

    Any ideas?

    Thank you!

    Friday, December 2, 2016 1:10 PM
  • PDF files are handled different ways on each website.

    Use the Developer Tools, Network tab to trace the download response in each case and look in the headers for significant differences.  Another test/workaround possibility is to use the Security settings Miscellaneous section to Disable MIME Sniffing.

    Good luck



    Robert Aldwinckle
    ---

    Friday, December 2, 2016 5:13 PM
    Answerer
  • Hi,

    for public websites that map automatically to the Internet zone, it also depends on how the web page has been coded.... If possible please include links to any websites that you are having problems with your questions so that we can visit them to investigate....

    Incorrectly coded object, embed or iframe tags that link to a pdf document will create two requests in the network stack in dev tools.

    another common problem with embed pdf documents is the setting on the Advanced tab of Internet Options - "Do not save encrypted files to disk". Regardless of which IE security zone a domain is mapped to if the site/page is using https, then any download link for pdf documents should/will use the same protocol as the top document URL...

    Typically home users will place public access sites like google or FB or yahoo etc... in their IE Trusted sites list and check the option to require secure protocol connections (https)...

    this is incorrect for a number of reasons... one being that the Trusted sites zone has a lower integrity security level eg. unsigned active X controls are allowed to run. Public access websites are designed to work with the default security levels that are found in the IE Internet Security zone....

    on your enterprise domain network, check your GPO settings for the IE Security zone sites lists, and only place the domains of your Business Partners that require the lower integrity zone (eg.. they may have unsigned in-house ActiveX controls on their site that your company has access to)

    On the client machines check what domains the user has placed in their Trusted sites list and also check that they are accepting the default security zone settings of your company... Tools>Internet Options>Security tab, click "Reset all zones to default".

    Finding out which IE security zone a domain/site is mapped to is not intuitive... use the File>Properties menu to determine which IE security zone a web site/page is mapped to...On client machines administered by GPO, domains added to zones by GPO do not appear in the clients' Internet Options>Security tab, Sites lists.

    You could use GPO to restrict users ability to access the security tab of Internet Options to make changes..."to try and get things to work" of their own volition.

    Regards.


    Rob^_^


    • Edited by 网游 - wang'you Sunday, December 4, 2016 10:36 PM
    • Marked as answer by Alex_Muc Monday, January 16, 2017 2:25 PM
    Sunday, December 4, 2016 10:32 PM
  • Hi Rob,

    you were right. It was the GPO - "Do not save encrypted files to disk". The strange things is, we had this option already enabled in IE10, but never had this behavior there. It started wih IE 11. Any idea why?
    For the moment I disabled it, so the users can work. Thanks!!

    Monday, January 16, 2017 2:20 PM
  • "

    you were right. It was the GPO - "Do not save encrypted files to disk". The strange things is, we had this option already enabled in IE10, but never had this behavior there. It started wih IE 11. Any idea why?"

    f12>Networking tab, click the start button to record network traffic... you will see encrypted content returned using https.

    encrypted== using the https protocol

    It has nothing to do with which IE Security zone a domain maps to Intranet or Internet. Your intranet DMS probably doesn't use it except for authentication... Most public websites do  serve pdf documents from https required nodes. In the wild it becomes an issue when bank web sites are placed in the IE Trusted Zone by users thinking it is more secure. PDF docs served using the https protocol won't be saved to the TIF for the reader application (eg. Adobe PDF ActiveX) to open it.


    Rob^_^

    Monday, January 16, 2017 9:01 PM