DReade83 asked:

"The recommended security level for this zone is "High"."

Something within my SBS domain is enforcing a policy that's disallowing any user (including Domain Admins) with any profile from editing the IE security settings. Additionally, no one can successfully load the CompanyWeb page without being prompted to enter their domain username and password. This is a similar problem to:

https://www.experts-exchange.com/questions/21813200/Couldn't-establish-a-secure-connection-ID-40961-and-now-domain-authentication-doesn't-work-properly.html

Only problem is, this is a different SBS, domain, network etc...

Any ideas? I suspect it's a recent patch for Windows as it's only recently started behaving in this way, except I've not changed the default policies or introduced any new ones!
Jeffrey Kane - TechSoEasy

If users are being prompted to reenter domain username and password, and considering we haven't resolved your other issue, I'm thinking that you are manually creating users and placing them in Active Directory OUs other than the default MyBusiness/Users/SBSUsers OU.

Are you using the Add-User wizard and a default User template?

Jeff
TechSoEasy
DReade83 (ASKER)

Hi Jeff,

I am using the Add-User wizard and my account is in the MyBusiness/Users/SBSUsers OU.
Actually, I realized that I haven't reviewed an IPCONFIG /ALL from your other problem... so it's most likely the way you are configuring the network settings.

Please post an IPCONFIG /ALL from the server as well as a workstation.

Thanks.

Jeff
TechSoEasy
Server:

   Host Name . . . . . . . . . . . . : rsbs1
   Primary Dns Suffix  . . . . . . . : davidreade.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : davidreade.local

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-13-72-08-92-5E
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.1.1.80
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Default Gateway . . . . . . . . . : 10.1.1.50
   DNS Servers . . . . . . . . . . . : 10.1.1.80
   Primary WINS Server . . . . . . . : 10.1.1.80

Workstation:

        Host Name . . . . . . . . . . . . : pc2
        Primary Dns Suffix  . . . . . . . : davidreade.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : davidreade.local
                                            davidreade.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : davidreade.local
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-40-B9-CB-BF-00
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.1.11
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . : 10.1.1.50
        DHCP Server . . . . . . . . . . . : 10.1.1.80
        DNS Servers . . . . . . . . . . . : 10.1.1.80
        Primary WINS Server . . . . . . . : 10.1.1.80
        Lease Obtained. . . . . . . . . . : 19 April 2006 18:07:30
        Lease Expires . . . . . . . . . . : 27 April 2006 18:07:30
Well, other than using a Class A subnet on a small business network (where a Class C is just fine and preferred), all of that looks okay.

Can you access the \\rsbs1\netlogon and \\rsbs1\sysvol shares from a workstation without getting any errors?

Also please review the system and application event logs on a workstation and report any constant errors with event ID #.  

Jeff
TechSoEasy
I can access both shares on the workstation no problem and there are no errors in EventVwr either.

I've also checked the local security and group policies and found the IE Zones to be "Not configured" for both user and computer config.
Actually I've just found out about this issue on another network that I manage.  It's not coming from SBS's Group policy, it came from this patch:  http://support.microsoft.com/kb/891781

Whether or not you want to change the settings is up to you... an overview of how is here:
http://support.microsoft.com/kb/182569

Jeff
TechSoEasy
I can't see it being the patch. I've just managed to login using the Administrator logon and open the CompanyWeb page no problem, without being prompted for the username and password. I've removed the patch, but the same issue stands. I've also adjusted the registry settings to force the Internet Zone to be medium, which is now the case, but still I'm being prompted to enter my username and password for the one user!
If it's just the one user, then in the Server Management Console, click the "change user permissions" link.  Select the appropriate template that you used for this user (leaving the "replace" option selected), and click next, then select the user that is having the problem, and finish out the wizard.

This should correct your problem.  Please advise if it doesn't.

Jeff
TechSoEasy
Unfortunately, that didn't work. I'm having the same problem. Does it make any difference I'm using Roaming Profiles?
I think I've found the problem...

About 2 weeks ago I logged on to the server accidentally with my roaming profile, then logged off. Since then up to now I've not used IE, because I use Firefox instead. Now I know that SBS and Windows Server have the Internet Explorer Enhanced Security Configuration installed by default which, on the server, sets the minimum Internet zone to High. I've also noticed the CompanyWeb on the server is in the Local Intranet group.

I have tried testing my theory that the roaming profile has somehow saved the same security config when I've logged off that time by removing the CompanyWeb on the server from the Local Intranet group. When refreshing the page, I'm being prompted as the Administrator account to enter my domain username and password. When I add the web address back into the Sites part of the group and refresh, I'm being logged straight in.

This means I can log on to the CompanyWeb on my client by ensuring it's in the Local Intranet group.

However, it doesn't solve the issue with the Internet zone being set to High on the client. If I try to alter this setting on both the client and the server, I get the same error message (as the title of this topic).

The previous topic I made recently about a similar issue was actually happening to my brother, who made the same mistake as me, logging on to his server with his roaming profile and logging out again.

Does this mean to eradicate the problem we would have to remove the IEESC addon from the server, logon with the roaming profile, log off again and reinstall the addon? Or is there a quicker way around this, i.e. changing the registry?

Another thing, would using the File and Settings & Office 2003 Settings Wizards be a quicker way? Additionally, by using the wizard, would this transfer the security configuration?
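
Added example (not part of the thread and not written by either poster): a read-only PowerShell check of the per-user registry values behind the symptoms described above, using the zone keys documented in the KB 182569 article linked earlier. The host name `companyweb` is an assumption; set `$site` to the host in your CompanyWeb URL.

```powershell
# Added example: read-only check of IE zone state in the logged-on user's hive (HKCU).
$site = 'companyweb'   # assumption: intranet host name; change to match your URL
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x12000 = 'High' }

function Get-LevelName($value) {
    if ($null -eq $value) { return '(not set)' }
    $v = [int]$value
    if ($levelNames.ContainsKey($v)) { return $levelNames[$v] }
    return ('Custom (0x{0:X})' -f $v)
}

# IEHarden = 1 under ZoneMap marks the profile as using IE Enhanced Security Configuration.
$zoneMap = Get-ItemProperty -Path "$base\ZoneMap" -ErrorAction SilentlyContinue
$escOn   = ($null -ne $zoneMap) -and ($zoneMap.IEHarden -eq 1)
"IE ESC flag in this profile (IEHarden): $escOn"

# Zone 1 = Local intranet, zone 3 = Internet.
# MinLevel is the lowest level that can be chosen before IE shows its warning.
foreach ($id in 1, 3) {
    $z = Get-ItemProperty -Path "$base\Zones\$id" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Zone        = $id
        Current     = Get-LevelName $z.CurrentLevel
        Minimum     = Get-LevelName $z.MinLevel
        Recommended = Get-LevelName $z.RecommendedLevel
    }
}

# With ESC active, IE reads site-to-zone mappings from EscDomains instead of Domains.
foreach ($branch in 'Domains', 'EscDomains') {
    $key = Get-Item -Path "$base\ZoneMap\$branch\$site" -ErrorAction SilentlyContinue
    if ($null -eq $key) { "$branch\$site : no mapping"; continue }
    foreach ($name in $key.GetValueNames()) {
        "$branch\$site : $name -> zone $($key.GetValue($name))"
    }
}
```

Run it as the affected user on the workstation and again on the server; a workstation profile that reports the IEHarden flag as True would be consistent with the roaming-profile explanation in the post above.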