Internet Explorer 9 Add-ons

We use intranet IIS sites, launched through IE9 by Citrix XenApp 6.5 users. Currently, I have an intranet site that requires a new add-on. I'm looking for an easy way to bake in this add-on (ASW.CAB) to all 49 Windows 2008 Citrix session hows using either AppSense policy (set reg values) or GPO. The add-on is also blocked by default when trying to add as a admin user.
mce-man-itAsked:
Who is Participating?
 
mce-man-itAuthor Commented:
I ended up disabling download signed & un-signed active X. This removed the UAC prompt and the message in IE information bar is easier to handle for Citrix users.
0
 
redbmasterCommented:
Check the group policy settings for those servers under "User Config/Policies/Admin Templates/Windows Components/Internet Explorer/Security Features/Add-on Management"
0
 
James RankinCommented:
If using AppSense, I would import the necessary GPO objects (noted above) at the Internet Explorer process start, so that you don't need to load these GPOs at logon time in case IE isn't  used in that session. If you're using Personalization Server, the settings will then be captured for that process and loaded when the user requires them.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
mce-man-itAuthor Commented:
Agree on process start for IE using AppSense, but i'd rather use a set reg value to set the IE add-on. Seems to be HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext to set the add=on list?
0
 
James RankinCommented:
I'd generally recommend using the GPO method thru AppSense, as they are vendor-supplied and if changes are made to the keys they set it's easier to import a new GPO than find the new Registry key. I'm not sure on the actual key you need to set but there is an Excel spreadsheet online somewhere that provides the Registry keys that correlate with GPO settings. This may be it http://download.microsoft.com/download/8/F/B/8FBD2E85-8852-45EC-8465-92756EBD9365/WindowsServer8BetaandWindows8ConsumerPreviewGroupPolicySettings.xlsx
0
 
redbmasterCommented:
Citrix strongly recommends using Group Policies, so I would stick with GPOs as well.
0
 
mce-man-itAuthor Commented:
Ok thanks kz20fl. We are running EM 8.2.125 and the relevant ADMX policy for Internet Explorer/Security Features/Add-on Management cab be set. It wants a value name (CLSID I think) and value (1 to allow), but I'm wondering how I find our the CLSID for the necessary add-in? (ASW.CAB)
0
 
James RankinCommented:
Good question....maybe you can load the add-in on a different computer where you have full control and monitor the registry value (either manually or using Process Monitor) to see what gets set?
0
 
redbmasterCommented:
Try:

Open Internet Options > General > Browsing history > Settings > View Objects

This opens an explorer window displaying the contents of the following path:
C:\Windows\Downloaded Program Files\

You can find the CLSID of the installed ActiveX controls by right-clicking >
Properties.

If that isn't what you need look at the second post here: http://www.techtalkz.com/internet-explorer/181805-add-ons-clsid.html and the quote above is the 4th post.
0
 
mce-man-itAuthor Commented:
So I think I've found the CLDIS, and I've baked this into production citrix servers using environment manager policy:

Process start for IE - create/set reg value:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ex

Value Name: {BDB57FF2-79B9-4205-9447-F5FE85F37312}
Value: 1

When I log into Citrix and test by opening IE, the reg values above are set correctly. However this still doesn't work, and I get the UAC prompt - do you want to allow the following program to make changes to this comouter?

Program name: Internet Explorer Add-on installer
File origin: hard disk on this computer
CLSID: {BDB57FF2-79B9-4205-9447-F5FE85F37312}

I'm stumped as I thought this would be the fix.
0
 
mce-man-itAuthor Commented:
Ok, so a bit more info. I've found the OCX's needed:

Vsflex6d.ocx - c:\windows\downloaded program files
ASW.ocx - c:\windows\sysWOW64

I've copied these into the base build (Citrix session hosts are PVS disk streamed) and registred the OCX files (regsvr32 asw.ocx regsvr32 Vsflex6d.ocx). Now when browisng to the intarnet site, I'm stil getting the UAC prompt (UAC is disabled).
0
 
mce-man-itAuthor Commented:
Hi Guys

Any ideas? I've attached a screen shot of the UAC message). I know I've got the CLSID's right now, as when you click 'no' to the UAC prompt, the intranet application lets you perform a search correctly, which it wasn't doing before. Just need to get rid of this UAC message (UAC is disabled).
screen-dump.doc
0
 
James RankinCommented:
is UAC disabled via GPO? If it is, does the RSOP show the policy as applying correctly?
0
 
