Intranet zone assignment not working

Have 5 x Win2008 R2 session hosts accessing DFS shares.

On 3 of them, don't have any problems.

But on 2 of them non-admins get security warnings when accessing files on the DFS shares.

Have a loopback GP applied to all hosts that adds the DFS shares to the Intranet Zone.  No other related policies being applied.

Have tried various formats for specifying the DFS shares in the site to zone assignment list, but none seem to work on these 2 hosts.

Policies are definitely being applied.

IE ESC is disabled for all users.

What else to check?
devon-ladAsked:

David Johnson, CD, MVPOwnerCommented:
What is the warning? How does Internet Explorer figure in this problem?
0
compdigit44Commented:
Are the users launching some type of web URL shortcut from a DFS share? Otherwise UNC paths are affected by IE settings.

For the users who have the problem, have you reviewed the results of the RSoP targeting the server?
0
devon-ladAuthor Commented:
David - Windows Security popup - Your internet security settings suggest etc. etc.  Internet Explorer is involved because it's a DFS share so looks like a website address.  Common problem I've seen many times, always fixed by adding DFS share to the Intranet Zone of IE.

compdigit44 - Just opening, moving, copying files.  Yes, have reviewed RSOP - correct policies being applied, and correct settings within the policies.
0
devon-ladAuthor Commented:
Apparently there's a bug (annoyance) in how group policy handles IE ESC and Site to Zone assignment.

If ESC is enabled, group policy applies the zone assignment settings to one registry setting, if it's not enabled they are applied to another.

When this GPO was first applied, ESC for non-admins was turned on - but now it's off.

So turned ESC on for non-admins - problem went away.

Turned ESC off again and rebooted - still working, no more security warnings.
0
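The behaviour described in the post above (zone assignments landing in one registry location when ESC is on and another when it is off) can be checked per user. This is an added example, not part of the original thread; the registry paths are the standard Internet Explorer zone-map locations, which the thread itself does not name, so the store list is an assumption.

```powershell
# Added diagnostic, not from the thread. Run inside the affected user's session
# and inside a working user's session on the same host, then compare the output.
$is  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Assumed store list: the standard IE zone-map keys (the thread does not name them).
$stores = @(
    "HKCU:\$pol\ZoneMapKey",          # Site to Zone Assignment List, user side
    "HKLM:\$pol\ZoneMapKey",          # Site to Zone Assignment List, computer side
    "HKCU:\$pol\ZoneMap\Domains",     # policy-managed map, ESC off
    "HKCU:\$pol\ZoneMap\EscDomains",  # policy-managed map, ESC on
    "HKCU:\$is\ZoneMap\Domains",      # preference map (IE Maintenance, manual), ESC off
    "HKCU:\$is\ZoneMap\EscDomains"    # preference map, ESC on
)

function Get-ZoneMapEntry([string]$Path) {
    # Emit one object per registry value found at or below $Path.
    if (-not (Test-Path $Path)) { return }
    $keys = @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            New-Object PSObject -Property @{
                Key = $k.Name; ValueName = $name; Zone = $k.GetValue($name)
            }
        }
    }
}

# IEHarden = 1 means IE treats ESC as on for this user, so it reads the Esc* maps.
$harden = (Get-ItemProperty "HKCU:\$is\ZoneMap" -ErrorAction SilentlyContinue).IEHarden
"IEHarden for $env:USERNAME : $harden"

foreach ($s in $stores) {
    $entries = @(Get-ZoneMapEntry $s)
    if ($entries.Count -eq 0) { "{0} : empty or missing" -f $s; continue }
    # Zone 1 is Local intranet; entries stored only in the map IE is not reading have no effect.
    $entries | Select-Object Key, ValueName, Zone | Format-Table -AutoSize
}
```

A user whose DFS entries appear only under an `Esc*` key while `IEHarden` is 0 (or the reverse) matches the symptom described in the thread.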
devon-ladAuthor Commented:
Further note - this only worked for the test account I had used to login when ESC was on and then afterwards when it was off.

To resolve completely I had to ensure ESC was off, delete the zone assignment GPO, recreate it and apply it.
0
compdigit44Commented:
I found a Microsoft KB discussing this as an issue with Windows 2003 but as you have reported looks like it still may be a problem under certain circumstances.

https://support.microsoft.com/en-us/kb/918915
0
devon-ladAuthor Commented:
To follow up on this - still have a number of users having the problem.  It is related to a number of GPOs that use deprecated Internet Explorer Maintenance policies instead of the administrative template.

I've tried disabling/removing these policies and even tried more invasive procedures as follows:

https://support.microsoft.com/en-gb/kb/2722241?wa=wsignin1.0

Users that are not receiving the correct settings have blank Intranet Zone settings.

My thought now is to reset Internet Explorer to factory settings.  I thought this was a per-user setting, but when I try to do this it warns that a restart is necessary.  Does that mean it will affect all users?  This is actually ultimately what I need, but I wanted to test with one user first.
0
devon-ladAuthor Commented:
Deleting profiles was the only way I found to resolve this completely.
0
devon-ladAuthor Commented:
Found solution myself.
0