5

We have a Windows server 2012 R2 remote desktop farm, which we have applied a GPO to, to control site to zone assignments.

This was working fine up until recently, but just lately, we have found that this setting is not applying.

If I toggle ESC on, and then back off on the server I am on, the sites now show up in the IE zone list for the currently logged-in user. It does not, however, seem to apply to all users. That list of sites will then follow them to other servers and that user will be OK moving forward.

We use user profile disks, so the user's registry hive is not available on that server unless they are logged in, which might explain why it only occurs for the logged-in test user.

EDIT: I can see the registry entries being created under HKCU ZoneMapKey and HKLM ZoneMap.

According to this article, IE should read settings from both of those locations, but they simply do not appear in the site list in IE control panel.

Is it possible that there has been an update for 2012 that has altered some ESC registry setting that causes us this issue?

James Edmonds
  • Check the zone assignment in the registry; IE ignores the ESC zone assignment if you have a normal zone assignment. – yagmoth555 Jul 07 '16 at 11:59
  • I have applied the settings under the computer settings in the policy. If I look in HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey, I can see all of the entries; they just don't show up in IE itself. – James Edmonds Jul 07 '16 at 13:35
  • But ESC is not enabled! – James Edmonds Jul 07 '16 at 13:49
  • I would try setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915\ to **1** anyhow; it's for fixing a bug when ZoneMap is done and ESC is on/off. – yagmoth555 Jul 07 '16 at 13:52
  • It's tagged for Win2003, but the registry fix works in 2012: https://support.microsoft.com/en-gb/kb/918915. They tell you to set it in HKLM to fix it for all users, or it works too like you said in HKCU. – yagmoth555 Jul 07 '16 at 14:11
  • That doesn't seem to do anything unfortunately. – James Edmonds Jul 07 '16 at 14:45
  • Well not entirely true, after setting the key under HKLM, there are two sites showing in trusted sites: *.update.microsoft.com for both http and https. It does not show any of the ones from our GPO though – James Edmonds Jul 07 '16 at 14:54
  • It gets stranger. Where did you get *.update.microsoft.com set in the registry? (One set in HKLM will take precedence over one in HKCU.) – yagmoth555 Jul 07 '16 at 14:58
  • Those seem to be default sites stored in the EscDomains key, under ZoneMap in HKCU – James Edmonds Jul 07 '16 at 15:23
  • Is ESC really off? – yagmoth555 Jul 07 '16 at 15:24
  • It is yes, for both users and admins – James Edmonds Jul 07 '16 at 15:34
  • So I had a user account I was testing with, and could not get the sites to show in the list no matter what I did. I gave the user domain admin privileges temporarily, enabled ESC for both users and admins, then disabled it, and lo and behold the sites show in the trusted sites list now. Removing admin rights and logging back in, they still show in the list. – James Edmonds Jul 07 '16 at 15:48
  • I saw the detail about profile disks; can you test with a user account not configured that way? I wonder, if your user logs on to a server with ESC on and then this server with ESC off, whether some mismatch can happen. I would tend to populate both the ESC and ZoneMap registry with the GPO in case such a case can happen (so both entries will have the same sites). – yagmoth555 Jul 07 '16 at 15:52
  • We disable ESC before users ever even log onto these servers, so I don't think that would be it. It is disabled on every server in the farm. We can't really test it without UPDs, as that is controlled by the deployment and we cannot disable them for specific users. – James Edmonds Jul 07 '16 at 15:58
  • Excellent post. It helped me solve an issue where 2012-R2 servers weren't launching BgInfo via a DC share. I set up a Group Policy to trust the share, but not all the servers implemented the policy. Your ESC observations provided the clues. This would make a good Tech article. Here's the related [Open File Security Warning](http://woshub.com/how-to-disable-open-file-security-warnings-in-windows-7/) article that helped to set up the group policy for my BgInfo requirements. – bvj Feb 15 '18 at 09:10
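The comments above go back and forth over which registry locations hold the GPO site-to-zone entries, whether ESC is actually off, and whether the KB918915 feature control is set. The following PowerShell script, added here as an example and not part of the question or any comment, reads those three things in one go on a session host: it decodes the ZoneMapKey policy entries from both HKLM and HKCU, reports the ESC state via the Active Setup components (the administrators GUID is the one quoted later on this page by Tim; the users GUID ending in ...74 is its well-known sibling), and checks the KB918915 feature control. The value name `iexplore.exe` under that feature control is what the KB article specifies; it is not stated on this page.

```powershell
# Added example, not code from the question or its comments.
# Lists GPO site-to-zone assignments, reports ESC state and the KB918915 feature control.
# Run in an elevated PowerShell session on the RDS session host.

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

# Policy keys named in the question and comments (machine and user side).
$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

# Active Setup components that implement IE ESC. Admin GUID is quoted on this
# page; the Users GUID (...74) is the well-known companion component.
$escComponents = @{
    Administrators = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704074}'
}

function Get-PolicyZoneAssignments {
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { Write-Warning "No policy key: $path"; continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata, not a site
            $zone = [int]$p.Value                        # REG_SZ holding "1".."4"
            [pscustomobject]@{
                Hive     = $path.Split(':')[0]
                Site     = $p.Name
                Zone     = $zone
                ZoneName = $zoneNames[$zone]
            }
        }
    }
}

function Get-EscState {
    foreach ($group in $escComponents.Keys) {
        $key = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$($escComponents[$group])"
        $state = (Get-ItemProperty -Path $key -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        [pscustomobject]@{ Group = $group; EscEnabled = ($state -eq 1) }
    }
}

function Get-Kb918915FeatureControl {
    # Value name 'iexplore.exe' comes from the KB article, not from this page.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915'
    $v = (Get-ItemProperty -Path $key -Name 'iexplore.exe' -ErrorAction SilentlyContinue).'iexplore.exe'
    [pscustomobject]@{ Configured = ($null -ne $v); Value = $v }
}

Get-PolicyZoneAssignments | Sort-Object Hive, Zone, Site | Format-Table -AutoSize
Get-EscState | Format-Table -AutoSize
Get-Kb918915FeatureControl
```

If the first table shows the expected sites under HKLM but IE's site list is still empty, the policy has applied and the problem is in how IE consumes it, which is where the accepted answer's IEHarden value comes in; if ESC reports enabled for either group while the Server Manager UI says it is off, the Active Setup state and the UI have drifted and toggling ESC in Server Manager rewrites it.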

3 Answers

6

I created a new user account, and when logged on for the first time, it too experienced the same issue with sites not showing in IE, even though the GPO was applied.

I found that in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap there is a value called IEHarden (I remembered the name from my 2003 days with a similar ESC kind of issue). It looks like even though the server has ESC turned off, this value is set to 1. When either deleting it or setting it to 0, the sites immediately appear in the Internet control panel, and it works as expected.

So while I know what is causing the problem, and have enough to fudge a workaround by deleting that value for each user on login, I still don't understand why that value is set to 1, or even exists in the first place (some users who could see the sites already don't even have that value!). Again I can only come back to an update that has messed with IE ESC in some way.

EDIT:

Now have the full answer:

Two of our 8 session hosts created profiles with the IEHarden value, while the others did not (these two were set up by our consultants, although after asking them they are clueless).

It seems that under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap the IEHarden value existed, so it was being given to all new profiles created on that server.

Deleted the value from both, and all is now back to normal!

Appleoddity
James Edmonds
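The accepted answer traces the symptom to an IEHarden value that the Terminal Server\Install template hive copies into every new profile on an affected host, and the two short answers below add the Active Setup IsInstalled flag and confirm the template path. The following PowerShell script is an added example, not the answer author's own workaround script: it checks IEHarden in the template hive, in the current user's hive, and in every user hive currently loaded under HKEY_USERS, and removes it when run with `-Fix`. The native 64-bit template path (without Wow6432Node) is an assumption added so that a missing Wow6432Node key, as one commenter reports, does not end the search; only the Wow6432Node path is named on this page.

```powershell
# Added example, not the answer author's script.
# Audits (and with -Fix removes) the IEHarden value in the RDS profile template
# hive and in loaded user hives. Run elevated on the session host.
param([switch]$Fix)

$zoneMapRel = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

# Template hive from the accepted answer (Wow6432Node) plus the native 64-bit
# view, which is an assumption not taken from the page.
$targets = @(
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\$zoneMapRel",
    "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\$zoneMapRel",
    "HKCU:\$zoneMapRel"
)

# Every user hive currently loaded. With user profile disks a hive is only
# present while that user has a session, so this covers logged-in users only.
$targets += Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$zoneMapRel" }

function Get-IEHardenState {
    foreach ($path in $targets) {
        if (-not (Test-Path $path)) { continue }
        $value = (Get-ItemProperty -Path $path -Name IEHarden -ErrorAction SilentlyContinue).IEHarden
        [pscustomobject]@{
            Path     = $path
            IEHarden = $value                    # $null when the value is absent
            Problem  = ($value -eq 1)            # 1 hides the policy site list in IE
        }
    }
}

function Remove-IEHarden {
    param([Parameter(ValueFromPipeline)] $state)
    process {
        if ($null -ne $state.IEHarden) {
            Remove-ItemProperty -Path $state.Path -Name IEHarden
            Write-Host "Removed IEHarden from $($state.Path)"
        }
    }
}

$states = Get-IEHardenState
$states | Format-Table -AutoSize
if ($Fix) { $states | Remove-IEHarden }
```

Removing the value from the template hive stops new profiles on that host from inheriting it; existing profiles on user profile disks still carry their own copy, which is why the answer's per-user cleanup at logon (or this script's loaded-hive pass) is needed as well. If IEHarden reappears after a while, as Tim's answer describes, check the ESC Active Setup component's IsInstalled value from that answer, since Active Setup re-runs per user when it is set to 1.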
0

Besides IEHarden under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, in my company I also had to set IsInstalled at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073} to dword:00000000.

These two registry settings fully resolved the issue for us. Before, IEHarden was somehow set back to 1 after a certain time.

Tim
0

Thanks James for posting the info. For anyone who faces this issue, the value to look for is:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEHarden
Appleoddity
Greg
  • Curious about your environment. The OP's info and references solved my related issues. But the key you're describing doesn't exist in my 2012-R2 servers. – bvj Feb 15 '18 at 08:14