Deployment

I just want to quickly share an issue I worked on related to implementing the ActiveX Installer Service group policy and its parameters. Before I start, I have to thank the IE support team, which recently posted a new blog post that I think will help IE admins deal with these types of issues.

In my case, I was adding the wrong parameter and value in the group policy [2,2,1,0x00000100||0x00001000||0x00000200||0x00002000], and the ASKIE blog post Guidelines on enabling, configuring and troubleshooting ActiveX Installer Service (AxIS) provided me with the correct values [2,2,1,0x00003300]; now everything is working as expected. As they mention in the article, the TechNet document ActiveX Installer Service in Windows 7 (http://technet.microsoft.com/en-us/library/dd631688(v=WS.10).aspx) is confusing. The new blog post from these guys is a must-have.

Approved Installation Sites for ActiveX Controls

(Screenshot: the Approved Installation Sites for ActiveX Controls policy, showing a sample parameter/value for the 4 HTTPS certificate exception errors.)
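The fourth field of that policy value is a single bitmask, not a list of flags joined with "||", which is why the first value above never worked and 0x00003300 (the four flags OR'd together) does. The following PowerShell is an added example, not code from the original post, the ASKIE blog or Microsoft: it combines individual flags into the mask, validates and decodes a policy value, and audits what is actually deployed on a machine. Three things are assumptions and are marked as such in the code: the flag names (taken from the WinINet SECURITY_FLAG_IGNORE_* constants; verify them against the policy's Explain text), the meaning and order of the first three fields (per the TechNet article the post links), and the registry path under HKLM\SOFTWARE\Policies where the policy lands. The site URL is a constructed sample.

```powershell
# Added example; not code from the original post or from Microsoft.
# ASSUMPTION: flag names follow the WinINet SECURITY_FLAG_IGNORE_* constants.
# A plain hashtable is used on purpose: an [ordered] dictionary indexed with an
# int treats it as a position, not a key.
$AxisCertErrorFlags = @{
    0x00000100 = 'ignore unknown certificate authority'
    0x00000200 = 'ignore wrong certificate usage'
    0x00001000 = 'ignore invalid certificate common name'
    0x00002000 = 'ignore invalid certificate date'
}

# Combine individual flags into the single hex field the policy expects.
function New-AxisCertErrorMask {
    param([Parameter(Mandatory)][int[]]$Flags)
    $mask = 0
    foreach ($f in $Flags) { $mask = $mask -bor $f }
    '0x{0:X8}' -f $mask
}

function ConvertFrom-AxisSitePolicy {
    param([Parameter(Mandatory)][string]$Site, [Parameter(Mandatory)][string]$Value)
    $fields = @($Value -split ',' | ForEach-Object { $_.Trim() })
    if ($fields.Count -ne 4) {
        throw "$Site : expected 4 comma-separated fields, got $($fields.Count) in '$Value'"
    }
    # ASSUMPTION (order per the TechNet article linked in the post): fields 1-3 are the
    # install actions for trusted-publisher-signed, signed and unsigned controls,
    # 0 = do not install, 1 = prompt, 2 = install silently.
    foreach ($i in 0..2) {
        if ($fields[$i] -notmatch '^[0-2]$') {
            throw "$Site : field $($i + 1) must be 0, 1 or 2, got '$($fields[$i])'"
        }
    }
    # Field 4 must be ONE hex number; "0x100||0x1000" is just a string, not a bitmask.
    $mask = 0
    $hex  = $fields[3] -replace '^0x', ''
    if (-not [int]::TryParse($hex, [Globalization.NumberStyles]::HexNumber,
                             [Globalization.CultureInfo]::InvariantCulture, [ref]$mask)) {
        throw "$Site : field 4 must be a single hex value such as 0x00003300, got '$($fields[3])'"
    }
    $known = 0
    foreach ($k in $AxisCertErrorFlags.Keys) { $known = $known -bor $k }
    $ignored = @($AxisCertErrorFlags.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                 ForEach-Object { $AxisCertErrorFlags[$_] })
    [pscustomobject]@{
        Site              = $Site
        SignedTrustedCtl  = [int]$fields[0]
        SignedCtl         = [int]$fields[1]
        UnsignedCtl       = [int]$fields[2]
        CertErrorMask     = '0x{0:X8}' -f $mask
        IgnoredCertErrors = $ignored          # every entry here weakens TLS validation for that site
        UnknownBits       = '0x{0:X8}' -f ($mask -band (-bnot $known))
    }
}

# Audit what Group Policy actually delivered. ASSUMPTION: registry location below;
# each value is named after the site URL and holds the 4-field string.
function Get-AxisApprovedSites {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AxInstaller\ApprovedActiveXInstallSites'
    if (-not (Test-Path $key)) { return }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*' -or $p.Name -eq '(default)') { continue }   # provider metadata
        ConvertFrom-AxisSitePolicy -Site $p.Name -Value $p.Value
    }
}

# Usage with constructed sample values (not a real deployment):
New-AxisCertErrorMask 0x100, 0x1000, 0x200, 0x2000
ConvertFrom-AxisSitePolicy -Site 'https://intranet.contoso.com' -Value '2,2,1,0x00003300'
try { ConvertFrom-AxisSitePolicy -Site 'https://intranet.contoso.com' -Value '2,2,1,0x00000100||0x00001000||0x00000200||0x00002000' }
catch { Write-Warning $_ }
# Sites that tolerate any certificate error deserve a second look:
Get-AxisApprovedSites | Where-Object { $_.IgnoredCertErrors.Count -gt 0 }
```

The point of the decode step is the last line: 0x00003300 tells AxIS to install controls from that site even when its certificate is untrusted, expired, mis-named or issued for the wrong purpose, so only set the bits a given site really needs.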

 

Happy to see the IE team give back to the community. We deal with a lot of issues in the IE world that have to do with education and interpretation of MS documents.

 

Thanks,

Xelo

 

This blog post is aimed at IT administrators who have to deal with users curious enough to open the 64-bit version of IE (IEx64) on their machines, only to find that some application add-on does not work; they then call the help desk and hours are spent troubleshooting. Preventing users from hurting productivity is part of an IT admin's job, as these kinds of user actions cost enterprises a lot of money.

Today most web applications are designed to work in a 32-bit browser, and 32-bit add-ons (ActiveX controls, toolbars, browser helper objects) cannot load in a 64-bit browser process. To keep users from hurting productivity, administrators can use AppLocker policy. I will show you how to lock down the IEx64 version of IE in Windows 7. To read more about the design of 64-bit IE, see Eric Lawrence's Q&A: 64-bit Internet Explorer blog post.

AppLocker Policy Steps – Restricting IEx64 .exe process

  • From Start > Run, type gpedit.msc for the local policy, or gpmc.msc to edit a domain GPO.
  • From the left pane, navigate to: Computer configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules
  • Right-click Executable Rules and select Create New Rule…


  • The Create Executable Rule wizard comes up. On the Permissions page set the Action to Deny. I left the User or group option set to Everyone.


  • Click Next to go to Conditions, select Path, and click Next to continue. (A publisher rule would not work here: both IE binaries are signed by the same publisher with the same product and file name, so only the path distinguishes them.)


  • On the Path page, click Browse Files… and navigate to %PROGRAMFILES%\Internet Explorer\iexplore.exe (the wizard substitutes the AppLocker path variable for C:\Program Files). Click Next to continue.


  • On the Exceptions page, click the Add exception: drop-down and set it to Path (see the screenshot below), then move to the next step…


  • … then click the Add… button to set the exception path. In the Path Exception window, paste this path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Do not use the variable form [%PROGRAMFILES(x86)%\Internet Explorer\iexplore.exe]; the rule will fail to match. AppLocker path rules do not read Windows environment variables at all: %PROGRAMFILES% here is AppLocker's own path variable, and it expands to both C:\Program Files and C:\Program Files (x86). That is why the deny condition above already covers the 32-bit binary and the exception has to be a literal path, and why changing environment variables with the SET command has no effect on the rule (I would not recommend it anyway, as Microsoft may use those variables for other purposes).

  • Click Next to add a name. Use a friendly name that helps an administrator identify what the restriction is for; in this example, IEx64 Restriction.
  • Click Create to complete. You will most likely get an AppLocker warning that no default rules exist; click Yes to create them. The default rules are allow rules (Everyone for the Program Files and Windows folders, Administrators for everything), and without them an enforced Executable Rules collection blocks every other program. Deny rules take precedence over allow rules, so the new rule still wins for the 64-bit binary.
  • I recommend double-checking the configuration. Open the rule by double-clicking it and, under Action, select Deny if it is not already set.
  • Click the Exceptions tab and make sure the exception is set to Path, then click OK to close.
  • Run gpupdate /force from a command window to refresh the policy, then test it. Two things must also be true for AppLocker to enforce anything: the Application Identity service (AppIDSvc) must be running, and the Executable Rules collection must be set to Enforce rules (or Audit only while you are testing) under AppLocker > Configure rule enforcement.

If you try to open IEx64 from %PROGRAMFILES%\Internet Explorer\iexplore.exe or any shortcut pointing to that directory, you get a warning like the one below (AppLocker also logs event ID 8004 in the Microsoft-Windows-AppLocker/EXE and DLL event log):

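The same result can be produced without clicking through the wizard, and tested before it is applied. The PowerShell below is an added example, not code from the original post or Microsoft's documentation: it builds the deny rule the wizard produces (rule GUID and name copied from the registry export later in this post), adds the three default allow rules so nothing else gets blocked, evaluates the policy against both iexplore.exe binaries with Test-AppLockerPolicy, and only then merges it into the local policy. The collection starts in AuditOnly mode on purpose; switching it to Enabled is the assumed final step once the audit events (ID 8003) show only the hits you expect. The temp file name and the default-rule GUIDs (generated at run time) are this example's own choices.

```powershell
# Added example; not code from the original post. Requires an elevated prompt on
# a machine with both IE binaries present (Windows 7 x64 in the post's scenario).
Import-Module AppLocker

$ruleXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="5dcf1ef3-ba15-42a5-9ce7-47f6b8a4399c" Name="IEx64 Restriction"
                  Description="Deny 64-bit IE; 32-bit IE stays allowed"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <!-- AppLocker's %PROGRAMFILES% matches both Program Files directories -->
        <FilePathCondition Path="%PROGRAMFILES%\Internet Explorer\iexplore.exe" />
      </Conditions>
      <Exceptions>
        <!-- literal on purpose: %PROGRAMFILES(x86)% is not an AppLocker path variable -->
        <FilePathCondition Path="C:\Program Files (x86)\Internet Explorer\iexplore.exe" />
      </Exceptions>
    </FilePathRule>
    <!-- the three default rules; an enforced Exe collection without them blocks everything -->
    <FilePathRule Id="{0}" Name="(Default Rule) All files located in the Program Files folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{1}" Name="(Default Rule) All files located in the Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{2}" Name="(Default Rule) All files"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@ -f ([guid]::NewGuid()), ([guid]::NewGuid()), ([guid]::NewGuid())

$policyFile = Join-Path $env:TEMP 'iex64-deny.xml'   # example's own file name
Set-Content -Path $policyFile -Value $ruleXml -Encoding UTF8

# 1. Dry run: the decision is computed from the XML only, nothing is applied yet.
#    The x64 binary should come back Denied by "IEx64 Restriction", the x86 one
#    Allowed by the Program Files default rule.
$targets = @(
    (Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'),
    (Join-Path ${env:ProgramFiles(x86)} 'Internet Explorer\iexplore.exe')
)
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $targets -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 2. Enforcement prerequisite: AppLocker evaluates nothing unless AppIDSvc runs.
sc.exe config appidsvc start= auto | Out-Null
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') { Start-Service -Name AppIDSvc }

# 3. Merge into the local policy (add -Ldap "LDAP://..." to target a domain GPO instead),
#    then confirm the rule is part of the effective policy.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
Get-AppLockerPolicy -Effective -Xml | Select-String -Pattern 'IEx64 Restriction' -SimpleMatch
```

The -Merge switch keeps any rules already in the local policy; without it Set-AppLockerPolicy replaces them, which on a machine with only this deny rule and no allow rules would lock out every executable the moment enforcement is turned on.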

 

RESOURCES

 

The Registry location for this policy is under:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2

We are setting the policy for EXE files, so the key holding the configuration above will be under:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe

The complete key may look like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe\5dcf1ef3-ba15-42a5-9ce7-47f6b8a4399c]

"Value"="<FilePathRule Id=\"5dcf1ef3-ba15-42a5-9ce7-47f6b8a4399c\" Name=\"IEx64 Restriction\" Description=\"\" UserOrGroupSid=\"S-1-1-0\" Action=\"Deny\"><Conditions><FilePathCondition Path=\"%PROGRAMFILES%\\Internet Explorer\\iexplore.\"/></Conditions><Exceptions><FilePathCondition Path=\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\"/></Exceptions></FilePathRule>"
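Because every rule is stored as an XML fragment in a Value entry under its own GUID key, the whole SrpV2 tree can be read back and decoded in a few lines. The following is an added example, not code from the original post: it walks every rule collection Group Policy has written (Exe, Dll, Msi, Script and so on), parses each rule, and lists the conditions and exceptions, which is a quick way to confirm that the deny rule arrived after gpupdate and to spot rules you did not expect on a machine. The meaning of the EnforcementMode value on each collection key (1 = enforce, 0 = audit only, absent = not configured) is an assumption noted in the code.

```powershell
# Added example; not code from the original post.
function Get-SrpV2Rules {
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    if (-not (Test-Path $root)) { return }          # no AppLocker policy delivered by GPO
    foreach ($collection in Get-ChildItem -Path $root) {
        # ASSUMPTION: per-collection DWORD, 1 = enforce, 0 = audit only, absent = not configured
        $mode = (Get-ItemProperty -Path $collection.PSPath -ErrorAction SilentlyContinue).EnforcementMode
        foreach ($ruleKey in Get-ChildItem -Path $collection.PSPath) {
            $raw = (Get-ItemProperty -Path $ruleKey.PSPath -ErrorAction SilentlyContinue).Value
            if (-not $raw) { continue }
            $rule = ([xml]$raw).DocumentElement
            # GetAttribute avoids the clash between the "Name" attribute and XmlElement.Name;
            # path conditions are shown as the path, publisher/hash conditions as raw XML.
            $conds = @($rule.SelectNodes('Conditions/*') | ForEach-Object {
                          if ($_.HasAttribute('Path')) { $_.GetAttribute('Path') } else { $_.OuterXml } })
            $excs  = @($rule.SelectNodes('Exceptions/*') | ForEach-Object {
                          if ($_.HasAttribute('Path')) { $_.GetAttribute('Path') } else { $_.OuterXml } })
            [pscustomobject]@{
                Collection      = $collection.PSChildName
                EnforcementMode = $mode
                RuleType        = $rule.LocalName       # FilePathRule / FilePublisherRule / FileHashRule
                Id              = $ruleKey.PSChildName
                Name            = $rule.GetAttribute('Name')
                Action          = $rule.GetAttribute('Action')
                Sid             = $rule.GetAttribute('UserOrGroupSid')
                Conditions      = $conds -join '; '
                Exceptions      = $excs -join '; '
            }
        }
    }
}

# Usage: deny rules first, since those are the ones that break things.
Get-SrpV2Rules | Sort-Object Action -Descending |
    Format-Table Collection, Action, Name, Conditions, Exceptions -Wrap
```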

 

Resources: Windows 7 AppLocker Executive Overview:

http://technet.microsoft.com/en-us/library/dd548340(v=WS.10).aspx

 

Saludos!

In this article, you will learn how Web Proxy Auto-Discovery (WPAD) configuration files, wpad.dat, provide central administration of proxy connections to the Internet, and how the detection sequence works.

When the Automatically detect settings option is enabled, IE searches for a proxy auto-configuration file using the following predefined detection methods:

NOTE: This only applies when 'Automatically detect settings' in Internet Options > Connections > LAN settings is the only option checked. The other ways to configure IE connection settings are an automatic configuration script (a .pac/.dat URL) and a manually specified proxy server.

  1. DHCP (option 252)
  2. DNS A record queries
  3. NetBIOS name query

If DHCP is configured to provide the WPAD location, IE stops the detection there and issues an HTTP GET for the wpad.dat file; no further searching is done. This is true even if the DHCP option 252 value is wrong and a correct entry exists in DNS. Note that every step accepts the first answer it receives, so any host on the same segment that can answer the DHCP, DNS or NetBIOS query first can hand clients an attacker-controlled proxy script (the well-known WPAD spoofing attack); this is a second reason, besides the overhead discussed below, to turn detection off where no WPAD service exists.

If DHCP option 252 is not configured, IE continues until it either exhausts the search or gets a response:

  1. A DHCPINFORM request to the DHCP server for option 252, which carries the URL of the wpad.dat file. If option 252 is not configured:
  2. A DNS A query for "wpad." followed by the domain suffix, e.g. wpad.domainname.com. If the DNS query fails:
  3. A NetBIOS name query for a machine named WPAD. If NetBIOS fails:
  4. A direct connection is attempted.

If the direct connection also fails, the user is presented with the "cannot display the webpage" page or a similar message.

The wpad.dat detection (steps 1 through 3) runs while "Detecting proxy settings…" is displayed in the status bar at the lower left of the Internet Explorer window.

Example of a detection order:

If the machine's DNS suffix is west.corp.contoso.com, IE performs the following queries, dropping the leftmost label each time (DNS devolution):

  • wpad.west.corp.contoso.com
  • wpad.corp.contoso.com
  • wpad.contoso.com

NOTE: If a domain suffix search list has been specified, the first domain in that list is used instead. Devolution also means that whoever controls the wpad name at the top of the hierarchy (wpad.contoso.com here) answers for every subdomain that has no wpad record of its own, so that name should be registered deliberately, not left unclaimed.

This shows the overhead associated with the detection method: if you do not have a WPAD solution, there is no reason to have this option enabled. Disabling it reduces network traffic as well as initial page load times for Internet Explorer, because IE then attempts to connect immediately.
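To see this search order on a real machine, the PowerShell below is an added example, not code from the original post: it reproduces the DNS part of the detection order described above for the post's west.corp.contoso.com example (DHCP option 252 and the NetBIOS step cannot be reproduced offline), resolves the candidate names through the Windows resolver so you can see whether anything is currently answering for wpad in your hierarchy, and reads the "Automatically detect settings" flag for the current user. The layout of the DefaultConnectionSettings registry blob (flags DWORD at offset 8; 0x08 = auto-detect, 0x04 = configuration script, 0x02 = manual proxy) is an assumption marked in the code, as is reading the primary suffix and search list from Tcpip\Parameters.

```powershell
# Added example; not code from the original post.

function Get-WpadDnsCandidates {
    param(
        [Parameter(Mandatory)][string]$PrimaryDnsSuffix,
        [string[]]$SuffixSearchList = @()
    )
    # Per the post, an explicit suffix search list wins and only its first entry is used.
    if ($SuffixSearchList.Count -gt 0) {
        return @("wpad.$($SuffixSearchList[0].Trim())")
    }
    # Devolution as in the post's example: drop the leftmost label each round and
    # stop at the two-label domain (west.corp.contoso.com -> corp.contoso.com -> contoso.com).
    $labels = @($PrimaryDnsSuffix.Trim().TrimEnd('.').Split('.'))
    $names  = @()
    while ($labels.Count -ge 2) {
        $names += 'wpad.' + ($labels -join '.')
        $labels = @($labels[1..($labels.Count - 1)])
    }
    return $names
}

function Test-WpadDnsNames {
    param([Parameter(Mandatory)][string[]]$Names)
    foreach ($n in $Names) {
        $addrs = @()
        try   { $addrs = @([System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }) }
        catch [System.Net.Sockets.SocketException] { }          # no such host: expected when no WPAD exists
        [pscustomobject]@{
            Name      = $n
            Resolves  = ($addrs.Count -gt 0)                      # True means something answers for wpad
            Addresses = ($addrs -join ', ')
        }
    }
}

function Get-IEAutoDetectState {
    # ASSUMPTION: DefaultConnectionSettings holds a flags DWORD at byte offset 8 where
    # 0x02 = manual proxy, 0x04 = automatic configuration script, 0x08 = auto-detect.
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    $blob = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if (-not $blob -or $blob.Length -lt 12) { return $null }     # value absent: IE's default (auto-detect on) applies
    $flags = [BitConverter]::ToUInt32($blob, 8)
    [pscustomobject]@{
        AutoDetect    = [bool]($flags -band 0x08)
        AutoConfigUrl = [bool]($flags -band 0x04)
        ManualProxy   = [bool]($flags -band 0x02)
    }
}

# Usage: the post's example suffix, then a live check of this host's own suffix.
Get-WpadDnsCandidates -PrimaryDnsSuffix 'west.corp.contoso.com'
# ASSUMPTION: primary suffix and search list live in Tcpip\Parameters (Domain / SearchList).
$tcpip  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$search = if ($tcpip.SearchList) { @($tcpip.SearchList -split ',') } else { @() }
if ($tcpip.Domain -or $search.Count -gt 0) {
    Test-WpadDnsNames -Names (Get-WpadDnsCandidates -PrimaryDnsSuffix $tcpip.Domain -SuffixSearchList $search)
}
Get-IEAutoDetectState
```

If Resolves comes back True for a name you never registered, find out who owns that host before anything else: every client with auto-detect on and no DHCP option 252 will fetch its proxy script from there.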