GPO settings for Intranet security zone ignored

  • Thread starter Thread starter The Cavalry
  • Start date Start date
T

The Cavalry

Guest
When a user logs into a PC on our domain a GP is applied with the relevant
Intranet security zone sites. When the same user logs into the Terminal
server these settings are ignored even though the relevant GP is applied. I
have therefore setup seperate OU and GP for Terminal Server and set the
security settings on the machine. I have set GP to force local security
settings and not use the user ones but still this does not work. This is very
annoying as users are prompted for their username and password everytime they
access our Intranet.
Any help muach appreciated
 
Re: GPO settings for Intranet security zone ignored

Are you setting zones through IE maintenance or under admin templates? If
IE maintenance, I believe you need to setup a new gpo for that particular OS
version but it sounds like you did that but maybe not since I'm not sure
what you mean by how you said you did it........

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"The Cavalry" <The Cavalry@discussions.microsoft.com> wrote in message
news:03ACB7C6-4E26-48FA-BE52-7CAC8DBCF989@microsoft.com...
> When a user logs into a PC on our domain a GP is applied with the relevant
> Intranet security zone sites. When the same user logs into the Terminal
> server these settings are ignored even though the relevant GP is applied.
> I
> have therefore setup seperate OU and GP for Terminal Server and set the
> security settings on the machine. I have set GP to force local security
> settings and not use the user ones but still this does not work. This is
> very
> annoying as users are prompted for their username and password everytime
> they
> access our Intranet.
> Any help muach appreciated
 
Re: GPO settings for Intranet security zone ignored

Hi,

That is correct. It won't work. I've ran into that before when trying to
add trusted sites through GP.

http://support.microsoft.com/kb/899270

I belive it has something to do with the IE enhanced security breaking it
but that's besides the point.

You can use the VB script from this article to set it or what I did was
configure USER\Administrative Templates\Windows components\Internet
Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List.
Keep in mind tho that my approach is a hard setting that cannot be adjusted
or added to by the user. Hope this helps.

Pete
 
Re: GPO settings for Intranet security zone ignored

It will work you just need a gpo for IEESC and one without. Now that
article points a very specific piece that has been a known issue in that IE
maintenance requires explorer.exe as the shell to run correctly.

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"Peter Dickason, MCSE, CCA, CNE" <nospam@here.com> wrote in message
news:uVZVe$4AJHA.4948@TK2MSFTNGP05.phx.gbl...
> Hi,
>
> That is correct. It won't work. I've ran into that before when trying to
> add trusted sites through GP.
>
> http://support.microsoft.com/kb/899270
>
> I belive it has something to do with the IE enhanced security breaking it
> but that's besides the point.
>
> You can use the VB script from this article to set it or what I did was
> configure USER\Administrative Templates\Windows components\Internet
> Explorer\Internet Control Panel\Security Page\Site to Zone Assignment
> List. Keep in mind tho that my approach is a hard setting that cannot be
> adjusted or added to by the user. Hope this helps.
>
> Pete
>
 
Re: GPO settings for Intranet security zone ignored

Neither of these suggestions have worked. I tried the script and have already
entered the registry settings suggested.

I have set the zone information in the registry of the Terminal Server via
......

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\domain.com

with a DWORD name of * value 1 (Intranet).

I have set the Terminal Server GP to Security Zone: Use Only Machnie Setting

Am I in the right place in the Terminal Server registry for setting
"domain.com" as an Intranet zone ?


"Jeff Pitsch" wrote:

> It will work you just need a gpo for IEESC and one without. Now that
> article points a very specific piece that has been a known issue in that IE
> maintenance requires explorer.exe as the shell to run correctly.
>
> --
> Jeff Pitsch
> Microsoft MVP - Terminal Services
>
> "Peter Dickason, MCSE, CCA, CNE" <nospam@here.com> wrote in message
> news:uVZVe$4AJHA.4948@TK2MSFTNGP05.phx.gbl...
> > Hi,
> >
> > That is correct. It won't work. I've ran into that before when trying to
> > add trusted sites through GP.
> >
> > http://support.microsoft.com/kb/899270
> >
> > I belive it has something to do with the IE enhanced security breaking it
> > but that's besides the point.
> >
> > You can use the VB script from this article to set it or what I did was
> > configure USER\Administrative Templates\Windows components\Internet
> > Explorer\Internet Control Panel\Security Page\Site to Zone Assignment
> > List. Keep in mind tho that my approach is a hard setting that cannot be
> > adjusted or added to by the user. Hope this helps.
> >
> > Pete
> >
>
>
>
 
Re: GPO settings for Intranet security zone ignored

Sorry, thought this was what I saw and thought I could help. In my
experience after importing the IE settings from a workstation didn't work, I
did try importing them from IE on the server with IEESC disabled and it
didn't help. I found I hard to hard code the settings in the reg key noted.

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message
news:%23QPgae5AJHA.2712@TK2MSFTNGP06.phx.gbl...
> It will work you just need a gpo for IEESC and one without. Now that
> article points a very specific piece that has been a known issue in that
> IE maintenance requires explorer.exe as the shell to run correctly.
>
 
Back
Top