Python not connected message for restricted users


We are using  Windows 7  workstations and when the students go to the
Click Python - start Python

The loading wheel dosen stop , it keeps going and going. and it says not connected
As snapshot attached.
At the same time when i log in as administrator it works sucessfully .

the student internet access is through proxy servers and we use Microsoft ISA server 2006. I am not sure if i have to create \enable a GPO Or i have to make changed in ISA server.

Or if there is way of finding if any port is blocking  for  Python not to work
Any help much appreciated

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
May want to check out this in local machine but still good to know the error in the denial log from ISA to further troubleshoot any rule blocking this
CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.

..or see "Troubleshooting HTTP 502: The Uniform Resource Locator (URL) does not use a recognized protocol"

..or due to authenticated traffic req btw proxy related error (407 Proxy Authentication required) or (502 Proxy Error ( The ISA Server denied the specified Uniform Resource Locator (URL).

other related info -  "Common issues in client authentication"
Dave BaldwinFixer of ProblemsCommented:
There is javascript on that page that connects to Facebook and Google and maybe some other sites.  Are any of those sites blocked for your users?
btanExec ConsultantCommented:
also couple of point to note:
- DNS resolution is extremely vital for ISA Server. Also, if you would like to allow or deny certain destinations and they give a different result when doing a forward and reverse DNS lookup, you will have to be very carefully with the network object types (FQDN or IP address) you use in the element To of the access rules.

- if ISA Server is unable to authenticate the user for whatever reason, that means that no credentials at all are presented to the ISA Server, then any request from that user will be denied by the first rule requiring user authentication, regardless if it is an allow or a deny rule. In fact, this situation is the first case that an allow rule actually will deny a request.

- check out the the ISA log and you should find a number of requests allowed by rule #1 (for example) but also a lot of requests denied by rule #1. If you look further into the log, you should find the information Blocked by the HTTP Security filter: URL contains an extension which is disallowed under the column Filter Information for the denied requests. So, those requests are actively blocked by the allow rule #1.

- Put Web and Server Publishing rules on the top of the list. According to the ISA help file, access rules that deny traffic are processed before publishing rules. Therefore, if a request matches an access rule, the request will be denied, even if a publishing rule would have allowed the request.

sidenote is codecademy has some checks too below
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

You stated that is works we you log in as administrator. Is this the local admin or domain?  It should like a potential GP setting for IE.

While the user is logged in go a gpresult /v >c:\gpresult.txt Feel free to post the results if it does not contain sensitive information

Does the site require to be a member of the IE trusted sites?
lianne143Author Commented:
I had logged in as a domain admin. I will try adding the site in the trusted sites.
btanExec ConsultantCommented:
also as the administrator to see if there were maybe group policy that redirect you to ISA Server and blocks you from surfing the Internet or any policy on the router. e.g. gpo may have stated  block Web sites for some users and not all.

Also good to know that there is the computer and the user gpo, so for the Site to Zone Assignment List policy setting is available for both Computer Configuration and User Configuration:

Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

Note: When we configure Site to Zone assignment list GPO then users will not be able to add their own sites to any zone. Options to add sites on client machine will be greyed out.

Internet Explorer will read from the following registry for the sites deployed through Site to Zone assignment list:
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
lianne143Author Commented:
Sorry guys , for the late reply.

I did some test We have three different proxy servers on our network.
1) admin proxy
2) staff proxy
3) student proxy

I logged is as administrator and Python works absolutely fine under admin proxy.

On the same PC I removed the admin proxy settings and changed the proxy settings to staff proxy- and Python works.

On the same again I removed the staff proxy settings and changed the proxy settings to student proxy- and Python doesn't work.

So not sure if the ISA server is blocking codeac ademy, please suggest how to go from here.
btanExec ConsultantCommented:
Thanks it is worth reviewing the 3 x ISA policy and this already isolate nothing to do on the machine GPO per se or security setting. It is more on the ISA access policy esp if they are different server or VM instance. may want to focus specifically on outbound access rule or even the access rule order (step 3 onwards for the below "Troubleshooting Web Access for Internal Clients ")
lianne143Author Commented:
Sorry Guys

I hope I am not confusing, trying to give as much information.
I have not made any changes and since my last post. I tested again now I did it is behaving differently.

I logged in as a staff and the (staff proxy) settings are picked from the GPO. Logged in as staff when I load python it doesn't load and with the same user I changed the proxy to (admin proxy) and still python don’t work.

