• Status: Solved

Internet Explorer Security not being applied

Experts,

We are running a Citrix 4.5 environment with Server 2003 SP2, recently upgraded from Citrix 4.0. The problem we are having is that the group policy isn't applying to any user or admin properly for Internet Explorer Security. All other policy objects are applying. I browsed the Citrix forums and found a few solutions, but to no avail.

We have 2 policies enforced, 1 is the default domain policy where the settings are defined, and the other is the Citrix Presentation Server policy. This only happens when in Citrix - we can remote desktop to any server and the policy is applied properly. The policy is also applied properly from standalone machines since they aren't in that OU.

I have tried setting the Citrix policy to not be enforced with no luck, but there are no settings defined in that policy for IE security anyway. We have run gpresult and it does show that the policies are applied properly for the user and the computer. I have also checked the local group policy on the machine which is actually disabled on our testing machine. And yes we have run gpupdate /force many times - this has been ongoing for a couple months.

We do have OUs set up and the 4.5 Citrix servers are in their own OU where the Citrix policy is applied. Citrix is used as a desktop, so IE isn't its own separate published application. We run on terminals with XP Embedded, so each user gets a full desktop screen. We also use RES Powerfuse but we haven't determined that to be an issue. We created a published app that runs without Powerfuse, but with Citrix to a server, and the same thing happened - IE shows the default security settings that come with Server 2003.

Does anyone have any suggestions?

Thanks
Asked by: sema-mwong
 
Donald Stewart (Network Administrator) Commented:

sema-mwong (Author) Commented:
I tried the above suggestion this morning - no changes were made. Also, secedit apparently doesn't have the /refreshpolicy parameter anymore. I did gpupdate /force instead.

We are also running IE7.

Thanks for the response.

Donald Stewart (Network Administrator) Commented:
Go to Add/Remove Programs >> Windows Components >> IE enhanced >> Details >> select "for all other user groups"
 
sema-mwong (Author) Commented:
Enhanced security is turned off completely - both of those boxes are unchecked as well. Are you recommending to turn it on?

Donald Stewart (Network Administrator) Commented:
If what you are trying to do is have it enabled for all users, then yes.

sema-mwong (Author) Commented:
What we're trying to enable is the trusted sites and have them be the same for every user.

Donald Stewart (Network Administrator) Commented:

sema-mwong (Author) Commented:
I'm trying that solution now and creating a separate policy to have those settings defined.
Would you recommend that this new policy be checked as enforced? Also, I assume I need to turn off those settings in the default policy...

Donald Stewart (Network Administrator) Commented:
When a Group Policy Object (GPO) is enforced it means the settings in the Group Policy Object on an Organizational Unit (which is shown as a folder within the Active Directory Users and Computers MMC) cannot be overruled by a Group Policy Object (GPO) which is link enabled on an Organizational Unit below the Organizational Unit with the enforced Group Policy Object (GPO). In Active Directory Users and Computers MMC 'below' means it is a subfolder.

sema-mwong (Author) Commented:
So in this case, enforced shouldn't matter since we don't have any sub folders.
I made that policy, enforced it, ran gpupdate /force, and logged out / back in. gpresult shows the new policy being applied, but the settings didn't change.

Donald Stewart (Network Administrator) Commented:
You may need to expand Computer Configuration, expand Administrative Templates, expand System, and then click Group Policy. In the right navigation pane, double-click Internet Explorer Maintenance policy processing. Click Enabled, click Apply, and then click OK.

Donald Stewart (Network Administrator) Commented:
Another thing that may cause your issue is if you don't have the latest Windows Installer installed:

http://www.microsoft.com/downloadS/details.aspx?familyid=5A58B56F-60B6-4412-95B9-54D056D6F9F4&displaylang=en

Deploy this with Group Policy as well.

sema-mwong (Author) Commented:
I have to step into a meeting - I'll check this out and get back to you. Thanks for all your help.

Donald Stewart (Network Administrator) Commented:
Sorry, my above response was meant for another thread; too many windows open.

sema-mwong (Author) Commented:
I was slightly confused, so that explains a lot! No worries there.

sema-mwong (Author) Commented:
I did set that processing setting - ran gpupdate /force and logged out and back in. Still the same problem. The policy I created is in the same OU as the Citrix policy which has all the Citrix servers in it.

Donald Stewart (Network Administrator) Commented:
You may have to right-click on "Internet Explorer Maintenance" in the GPO and select Reset.

sema-mwong (Author) Commented:
Here's something else weird... I'm in group policy management looking at the policy. If I hit the tab for settings, I get an error:
"An error occurred while generating report:
An unknown error occurred while the HTML report was being created."
If I reset the GPO like suggested, the HTML generates fine, but as soon as I change the settings back, I get this error.

Donald Stewart (Network Administrator) Commented:
HMMMM...

Donald Stewart (Network Administrator) Commented:
Try this
 
You get this error if you have Internet Explorer Enhanced Security Configuration enabled. If you edit the GPO User Config > Windows Settings > Internet Explorer Maint - Change your settings to "Do not customize..." instead of Import. Relaunch GPMC and you should be able to generate the report.

Donald Stewart (Network Administrator) Commented:
You could also have a corrupted .NET and may need to reinstall it. You should use the tool below for removal.
Automated cleanup tool to remove the .NET Framework 1.0, 1.1, 2.0, 3.0 and 3.5

http://blogs.msdn.com/astebner/archive/2006/05/30/611355.aspx
 

sema-mwong (Author) Commented:
The IE enhanced security isn't on - triple verified lol. We are going to restart at least this machine that I'm testing with over the weekend and see what happens.
I can try the .NET thing - I'm leaning towards an IE7 problem since the exact same problem is happening on ~10 servers and that changing these settings just kills the GPO right off the bat. I also tried removing all sites in the trusted list to nothing, and same result. It isn't just here either, the slider bars for the other zones aren't being applied either.

Donald Stewart (Network Administrator) Commented:
Ok, I'll keep monitoring.

sema-mwong (Author) Commented:
Thanks for your help thus far, I hope to get this resolved soon.

sema-mwong (Author) Commented:
The server was rebooted over the weekend. So here's where we're at. I removed all the settings from the Default Domain Policy and from the newly created GPO so that nothing was specified. Our Citrix sessions are now starting up much faster as they used to hang on "Applying Internet Explorer Branding Policy", and now they aren't. Checking the IE Security, 2 zones are on the default level, and no trusted sites are listed. So this tells me things are being applied properly.
Just now, I went to the newly created policy and put all zones to default, and added some trusted sites. After doing that, I refreshed the policy in the Group Policy Management tool and I got that HTML error again. Ran gpupdate /force and logged back in, the settings haven't changed at all.

Donald Stewart (Network Administrator) Commented:

You may need to use loopback policy to apply it to the computer so that all users logging onto the terminal/Citrix server get the settings.

http://www.dabcc.com/blogs/jeff/post/Blast-from-the-Past-Understanding-Group-Policy-in-a-Terminal-Services-Environment 

sema-mwong (Author) Commented:
I will try that and get back to you - it may not be until tomorrow. Thank you for the prompt response.

sema-mwong (Author) Commented:
Well, for whatever reason, the policies are about 80% applied today. I checked my settings in several different servers and they are what they should be with a few exceptions - local intranet isn't at default, same with trusted sites. The important thing is that all the sites that are listed under trusted sites are there which is all we really need. I will check with other users to see if it's working for them and hopefully we can close this issue.
What I think did it was removing these settings from the default domain policy and creating a separate policy. The Citrix loading times are slow again - they hang at applying Internet Explorer branding policy, but we have a workaround that we're going to try for that related to a DLL that can be copied from IE6.
I'll let you know what happens with the other users.

Donald Stewart (Network Administrator) Commented:
Try this registry setting for your branding issue
 

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PARSING_BRANDING_CMDLINE_FLAGS_KB941158]
"*"=dword:00000001
 

Donald Stewart (Network Administrator) Commented:

sema-mwong (Author) Commented:
Ok, I just created the loopback policy as per the article you posted. I noticed that the sites were there for me last week, but checking today with other people, the settings aren't being applied to them.
I will wait for replication of the policies and will let you know what happens.
Sorry for the delay in posting results.

sema-mwong (Author) Commented:
The loopback policy doesn't appear to have made a difference. I created 2 new policies and followed those instructions exactly, then added trusted sites to the user policy.

sema-mwong (Author) Commented:
We managed to set up a workaround for this as per this post on the Citrix forums (at the bottom):
http://forums.citrix.com/thread.jspa?threadID=102034&tstart=0

-----------------------
User Configuration => Administrative Templates => Windows Components => Internet Explorer => Internet Control Panel => Security Page

Double click the "Site to Zone Assignment List" Policy. Enable the policy, and click Show. Add the sites in here with a value of 2 for Trusted Sites.
-----------------------

I did those steps and now the trusted sites are working properly, and the Citrix loading time is fast. The only problem with this is that no user or admin can make changes to the trusted sites in IE, it has to be done from that group policy setting. This is a minor setback as this doesn't come up very frequently and we can make the changes manually as needed.
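
A way to confirm that the "Site to Zone Assignment List" workaround above reached a given session, as an added example that is not part of the original thread. The policy stores one string value per site under the ZoneMapKey policy key; the sites in `$Expected` are constructed placeholders and the function names are hypothetical.

```powershell
# Added example: audit the Site to Zone Assignment List as it landed in the registry.
# $Expected holds constructed placeholder sites; replace them with your own list.
$Expected = @{
    'https://intranet.example.com' = 2   # 2 = Trusted Sites, as in the workaround
    'https://portal.example.com'   = 2
}
$ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# User Configuration writes to HKCU, Computer Configuration to HKLM.
$SubKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-ZoneMapPolicy([string]$Hive) {
    # Returns a site -> zone-number hashtable; empty if the policy key is absent.
    $path = "${Hive}:\$SubKey"
    $map = @{}
    if (Test-Path $path) {
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            $map[$name] = [int]$key.GetValue($name)
        }
    }
    return $map
}

function Compare-ZoneMap($Actual, $Wanted) {
    # Report sites that are missing, assigned to the wrong zone, or unexpected.
    foreach ($site in $Wanted.Keys) {
        if (-not $Actual.ContainsKey($site)) {
            "MISSING   $site (expected zone $($Wanted[$site]))"
        } elseif ($Actual[$site] -ne $Wanted[$site]) {
            "MISMATCH  $site is zone $($Actual[$site]), expected $($Wanted[$site])"
        } else {
            "OK        $site -> $($ZoneNames[$Actual[$site]])"
        }
    }
    foreach ($site in $Actual.Keys) {
        if (-not $Wanted.ContainsKey($site)) { "EXTRA     $site -> zone $($Actual[$site])" }
    }
}

foreach ($hive in 'HKCU', 'HKLM') {
    "== $hive =="
    Compare-ZoneMap (Get-ZoneMapPolicy $hive) $Expected
}
```

Run it inside the Citrix session as the affected user, since the HKCU result is per-user; EXTRA lines show policy-assigned sites that nobody listed as expected.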