Solved

Site to Zone Wildcard Syntax (Internet Explorer policy)

Posted on 2014-01-20
8
6,441 Views
Last Modified: 2014-02-05
I am troubleshooting some Internet Explorer ZoneMapping event log errors, and it seems some (or more) of the many entries we have in our group policy are using the incorrect syntax.  The MS article ( http://support.microsoft.com/kb/184456 )  seems to be lacking some information, like  
1) Is it ok to use a trailing slash for the URL?
2) " " wildcard (*) after the trailing slash?
3) Can we use port numbers in the syntax?
4) can you use a URL that has only a hostname with trailing wildcard (e.g.  http://HOSTNAME*  or *://HOSTNAME*   ???)
5) can you specify a pagename? (e.g. http://sub.domain.com/vdir/page.asp   ??)

The Event log doesn't show which ones are malformed so I am scratching my head a little and want to make sure I don't grind business to a halt by not-allowing some of these web apps to run as expected
0
Comment
Question by:mcburn13
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
8 Comments
 
LVL 1

Author Comment

by:mcburn13
ID: 39794490
one more to add that I suspect isn't allowed.
6) Using a wildcard on a subnet for IP like:  http://10.0.2.* or https://10.3.*

Is there a way to get more granular logging to find out which ones are throwing the errors?
0
 
LVL 18

Accepted Solution

by:
irweazelwallis earned 250 total points
ID: 39796186
These are based on some of my own polices as the documentation is scant

don't use port numbers
Don't use multiple wild cards
You should be able to specify pages names
If you are specifying it's then don't use wild cards use ranges I.e 192. 168.1.0-192.168.1.234
0
 
LVL 13

Expert Comment

by:Jaihunt
ID: 39796260
Wild cards are not supported for ActiveXapproval list on IE7, don't use the Wild cards (*.) while adding site to ActiveXapproval list add the full site address
This is only for ActiveXapproval list for trusted site list you can use the Wild cards

http://www.windowstricks.in/2010/11/configuring-trusted-website-and-activex.html
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 1

Author Comment

by:mcburn13
ID: 39800524
we aren't doing an activexapproval list this is just a site to zone setting in our IE group policy.  As the http://support.microsoft.com/kb/184456 documentation doesn't go into any detail it  DOES allow for two wildcards at the beginning but I have read varying things on the trailing wildcards.  Some say if you want to do a wildcard for a whole class b subnet you would do it like x.x.*.* and x.x.* doesn't work. Others say don't use a trailing / on the URL and don't use a wildcard on the end of it (with or without slash).  why would someone just use *.domain.com instead of *://*.domain.com I don't see the benefit but maybe I'm missing something.  Part of the reason I'm posting this is to get a few experts who absolutely know definitively on this (as we are just somewhat "guessing")- then this article can serve to help others in the future...
0
 
LVL 13

Assisted Solution

by:Jaihunt
Jaihunt earned 250 total points
ID: 39802373
You can add *.microsoft.com but not microsoft.com/*.* Also you cannot use wild card to http or https.

Only before a website domain which has multiple sites will accept the wild card. the behavior is changed in vista and later.

the KB article applies only to IE 5.

You can use wildcard characters to add all subdomains for a given domain. For example, you can add *.microsoft.com to the list, which adds both www.microsoft.com and support.microsoft.com.

http://technet.microsoft.com/en-us/library/dd883248%28v=ws.10%29.aspx

http://blogs.msdn.com/b/askie/archive/2012/09/27/guidlines-on-implementing-activex-installer-service-axis.aspx

Its better to add full URL in certain place.
0
 
LVL 1

Author Comment

by:mcburn13
ID: 39812661
def don't mind accepting multiple solutions here but still wanted to give some more experts a chance to chime in on this- again in the hope that this helps others going through the same thing...
0
 
LVL 1

Assisted Solution

by:mcburn13
mcburn13 earned 0 total points
ID: 39825386
Well the zonemapping errors have gone away. From what I can tell the port numbers in the syntax aren't causing it as they are still there.   I believe it was the trailing slashes following by wildcards...
0
 
LVL 1

Author Closing Comment

by:mcburn13
ID: 39835098
part of the reason I found myself through trial and error
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
A hard and fast method for reducing Active Directory Administrators members.
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question