[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Trusted sites GPO

Posted on 2010-09-08
15
Medium Priority
?
4,009 Views
Last Modified: 2013-12-08
I have defined a trusted sites Group Policy as follows under Windows Server 2003:

User Configuration>Administrative Templates>Internet Control Panel>Security Page>"Site to Zone Assignment List

However I now get the attached message when opneing the settings windows from the Group Policy Management window.  What does this mean?  Is it a problem?
Error-1.doc
0
Comment
Question by:DHPBilcare
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 7
15 Comments
 
LVL 11

Expert Comment

by:TheGorby
ID: 33631507
It's because you have the Internet Explorer Enhanced Security COnfiguration installed. When this is installed, IE will not allow you to go to any website including intranet areas unless it is in the Trusted Sites zone. Usually IEESC would only be enabled on a server, and only for accounts with local admin access. If this is affecting any user who logs into that server (i.e. if it's a terminal server) you may want to uninstall it for users only.
0
 

Author Comment

by:DHPBilcare
ID: 33631587
I only get this message since I added the local sites to group policy on the server as defined above.  If I add the same sites directly into a trusted zone in IE on the server will I lose the message?
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 33631737
Well assuming you do want the IEESC installed for this user who got the error message, all you have to do is click the Add button on that error message and you won't get that error for that particular site anymore (about:security_mmc.exe). Clicking Add will add that site to the trusted sites for that user on that computer, but over time you may come across other instances where a similar message will appear but with a different site listed. All you'll have to do is always click that Add button and that will be the last time you see the message for that site.
If you want to prevent other users from getting this exact same message, add the site 'about:security_mmc.exe' to your trusted sites zone assignment GPO and you'll be good to go.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:DHPBilcare
ID: 33631843
Thanks for that.

Why is this error appearing after I have enabled this group policy?  
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 33631963
Most likely, IEESC has been installed since the server OS was installed, by default it always is. My guess is that soon after that happened, someone added that site to the trusted sites list; it may even be on the list by default. When you applied the zone assignment GPO it may have replaced the existing trusted sites list entirely, with that of your GPO zone list.
On a side note, if you're intending for your zone assignment GPO to apply to users who don't log onto an IEESC-enabled server, you'll need to recreate your GPO. If that's the case, this article will help a bunch:
http://technet.microsoft.com/en-us/library/cc780445(WS.10).aspx
0
 

Author Comment

by:DHPBilcare
ID: 33632019
Thanks for that.

As long as the zone assignment covers all client computers that belong to the server in question I should be covered.  

I did notice earlier that if I disable the new policy that message goes away.  
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 33632260
No problem, I pulled my hair out for a week dealing with IEESC and GPO zone assignments, it was 'fun'.
0
 

Author Comment

by:DHPBilcare
ID: 33634480
Yeah, I know what you mean.

I've added about:security_mmc.exe to the list on the server but still get the message?  any ideas.
0
 

Author Comment

by:DHPBilcare
ID: 33634641
Also I have had an issue whereby certain mhcines have picked up the new group policy I get the following problems.

1) Internet Explorer - Internet Options gets greyed out.
2) I cannot browse to websites via the address bar.

??  any ideas.
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 33636661
Is the 'Site to Zone Assignment List' the only setting you've configured in this GPO? I know when that setting is used it grays out the list of websites in the zones, and also prevents users from adding new sites to the zones. That is most likely why you're still getting the message, even though you're clicking the add button the GPO is preventing changes to the trusted sites list and therefore blocking the addition of about:security_mmc.exe. Adding it to your GPO should do the trick.
If you want GPO-affected users to be able to add (but not delete) sites to any zone list, I use the following registry setting instead: User Config\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings.
As far as all Internet Options being grayed out and not being able to browse via the address bar, those are new issues to me! I'll dig around and try some testing to see if I get the same results, it's been a while since I used the Site to Zone Assignment setting.
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 33639240
What version of Windows and IE are the client machines?
0
 

Author Comment

by:DHPBilcare
ID: 33640499
Thanks for the help.

1) The site to Zone assighment is the only setting in this policy.
2) I added the about:security_mmc.exe to the GPO but I still get the message.
3) The user with the greyed out Internet Options is on XP SP3 and IE 8.

I am now only sending the GPO out to selected users and growing from there as required.  All my users will need this over the next two weeks.  But this way I get to test as I go and see what happens.

0
 
LVL 11

Accepted Solution

by:
TheGorby earned 2000 total points
ID: 33648152
I must say I'm at a loss on this one. I have a freshly imaged XP SP3 machine with updated MS updates, and a test user domain account wiith only the zone assignment GPO applying to the account. As you can see in the screen shot, although the site to zone addition options are grayed out I can still access all other internet options. The test account only has local user access to the machine, not admin or power user. I am also still able to go to websites by typing them into the address bar.
I suppose at this point my suggestion would be to replicate my test environment, create a test account and deny all group policy application except the zone assignments and see if you still have the same issues.

ss1.bmp
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 33648190
Another note, I think we're using the same policy in GPO but I'm not sure because the policy I'm using for this test isn't the same as what you typed in the original question, the folder structure in my GPO Editor doesn't match up with yours. Here's what I'm using:
User Config\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\
And the policy is: Site to Zone Assignment List
0
 

Author Closing Comment

by:DHPBilcare
ID: 33727386
I have rest, started again replacted the solution and it worked this time???
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#Citrix #Internet Explorer #Enterprise Mode #IE 11 #IE 8
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question