Tracing What IE Zone Settings Are Taking Effect

  • Question

  • Guys, I support many LOB applications that use IE11. To cut a long story short, one app in particular has elements that when clicked launch a new window where a PDF is displayed. When this window was launched for a certain group of users it was a blank white page but launched the PDF fine for others. I ran F12 tools net trace/dom explorer for both sets of users and could quickly see that the HTML returned for both was the same so why the blank page for one and OK for the other? Well, it turned out that the URL called for the PDF was prefixed with http:// and the calling page was https://. So we have mixed content here it seems. When I checked the users where the blank screen was displaying the Intranet Zone option 'Display Mixed Content' was set to 'Prompt'. On working users it was set to 'Enable' so problem identified (different GPOs applying for each set of users).

    Now, aside from the fact that when set to 'prompt' I would have expected just that, a prompt (:)) I would like to know if there's any way to track this kind of thing i.e. is there a way to trace when a certain Zone setting is passed/failed for a particular web request other than playing around with the settings?

    Thursday, October 19, 2017 8:43 PM

Answers

  • If I understand you correctly.....

    I'm asking though how to quickly detect something like this?

    my translation - how do you troubleshoot IE security settings?

    well.... you don't do any troubleshooting...your users should accept the default security zone settings that your company specifies in the GPO zone settings.... typically a user will try to tweak their IE security zone settings to 'try and get things to work'...

    First establish which IE security zone a site is mapped to from the File>Properties menu in IE...

    your company intranet sites should map to the Intranet zone.

    1. Instruct your users to reset their IE security zone settings... back to your default company settings as applied by GPO.

    Tools>Internet Options>Security tab, click "Reset all zones to default".

    (or you could with GPO, hide the IE Security zone settings to prevent user changes).

    For your developers: to debug websites and pages for security, markup, and blocked content issues using the built-in dev tool (F12), you must first go:

    Tools>Internet Options>Advanced tab, check "Always record developer console messages". Save changes.

    Now, when they debug your intranet site, the console of the dev tool will list security warnings. Your programmers should correct mixed content security warnings by using protocol-less URIs.

    eg. //foo.com instead of http://foo.com

    Generally one would not allow mixed content on company websites.... the solution lies in your programmers making the right coding choices, not in changing the default IE security zone settings or over-riding them with a GPO tweak.

    If you are the site programmer, then you should change your code, do not change the default security zone settings to work-around usability issues.

    Regards.

    Questions regarding Internet Explorer 8, 9 and 10 and Internet Explorer 11 for the IT Pro Audience. Topics covered are: Installation, Deployment, Configuration, Security, Group Policy, Management questions. If you are a consumer looking for answers or to raise a question, it's highly recommended you head on over to http://answers.microsoft.com/en-us


    Rob^_^

    • Marked as answer by shocko-tnet Monday, October 23, 2017 8:42 AM
    Friday, October 20, 2017 9:20 PM

All replies

  • Hi,

    PDF documents are opened in a hosted ActiveX control. eg. Adobe PDF Reader (see Tools>Manage Addons)

    There is also a security zone setting for scripted windows and popup blocking for each of the IE security zones.

    Some third-party browser addons include their own popup blocking features, which in turn can affect scripted windows outcomes.

    As PDF documents are displayed in a host ActiveX control object in MSIE browsers, they may also be blocked by the user's ActiveX filtering settings.

    The safest way to link to external resources from an intranet website is to use hyperlinks targeting a blank tab and using a protocol-less URI, e.g. <a rel="external" href="//public.website/pdfdocument.pdf" download="pdfdocument.pdf" target="_blank">

    A blank page opening a PDF document is typical when the user has turned on ActiveX filtering but has not added the site to their white lists.

    see https://blogs.msdn.microsoft.com/ie/2011/02/28/activex-filtering-for-consumers/


    Rob^_^

    Friday, October 20, 2017 2:00 AM
  • Hi Rob, thanks for the reply. I am aware of the zone settings required for this LOB app and they are as follows:

    Setting | Required Value
    Open windows without address or status bars | Enabled
    Allow script-initiated windows without size or positions constraints | Enabled
    Allow Scripting of Internet Explorer browser Control | Enabled
    Display mixed Content | Enabled

    Active-X filtering was not an issue. Specifically in this case a GPO has set 'Display Mixed Content' to 'Prompt' so the underlying cause is undisputed in my opinion. Setting it to enabled immediately resolved.

    I'm asking though how to quickly detect something like this?

    Friday, October 20, 2017 1:46 PM
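
One way to see which value is in effect for the settings listed in the post above, and whether a GPO or the user set it (an added example, not part of the original thread). The numeric URL action IDs, the registry locations and the precedence order are assumptions taken from general IE zone documentation and do not appear in the thread.

```powershell
# Added example: show where each Local intranet zone setting is defined and which value wins.
# Assumption: sources are listed in precedence order, first match wins.
$Zone = 1   # 1 = Local intranet
$Actions = [ordered]@{
    '1609' = 'Display mixed content'
    '2104' = 'Open windows without address or status bars'
    '2102' = 'Allow script-initiated windows without size or position constraints'
    '1206' = 'Allow scripting of Internet Explorer browser control'
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Suffix  = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
$Sources = [ordered]@{
    'HKLM policy (computer GPO)' = "HKLM:\SOFTWARE\Policies\$Suffix"
    'HKCU policy (user GPO)'     = "HKCU:\Software\Policies\$Suffix"
    'HKCU (user setting)'        = "HKCU:\Software\$Suffix"
    'HKLM (machine default)'     = "HKLM:\SOFTWARE\$Suffix"
}

function Get-ZoneActionReport {
    foreach ($id in $Actions.Keys) {
        $found = @()
        foreach ($src in $Sources.Keys) {
            $item = Get-ItemProperty -Path $Sources[$src] -Name $id -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }      # not defined at this location
            $raw  = [int]$item.$id
            $text = if ($Meaning.ContainsKey($raw)) { $Meaning[$raw] } else { "raw $raw" }
            $found += [pscustomobject]@{ Source = $src; Value = $text }
        }
        [pscustomobject]@{
            Id        = $id
            Setting   = $Actions[$id]
            Effective = if ($found) { $found[0].Value }  else { 'not set' }
            SetBy     = if ($found) { $found[0].Source } else { '-' }
            AlsoSetAt = ($found | Select-Object -Skip 1 |
                         ForEach-Object { "$($_.Source)=$($_.Value)" }) -join '; '
        }
    }
}

Get-ZoneActionReport | Format-Table -AutoSize -Wrap
```

Run it in the affected user's own session, since the HKCU locations are per user; comparing the output from a working and a failing user shows which setting differs and which source supplied it.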
  • Of course users should accept the settings but that is in Utopia :). Developers often have relaxed settings on Dev machine and can easily miss things when developing LOB apps. You are of course correct that the https site should not call a non-https internal URL but that particular app has some TLS 1.2 issues and hence it can't currently. Regardless, the advanced setting you sent me namely:

    • Tools>Internet Options>Advanced Tab->Always record developer console messages

    Monday, October 23, 2017 8:42 AM