What an odd problem with MSDN Subscriptions download site!
After I got my MSDN subscriptioin, I immediately had some problems loading the File Transfer Manager activex control from [https://msdn.microsoft.com/en-us/subscriptions/securedownloads/default.aspx]. If I click on any product from the menu on the left, and on the link to download an item, I get what appears to be a common VBscript Warning.
VBScript: Microsoft File Transfer Manager
=====================================
There was an error launching File Transfer Manager.
If you are running Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 1, this installation may have been blocked. If the gold IE Information Bar is Present above, please click the bar and select the option to “Install ActiveX”.
For additional assistance, please visit the web site https://transfer.ds.microsoft.com, or contact your help provider.
=====================================
So, it looks like I have some IE Settings preventing me of downloading the activeX control FTM uses to get the download manager window. I have another computer and this works just fine. I can see that With the vbscript dialog warning, you should also get a Yellow Bar security warning which allow the user to download the FTM ActiveX control, but on this particular windows 7 machine, this is not happening.
I had to do some digging around only to find out that my Windows 7 machine had the FTM GUID blocked (killbit).and therefor preventing the FTM ActiveX control to be instantiated.
I have not idea what may have cause this machine to have added the FTM to the ActiveX Compatibility List in IE, maybe something I did trying to protect my computer 
, I know that I do run a lot of security applications and some development that may have cause me the pain, but happy to say that it was really easy to fix.
The the FTM GUID is: {82774781-8F4E-11D1-AB1C-0000F8773BF0}
Here is what you have to do:
> Set the {82774781-8F4E-11D1-AB1C-0000F8773BF0} compatibility flag to dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{82774781-8F4E-11D1-AB1C-0000F8773BF0}]
“Compatibility Flags”=dword:00000000
OR
> Delete the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{82774781-8F4E-11D1-AB1C-0000F8773BF0} entry
> You can use the Batch File below to help you quickly make the change
Steps:
> Please cut and paste the code below into notepad and save it as ActivateFTM.cmd or .bat
:: ENABLES FTM ActiveX GUID
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{82774781-8F4E-11D1-AB1C-0000F8773BF0}” /V “Compatibility Flags” /t REG_DWORD /d 0 /f
> Make sure Internet Explorer is not running (confirm by opening Task Manager and killing any IExplore.exe process)
> Run the ActivateFTM.cmd batch file
> Open the 32 bit Internet Explore application and navigate to the MSDN Subscription/Download page
BTW: IE9 will rule the browser world…I love what Microsoft is doing
Hi,
I am sharing an .exe that will help you disable IE Enhanced Securiy on Windows 2008 or Windows 2003 TS Servers.
Microsoft article 933991 outlines some of the known issues around IE Enhanced Security in Terminal Servers, but it does not provide you the Fix/Solution when dealing with an AD Environment. Here I will show you how you could potentially affect both New users as well as Existing users.
The Scenario:
When you logon as regular user, you discovered that you cannot manage the IE Security Settings. Basically, the option to add Trusted Sites is gray out or a pre-defined group policy appears that it is not getting apply.
Cause:
This is because IE Enhanced Security was turned on and tattooed the users profile.
We also know that this is an old issue that has carry over new Windows Servers, where IE Enhanced Security even when you have disable it from the UI, it does not properly update the registry until you go back and enable and then disable it again. This action, will only affect the new users and existing users will still have the entries on their profiles/registry.
Resolution:
I have written a bat file and an exe that will fix the problem profile. You will have to execute the bat or .exe while logon with the user account in order to affect the user profile. So, to fix this particular scenario, you would want to first, fix the .default profile by creating a new local user account. Fix this account with the .bat or .exe file that will add the entries below and then, copy this new profile to the .default profile.
To affect existing users, you can use the .exe or .bat as a logon script.
This is the best way you can affect everyone.
Download the .exeIEHarden_Disable.
Keys the .exe will affect:
Basically, I am running a fix.reg with following keys:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
“IsInstalled”=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
“IsInstalled”=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
@=”"
“IEHarden”=dword:00000000
“UNCAsIntranet”=dword:00000000
“AutoDetect”=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]
“iehardenadmin”=dword:00000000
“iehardenuser”=dword:00000000
From the .exe, I have a bat that will execute the following Command:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
regedit /s fix.reg
Rundll32 iesetup.dll,IEHardenUser
Rundll32 iesetup.dll,IEHardenAdmin
Rundll32 iesetup.dll,IEHardenMachineNow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here is a .BAT file that will execute the same function outline above, but using reg.exe.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
:: If required, backup the registry keys
:: This is always a good idea before making registry changes
REG EXPORT “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” “HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg”
REG EXPORT “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}” “HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg”
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” /v “IsInstalled” /t REG_DWORD /d 0 /f
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}” /v “IsInstalled” /t REG_DWORD /d 0 /f
Rundll32 iesetup.dll, IEHardenLMSettings
Rundll32 iesetup.dll, IEHardenUser
Rundll32 iesetup.dll, IEHardenAdmin
REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” /f /va
REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}” /f /va
Related Article
933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
Profile Article:
http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx
Known issue with Windows 2008 and Profile Creation:
The documents you may find out there may not properly cover the profile creation for windows 2008 or Vista, so we have to use the steps below.
If we select the “C:\Users\Default” as the path in Step 7-e of this article, It wipes all the Data from the Directory (After giving a Warning of course).
When a new user logs on, it picks up the custom profile from “C:\Users\Default”.
The side effect of this workaround is, as all the data is lost from the “C:\Users\Default” it also causes the junction points to be removed.
Note that in Windows Server 2008 and Windows Vista, there are junction points associated for the profile folders.
http://msdn.microsoft.com/en-us/library/bb968829(VS.85).aspx
http://www.svrops.com/svrops/articles/jpoints.htm
There might be an application which has dependencies with these junction points. So below is the valid solution for this.
Solution
The following TechNet article talks about the valid steps to customize the default user profile.
Managing Roaming User Data Deployment Guide (Section : Create a Default Network User Profile)
http://technet.microsoft.com/en-us/library/cc766489.aspx
Creating the new profile:
1) Log on to a computer running Windows 2008 with any domain user account. Do not use a domain administrator account.
2) Configure user settings such as connection settings, zone settings whatever is it you want this profile to have. Run the IE Enhanced Security .exe or .bat file to get this profile get the IE Enhanced settings (Turn off). Log off the computer. MAKE SURE YOU TEST THIS NEW USER PROFILE!!! Log out and log back in and doublecheck your settings to make sure this is what you want/need. then move to next steps.
3) Log on to the computer used in step 1 with a domain administrator account.
4) Click Start, right-click Computer, and then click Properties.
5) Click Start, right-click Computer, and then click Properties.
6) Click Advanced System Settings. Under User Profiles, click Settings.
7) The User Profiles dialog box shows a list of profiles stored on the computer. Click the name of the user you used in step 1. Click Copy To.
8) In the Copy To dialog box, click on Browse button and find path to the Windows default user folder.
9) In Permitted to use, click Change. Type the name Everyone ,and then click OK.
10) Click OK to commit the changes.
NOTE: You can copy the working profile to your Sysvol netlogon share if you like to affect everyone on your domain. Windows will use the local default profile when it cannot locate a default network profile.
It may be favorable to perform these steps during off-peak hours, if you are using a production environment. A default network profile is optional.
You can also use the .exe as a logon script, but this will be executed every time the user log on to your network and it is not the best case scenario.
Download:
You can download the zip file that contains the .exe from here.
Have fun,
Cheli