James RankinCommented:
Another note - if these are x64 systems, you need to run the regsvr32 command from the %windir%\syswow64 folder as I remember, is this where it was run from? Don't know whether that will make a difference in this particular instance but it has caught me out previously with some problems.
0
 
mce-man-itAuthor Commented:
Thanks for suggestions kz20fl, but registering the ocx's using regsvr32 from %windir%\syswow64% doesn't work. RSOP shows the correct GPO applied (UAC disabled). I've checked in the registry as well (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) - EnableLUA DWORD = 0.
0
 
James RankinCommented:
Let me see if I can replicate this behaviour in my lab
0
 
mce-man-itAuthor Commented:
Great thank-you. Do you want a copy of the OCX's and info on the CLSID's?
0
 
James RankinCommented:
I was just wondering about the UAC stuff, but sure, put the details in and I will see if I can recreate it precisely
0
 
mce-man-itAuthor Commented:
Hi kz20fl. I'm wondering if you got time to replicate? So in summary, baking in the CLSID's for the OCX active x components works, and the search area on the web app works correctly.

The annoying thing is that every time a user clicks the link to perform an SKN serach, IE warsn that it needs to download the active x components. I've tried disabling:

automatic prompting for active X controls
only allowed approve domains to use active x without prompt - intranet site is approved.

These settings still leaves IE displaying a warning prompt (bottom of screen) "Internet Explorer Blocked this website from installing ActiveX content". You also get a 'Install' button which a user can click. This then tries again to install the ASW.CAB (containing the OCX components baked into the registry through CLSID's) and the user receives the UAC prompt.

is there anyway i can disable this prompt?
0
 
redbmasterCommented:
Go to IE's "Internet Options" -> "Advanced" tab -> "Security" section -> check "Allow active content to run in files on My Computer".

Please note you'll need to restart IE to test the changes.
0
 
mce-man-itAuthor Commented:
Good idea, but this didn't work.

I've installed the ASW.OCX onto my laptop, which I'm a full admin. When I choose to manage my add-ons, I can see the asw.ocx has been added-in correctly:

Name:                   ASW_Control.ASW
Publisher:              (Not verified)
Type:                   ActiveX Control
Version:                1.0.0.37
File date:              
Date last accessed:     ¿20 ¿September ¿2012, ¿¿14:36
Class ID:               {1020A036-C11C-4952-8FBE-CDF1E67496EE}
Use count:              4
Block count:            0
File:                   ASW.ocx
Folder:                 C:\Windows\Downloaded Program Files


So on my Citrix test server, I'm using AppSense policy to set:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ex\CLSID
Value Name: {1020A036-C11C-4952-8FBE-CDF1E67496EE}
Value Type: REG_SZ
Value: 2 (enabled so I can manage through IE add-ons)

When I manage add-ons through IE on my Citrix test server, I cannot manage ASW_Control.ASW. Are the registry settings correct?

I've tried HKCU\Microsoft\Windows\CurrentVersion\Policies\Ex\CLSID as well.
0
 
redbmasterCommented:
I'm not able to assist with setting this up in the registry, but if you'd like to try a GPO please let me know.
0
 
mce-man-itAuthor Commented:
Ok, lets try this through a GPO using AppSense. So at IE start, I'm using the ADMX, and enabled:

Windows Components - Internet Explorer - Security Features - Add-on Management:

ASW.OCX = {1020A036-C11C-4952-8FBE-CDF1E67496EE} Value = 2 (enabled and user can manage)

Vsflex6d.ocx = {C5DE3F82-3376-11D2-BAA4-04F205C10000} Value = 2

Is this ok? Should I still put the OCX's in the gold build?
0
 
redbmasterCommented:
I'd set the values to 1 on both that way the user doesn't accidentally disable the add-on.

Yep, give that a shot and don't forget to do a gpupate on all fronts.
0
 
mce-man-itAuthor Commented:
Ok, done that, left at option 2 so in my test environment I can see the add-on's. GPO has applied. I can see in the RSOP. When I launch the application from IE, and click the link that requires the active x component, it still displays the UAC message. Managing the IE add-ons doesn't show me the active x components,
0
 
mce-man-itAuthor Commented:
Has anyone else got any thoughts on this issue?
0
 
James RankinCommented:
I'm afraid I was unable to replicate this, but I was using a personal vDisk in my test environment so I was wondering if this had any possible effect. I will see if I can do a bit of further testing when I get a moment.
0
 
mce-man-itAuthor Commented:
Anyone else got any ideas on this one? If I set the IE add-ons through GPO (settings CLSID), should I still be able to view the add-on's through IE 9 add-on management?
0
 
mce-man-itAuthor Commented:
We didn't really find any better solutions.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.