I have another proxy server which by passes the proxy (ByPass), when I put this server setting the python works on a staff login.
But when I login as a domain administrator and the proxy settings for the domain administrator is (admin proxy) and python loads successfully.
Please suggest as what I need to do at this stage.
Thanks for your help
Let's try the following.
1) From the student ISA server open the section to monitor active connections.
2) From a client workstation using the student ISA server as a proxy try to access the training site.
3) See if the monitor on the ISA shows any blocked connections.

Additional Questions:
-  IS there a firewall in-between the workstations and ISA servers?
lianne143Author Commented:
Just saw the post  and  away from work . I will try this tomorrow and post you the results.

There is no firewall between the workstations and ISA servers.

Thanks you so much
btanExec ConsultantCommented:
Probably let summarise the failed and working cases for clarity and see if we can isolate entirely to find root cause. (and let's be consistent in testing the same browser and same machine and clean cache btw each test attempt)

See below and confirm the status - Are all the error code the same for those failed scenarios.

*a) Staff > admin proxy  - Failed
b) Staff > staff proxy - Working
*c) Staff > student proxy - Failed?

d) Admin > admin proxy - Working
*e) Admin > staff proxy - Failed
*f) Admin > student proxy - Failed

*g) Student > admin proxy - Failed?
*h) Student > staff proxy - Failed?
i) Student > student proxy - Working?

j) Anything > Bypass proxy - Working
lianne143Author Commented:
Please see below the behaviour of Python. I have cleared cache all the times I try.

*a) Staff > admin proxy  - The wheel keeps spinning  and spinning (without the Not connected Error code )
*b) Staff > staff proxy – Failed- The wheel keeps spinning  and spinning (without the Not connected Error code )
*c) Staff > student proxy - Failed? – With “Not connected Error code”

d) Admin > admin proxy - Working
*e) Admin > staff proxy – Failed - The wheel keeps spinning and spinning (without the Not connected Error code)
*f) Admin > student proxy – Failed - With “Not connected Error code”

*i) Student > student proxy – failed

j) Anything > Bypass proxy – Working

When I login as student, due to the Group policy restrictions, I am not able to see the files menu in the IE11 and unable to change the proxy settings.

The proxy server for both admin and Staff is same and their IP as follows, but only the proxy settings change on the IE  for  Staff > staff proxy  
                       Admin>admin proxy.
The IP of Staff proxy is:
The IP of admin proxy is:

For the students it is a different proxy server and the IP is

Bypass proxy server is  a different server as well  and the IP is

are you using a WPAD or proxy.pac file by any chance..
lianne143Author Commented:
I am not sure if we are using WPAD or proxy.pac , is there a way to find.

btanExec ConsultantCommented:
It seems like only privileged account to proxy is working (e.g. Admin > admin proxy - Working) and other all failed. Can also check the troubleshooting steps stated in below to cover the ground of checks

Another as mentioned, is the automatic proxy detection. The various proxy combination which include explicit is well tabulated to differentiate btw PAC and WPAD -

- WPAD - browser guess the location of the PAC file through DHCP and DNS lookups. The WPAD standard uses wpad.dat.

- PAC - Specify the URL for a PAC file with a JavaScript function that determines the appropriate proxy for each URL. This method is more suitable for laptop users who need several different proxy configurations, or complex corporate setups with many different proxies.  PAC file is published to a HTTP server, and client user agents are instructed to use it, either by entering the URL in the proxy connection settings of the browser or through the use of the WPAD protocol.

But it may seems that you are in the explicit proxy.....unless maybe Admin can try set automatic, if DHCP and DNS is set properly,  the WPAD file (the proxy configuration file) will be downloaded  in the TIF (Temporary Internet Files) folder. You can easily copy/paste the file into a temp directory renaming it to have a .TXT extension.  From there you can load the file in notepad.exe to see that the file content and logic within.
(Do not open any files directly from the Temporary Internet Files folder)

Also good to check if there are exception list in browser proxy option that state to bypass certain URL or wildcard-ed URLs, likewise proxy handling all the various protocol etc...

The troubleshooting "Troubleshooting Automatic Detection " may be useful if using the WPAD etc..
a) A WPAD entry is configured in DHCP, but only users logged on as local administrators can successfully detect settings.
b) Web Proxy clients cannot detect automatic proxy settings.
c) Clients are experiencing delays of up to 10 seconds when making a request for a Web page, and using DHCP for automatic discovery. This is especially noticeable for Web requests from clients that are not configured as Firewall clients.
d) Clients cannot retrieve settings using WPAD.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lianne143Author Commented:
Sorry guys, I will look at this and post on the forum
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Browsers

From novice to tech pro — start learning today.