Internet Explorer Enhanced Security Configuration


2x Windows 2000 domain controllers
3x Windows 2000 Advanced Server's running Terminal Services
2x Windows 2003 Server Enterprise Edition servers running Terminal Services
1x Windows 2000 Server running IIS for web hosting

One of the applications used through terminal services is a web based application that uses some Java script. This program runs fine when logging onto a 2k Apps server, but when you logon to the new 2003 servers the application gives the following error message when launching IE:

"Content within this application coming from the website listed below is being blocked by Internet Explorer Enhanced Security Configuration. If you trust this web-site you can lower your security configurations . . . .etc."

Users are then prompted to add this site to thier trusted sites zone to be able to procede. Once added the problem goes away for this user.

The problem is, there are thousands of users and we need this software to work seemlessly without any security pop-ups like this. I have gone into Windows components and un-installed the Internet Explorer Enhanced Security Configuration but this has made no difference. I have configured the domain policy to add the site in question to the trusted sites zone for all users, but this policy just doesn't seem to implement when users log on. They still get the same error message and the only sites in the trusted zones listing are MS windows update sites.

The software we use must use IE as the browser. The browser software is only a small part of the whole package and so bandwidth/load to the IIS box is not in question. The rest of the software package (written in VB mainly) runs fine on the 2003 servers. The Apps servers use MS load balancing for TS logon's and are all high spec servers on a 100Mbps / 1Gbps LAN.

Is there anyway I can disable/switch off the IE Enhanced Security Configuration without having to deploy IEAK or something?

Cheers in advance.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

The solution i'm thinking of would require you to use group policy to either add the sites to the trusted sites list ( In group policy User Configuration\Windows Settings\Internet Explorer Maintenance\Security) You would then either adjust the security settings accordingly or add the appropriate sites to the trusted sites list.

This also depends on how your AD is setup.

Hope this gives you an idea.

pah250Author Commented:
Tried this. Everytime I click to edit the Security Zones and Privacy I get a long winded warning message that says "You have chosen to import settings that are compatible with computers that don't have IE Enhanced Security Configuration enabled. These security settings wil be ignored on machines where the enhanced security configuration is enabled" .I have dissabled the Enhanced Security Configuration on all the 2003 boxes and configured this policy for the domain, but it has no effect.
What service pack are you running on the 2000 domain controllers?
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

pah250Author Commented:
All the 2K servers are SP4

I've managed to sort it though now. There is a registry key in HKCU that stores all the security information and website entries for all 4 security zones in IE. Just needed to export the key to file and add it into the common logon script for all users - job done.
PAQed, with points refunded (250)

Friendly Neighbourhood Community Support Admin

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
pah250:  Can you post the registry key that was necessary?  The settings in the HKCU\Software\Internet Explorer\Security key don't seem to cut it.
pah250Author Commented:
The solution that we use to get around this is to first create a new user with domain admin rights and log on to the windows 2003 terminal server. Then use IE to add in all the internal websites that domain users will need to access in the course of thise normal life (users are restricted a a pre-set list of internal websites only). Then export the following hive and all sub hives:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

Then we add this registry file into the logon scripts for all domain users giving each user trusted access to our predefined list of internal web sites. Problem solved.
Ah, OK.  I thought it was a solution to enabling web access to any websites.  What you've got here you can also do in group policies, but sometimes the good ol' reg file works just as well.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.