[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Internet Explorer Enhanced Security Configuration

Posted on 2003-11-20
10
Medium Priority
?
1,674 Views
Last Modified: 2008-01-09
Setup:

2x Windows 2000 domain controllers
3x Windows 2000 Advanced Server's running Terminal Services
2x Windows 2003 Server Enterprise Edition servers running Terminal Services
1x Windows 2000 Server running IIS for web hosting

One of the applications used through terminal services is a web based application that uses some Java script. This program runs fine when logging onto a 2k Apps server, but when you logon to the new 2003 servers the application gives the following error message when launching IE:

"Content within this application coming from the website listed below is being blocked by Internet Explorer Enhanced Security Configuration. http://192.168.2.253. If you trust this web-site you can lower your security configurations . . . .etc."

Users are then prompted to add this site to thier trusted sites zone to be able to procede. Once added the problem goes away for this user.

The problem is, there are thousands of users and we need this software to work seemlessly without any security pop-ups like this. I have gone into Windows components and un-installed the Internet Explorer Enhanced Security Configuration but this has made no difference. I have configured the domain policy to add the site in question to the trusted sites zone for all users, but this policy just doesn't seem to implement when users log on. They still get the same error message and the only sites in the trusted zones listing are MS windows update sites.

The software we use must use IE as the browser. The browser software is only a small part of the whole package and so bandwidth/load to the IIS box is not in question. The rest of the software package (written in VB mainly) runs fine on the 2003 servers. The Apps servers use MS load balancing for TS logon's and are all high spec servers on a 100Mbps / 1Gbps LAN.

Is there anyway I can disable/switch off the IE Enhanced Security Configuration without having to deploy IEAK or something?

Cheers in advance.
0
Comment
Question by:pah250
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 3

Expert Comment

by:Chris_Picciotto
ID: 9788023
The solution i'm thinking of would require you to use group policy to either add the sites to the trusted sites list ( In group policy User Configuration\Windows Settings\Internet Explorer Maintenance\Security) You would then either adjust the security settings accordingly or add the appropriate sites to the trusted sites list.

This also depends on how your AD is setup.

Hope this gives you an idea.

0
 

Author Comment

by:pah250
ID: 9788480
Tried this. Everytime I click to edit the Security Zones and Privacy I get a long winded warning message that says "You have chosen to import settings that are compatible with computers that don't have IE Enhanced Security Configuration enabled. These security settings wil be ignored on machines where the enhanced security configuration is enabled" .I have dissabled the Enhanced Security Configuration on all the 2003 boxes and configured this policy for the domain, but it has no effect.
0
 
LVL 3

Expert Comment

by:Chris_Picciotto
ID: 9790752
What service pack are you running on the 2000 domain controllers?
0
How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

 

Author Comment

by:pah250
ID: 9800768
All the 2K servers are SP4

I've managed to sort it though now. There is a registry key in HKCU that stores all the security information and website entries for all 4 security zones in IE. Just needed to export the key to file and add it into the common logon script for all users - job done.
0
 
LVL 2

Accepted Solution

by:
Lunchy earned 0 total points
ID: 10084034
PAQed, with points refunded (250)

Lunchy
Friendly Neighbourhood Community Support Admin
0
 
LVL 2

Expert Comment

by:epsilonx
ID: 12107409
pah250:  Can you post the registry key that was necessary?  The settings in the HKCU\Software\Internet Explorer\Security key don't seem to cut it.
0
 

Author Comment

by:pah250
ID: 12111895
The solution that we use to get around this is to first create a new user with domain admin rights and log on to the windows 2003 terminal server. Then use IE to add in all the internal websites that domain users will need to access in the course of thise normal life (users are restricted a a pre-set list of internal websites only). Then export the following hive and all sub hives:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

Then we add this registry file into the logon scripts for all domain users giving each user trusted access to our predefined list of internal web sites. Problem solved.
0
 
LVL 2

Expert Comment

by:epsilonx
ID: 12112913
Ah, OK.  I thought it was a solution to enabling web access to any websites.  What you've got here you can also do in group policies, but sometimes the good ol' reg file works just as well.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
MSSQL DB-maintenance also needs implementation of multiple activities. However, unprecedented errors can hamper the database management. In that case, deploying Stellar SQL Database Toolkit ensures fast and accurate database and backup repair as wel…
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question