on IE how can i find out which GPO is avoiding a correct display for a web site ?


We have a website that dont display a part of it's content when on IE11.
This website was added to the trusted sites for IE11 but the problem persists.

Now when i'm on IE 11 and i change
Menu -> tools -> security -> trusted sites :   from Medium to Medium-Low
and that then i refresh the page, i can have the full display of the page and it's the situation i'd like to have.

i've been asked to find out which config changes in the list that we can display when "Custom level.." button is pressed.

my question:

is it possible to export the list of configuration values under "Custom level.." in order to compare them  with a vim diff  or other adhoc tool ?

I learnt that all GPO changes are changes to the registers, so i guess that we could find out which GPO has the ability to change which register. with that in mind I've started RegFromApp in order to have the changes in the register when operating the change from medieum to medium-low.

How can i know with the registers that changed during the change medium->medium-low where is the configurations in the GPO ?

Thanks in advance for your help.

I'm trying to figure out which GPO is IE configuration is
Erwin PombettAsked:
Who is Participating?
arnoldConnect With a Mentor Commented:
I believe the default position of IE security is medium in a domain environment.
Using a GPO as referenced you can lower it if you want.

IE 8 => IE 9 => IE10 => IE11 MS made adjustments on the security model that while they all might be in the Medium security mode, they will have other settings that are adjusted.

This is often the reason in an AD you have to test before pushing updates.

Depending on your AD/DC OS version, you may need to get the IE 11 settings.
AntyraelICT SpecialistCommented:
1. I don't think you can export those settings other than your registry monitoring kind of way.

2. When you run the command rsop.msc (as an administrator), you can see both the Computer and User policies applied to the currently running system.
You can find the Internet Explorer settings applied under Computer|User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer (and, Security tab settings are under Internet Control Panel -> Security Page).
If, for instance, you select the Security Page in the tree, you can see assigned policies with their respective GPO and whether they are enabled or disabled.

I hope this answers your question. Good luck!
Are you able to browse the site using IE 11 from a different location?
A GPO would not affect how a site is displayed in a browser, the issue might be that you need to browse the site in compatibility mode.

Is there content on the page that is not displaying, what errors if any are you getting?
Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

AntyraelICT SpecialistCommented:
Arnold, a GPO can definitely affect how a site is displayed, by using the Browser Compatibility settings you yourself are referring to.
Erwin PombettAuthor Commented:
thank you for your answer,

i was not enough clear.....

I know what changed in registers  when i moved the cursor from medium to medium-low (IE security level).
now I'd like to find which GPO could have been done such change in register ?
my goal is to keep the medium level but with customs changes that should be a change in the currents GPO.

thank you in advance for further help.
Erwin PombettAuthor Commented:
Antyrael ,

thank you for your answer.
I'm sure that GPO can affect web sites through IE11.

we are checking all web sites that the company work with in order to adapt the GPO when things are not working as expected.

you would need to use GPMC and run the group policy wizard if the naming of GPOs does not indicate what they do.
you would then search through the user configuration, windows settings, internet explorer maintenance

or administrative templates, internet explorer

Once you navigate to these and locate the change you did not want, you can see which GPO is the source of this change (winning GPO) you might have several GPOs modifying this setting, such that should you change the setting in the currently winning to not-set. rerun the report to make sure there is no other GPO that was being superseded by the current one. repeat if there are multiple, until the GPO setting is not being pushed, or the one you wanted is displayed.
Antyrael, agree, but to understand whether one should look under the hood, or under the car, one needs to determine that there is something there.
The person merely said a site is not displaying in IE 11.
And when security changed to a lower it works.  
I attempted to determine whether this is following an update to IE11, whether the issue is isolated to one or through out, etc.
Starting small to see what ........
Erwin PombettAuthor Commented:
hi arnold,

the web site generates a javascript error, an object that 's not present.

for the rest:
the web site is displayed normally on IE 11 with a machine that's is not in the domain.
the web site is dislpayed normally on IE  8 with a machine that is in the domain.

thank you for further help
Domain based environment the security settings are a bit more restrictive as compared to the same browser version in a home type of environment.
AntyraelICT SpecialistCommented:
Arnold, you are absolutely right, I didn't interpret the initial questions correctly it seems.
That's the problem sometimes when English isn't your native language ;)
Erwin PombettAuthor Commented:
sorry guys,
i'm not native ....
but i'm taking as much time as necessary to explain what i'm looking for ;)

i don't know what to do now ....  :/ i'm getting lost

as a complement of information :  the domain has GPO for IE8 and GPO for IE11.
i'll take time to think about all your informations and be back .

so far, thanks a lot

I do not believe you can have two GPOs since inetres.admx  can only exist once .

You would have a single IE settings, the settings set via GPO that IE8 does not have ie8 will ignore, the settings that IE9 does not have IE 9 will ignore.

While you may have an IE 11 GPO, if you do not have the iE 11 Settings template provided in the link to MS, some specific IE11 settings are not present in the options.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.