I just want to quickly share an issue I worked with related to implementing the ActiveX Installer Service group policy and its parameters. Before I start, I have to thanks the IE support team that recently posted a new blog post that I think will help IE Admin deal with these types of issues.
In my case, I was adding the wrong parameter and value in the group policy [2,2,1,0x00000100||0x00001000||0x00000200||0x00002000 ] and the ASKIE blog Guidelines on enabling, configuring and troubleshooting ActiveX Installer service (Axis) provided me with the correct values [ 2,2,1,0x00003300 ] and now everything is working as expected. As they mentioned in the article the document out of the TechNet: ActiveX Installer Service in Windows 7: http://technet.microsoft.com/en-us/library/dd631688(v=WS.10).aspx is confusing. The new blog post from these guys are a must have.
Happy to see the IE team give back to the community. We deal with a lot of issues in the IE world that has to do with education and interpretation of MS documents.
This blog post is targeted to the IT Administrators having to deal with users that are curious in off to open the IEx64 version of IE on their machines, only to find out that some applications add-on does not work and end up calling the help desk and spent hours troubleshooting. Preventing users of hurting productivity is one of IT Admins job, as these types of actions by users cost Enterprises lots of money.
Today, most web application are design to work in a Windows 32bit Browser configuration and to keep users from hurting productivity, the administrators can use the AppLocker Policy. I will show you how you can locked down the IEx64 version of IE in Windows 7. To read more about Microsoft IEx64 and design, please visit Eric Lawrence Q&A 64-bit Internet Explorer blog post.
Do Not use variable [%PROGRAMFILES(x86)%\Internet Explorer\iexplore.exe ] as it will failed to process! It looks like this policy will read the path the same way, regardless if you use the x86 variable. You could change this using the SET command, but I do not recommended as Microsoft may use these configurations for other purpose!
The warning you will get if you try to open IEx64 from %PROGRAMFILES%\Internet Explorer\iexplore.exe or any shortcut pointing to this directory is something like this:
We are setting the policy for EXE, so the key to find the above configuration will be under:
The complete key may look like this:
“Value”=”<FilePathRule Id=\”5dcf1ef3-ba15-42a5-9ce7-47f6b8a4399c\” Name=\”IEx64 Restriction\” Description=\”\” UserOrGroupSid=\”S-1-1-0\” Action=\”Deny\”><Conditions><FilePathCondition Path=\”%PROGRAMFILES%\\Internet Explorer\\iexplore.\”/></Conditions><Exceptions><FilePathCondition Path=\”C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\”/></Exceptions></FilePathRule>”
Resources: Windows 7 AppLocker Executive Overview:
In this article, you will learn how Proxy Auto-Disover configuration files , wpad.dat files, provide central administration for proxy connections to the Internet and how the algorithm sequence work.
When using Automatically Detect setting setting in IE will search a proxy auto-configuration file in the predefined detection methods:
NOTE: Only applies when ‘Automatically detect settings’ in Internet Options > connections > Lan Connections is the only option checked. Other options for configuring IE connection settings include Automatic Configuration Scripts and manually specifying a proxy server.
If DHCP is configured to provide the WPAD location, IE stops the detection and will make a GET request for the wpad.dat file and no further searching is done. This is true even if the DHCP 252 option is incorrect and a correct entry is configured as a DNS record.
If DHCP 252 is not configured, IE will continue until it either exhausts the search or gets a response:
If this attempt fails, the user is presented with the Cannot display the webpage or similar message.
The wpad.dat detection (steps 1 thru 3) occur when “Detecting proxy settings…” is displayed in the status bar in the lower left corner of the Internet Explorer window.
Example of a detection order:
- If a domain suffix is west.corp.contoso.com
IE will perform the following queries:
NOTE: If a domain suffix search order has been specified, the first domain in the list will be used instead.
We have demostrated that there is potential overhead associated with the detection method and if you don’t ahve a WPAD solution, there is not readon to have this option enabled. Disabling this option can reduce network traffic as well as initial page laod times for Internet Explore. When we disable this option, IE will attempt to connect immediately.