Site to Zone propagation not functioning properly (have to reset IE to default settings before it works).

  • Question

  • Hello All,

    I have been having an issue with site to zone propagation via GPO that has me perplexed.  I'll provide environment details first and then explain what I've done.

    Cloud-based environment with two Windows 2008R2 servers (one DC and one functioning as a workstation) and 4 Linux servers (which I only mention because the internal website we access resides on one of them but for all intents and purposes they are irrelevant) running IE 11, and both servers have all up-to-date patches.  IE ESC is disabled on both systems as this was seeming to prevent GPO propagation of our Intranet Site in the Intranet Zone on both the server and workstation via GPO.  Terminal Services (RDP) is being used to access both servers.

    I've run gpupdate /force and the policy propagates properly to push *.test.com (that is strictly an example) to each server and it sporadically applies to my test accounts.  I've come to the conclusion that everything in the background is working properly; however, the point of issue is when you log on using a brand new test account with proper (non-administrative) groups and permissions.  How I've come to this conclusion is because when you log on to a new user account for the first time and launch IE 11 it gives you the chance to set up IE for the first time, disregard setting it up, or just cancel out altogether.  It doesn't appear to matter what I do as it disables the Zones and doesn't show the *.test.com site that I am pushing.  HOWEVER, if I go to the Advanced tab of Internet Settings and hit the Reset Internet Settings button and log off/reboot and then log back on, the site shows up properly and I am able to edit the various zones.

    Why this is an issue is that we are developing a test environment that allows us to provision accounts to Active Directory and create workflows that send notifications to new users.  The new user receives their credentials (not via email) and logs on and is able to request other services and is granted these by workflow approvals from management.  The user should only need to launch IE and enter the URL (which we'll be pushing by GPO homepage setting) to get to the provisioning application and Single Sign-on (SSO) is enabled and functioning properly within the environment.  It is functioning to such a degree that a user should only need to use a PIV card and corresponding PIN number to logon to the workstation and then through SSO launch IE 11 (or Firefox or Chrome as we're agnostic) to get to the provision application.  Due to something within IE 11 we are unable to make this a truly seamless process for new users as we can't just say logoff and back on and it will work.

    Final notes, this is a TEST/DEV environment and there is no fear of a "user" fouling up the works as the only ones with access to the site and user accounts are the development and support team (very small).  So please no comments regarding maintaining access vs security as this is not necessary at this part of the project (we've already got multiple levels of security and certificates in place, etc, etc).

    I hope that I've explained everything clearly as possible and I'm hoping others have had a similar problem and that an easy resolution is available.  Once again, I can make things work, however this needs to be a seamless process going forward.  I've already read through numerous blogs on the issue and I know that others have/are experiencing problems like this.

    Best regards

    Monday, March 9, 2015 8:15 PM

Answers

  • RonK2015,

    Did you mean all your clients are Windows Server 2008R2?

    If yes, the registry is indeed not available.

    You could refer to the script below:

    Reset all Internet Explorer settings to default using PowerShell.

    https://gallery.technet.microsoft.com/scriptcenter/Reset-Internet-Explorer-20f838e7

    For further help with the script content, I suggest you ask in the script forum for professional help.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, March 16, 2015 8:13 AM
    Moderator

All replies

  • Hi,

    Did this issue occur on all Internet Explorer 11 in your domain environment?

    Please collect the gpresult log when this issue occurs (don't reset and re-log) for analysis:

    Run the "gpresult /h gpreport.html" command to save the report in HTML format with the file name "gpreport.html" in the C:\Windows\System32\ directory.

    Open this file to check if this group policy was applied successfully.

    Meanwhile, read this familiar thread:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/70b2dd7e-833c-4240-92e0-9b865e917307/trusted-sites-and-internet-zone-security-level-gpo-is-not-applying-in-windows-server-2008-r2?forum=winserverGP



    Tuesday, March 10, 2015 7:16 AM
    Moderator
  • Thank you for the response.  I just noticed using a brand new user that when I open IE 11 for the first time without a homepage it shows a page indicating that IE ESC is Enabled when in fact it is disabled on the system.  When I reset the internet settings, logoff and then back on it shows the same type of page however it shows it as Disabled. When I look in Intranet Zones my policy has been applied.

    Is it possible to use a GPO to reset internet settings at Logon as this is what is correcting the issue?

    Tuesday, March 10, 2015 5:29 PM
  • BTW, yes it happens on both servers in the environment and both servers have IE11.  I'll have to test it again using the gpresult command you mentioned as well to see what is occurring but I do not believe it is the application of the GPO and it has something to do with IE showing that IE ESC is still enabled when it is not.
    Tuesday, March 10, 2015 5:31 PM
  • I ran the report and it shows that group policies are being applied properly.  Nothing is in error.
    Tuesday, March 10, 2015 6:46 PM
  • Hi,

    Did you run this report before you reset the internet settings, logged off and then back on?

    Did it take effect if you only rebooted the computer without resetting Internet Explorer?

    I have run a test on my lab machine, Windows Server 2008R2 DC, Windows 7 client with Internet Explorer 11.

    Everything works fine. I didn't need to reboot or reset Internet Explorer.

    Thus I suggest you build a test environment -> one Server and one client without any other Server or setting to check the result.

    Alternatively, you could push the related registry to achieve this:

    HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

    HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey

    For more information, please read this article:

    How to configure Internet Explorer security zone sites using group polices

    http://blogs.msdn.com/b/askie/archive/2012/06/05/how-to-configure-internet-explorer-security-zone-sites-using-group-polices.aspx

    In addition, setting a logon script to reset Internet Explorer is available. However, it would reset every time a user logs on.




    Thursday, March 12, 2015 8:15 AM
    Moderator
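
    A way to see what the Site to Zone Assignment List policy actually wrote for the logged-on user, shown here as an added example that is not part of the original thread. It assumes the list is stored as values under the ZoneMapKey policy subkey in both hives, with zone numbers 1 to 4; the function name is hypothetical.

```powershell
# Added example (not from the thread): list policy-delivered Site to Zone entries
# for the machine and for the current user. Run it inside the affected user's session.
$zoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }
$suffix = 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-ZoneMapKeyEntry {          # hypothetical helper name
    param([string]$Hive)                # 'HKLM' or 'HKCU'
    $path = "${Hive}:\$suffix"
    if (-not (Test-Path $path)) {
        Write-Warning "$path not found: no Site to Zone list delivered by policy in $Hive"
        return
    }
    $key = Get-Item $path
    foreach ($site in $key.GetValueNames()) {
        if (-not $site) { continue }    # skip the unnamed default value
        $zone = [string]$key.GetValue($site)
        $name = $zoneNames[$zone]
        if (-not $name) { $name = "Unknown ($zone)" }
        # A wildcard entry in Intranet or Trusted Sites extends that zone's relaxed
        # settings to every matching host, so flag it for review.
        $broad = $site.Contains('*') -and ($zone -eq '1' -or $zone -eq '2')
        New-Object PSObject -Property @{
            Hive = $Hive; Site = $site; Zone = $name; BroadWildcard = $broad
        }
    }
}

'HKLM', 'HKCU' | ForEach-Object { Get-ZoneMapKeyEntry $_ } |
    Format-Table Hive, Site, Zone, BroadWildcard -AutoSize
```

    If the entries are listed here but the zone still does not show the site in IE, the policy data has been delivered and the problem lies in how IE reads it for that profile.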
  • Thank you for the response.  Can you paste in the information for the logon script?  The GPO works once IE11 internet settings are reset for the new user.  Your workstation is Win 7; however, mine is a 2008R2 server.  We are only able to log on via terminal services.  (Ironically, Chrome doesn't set a home page either when you set its master_preferences file.)
    Thursday, March 12, 2015 8:29 PM