Settings

Ran into an issue recently where Windows 7 IE 8 was experiencing an error when visiting a Microsoft Dynamics CRM website. The error was:

A Microsoft Dynamics CRM window was unable to open and may have been blocked by a pop-up blocker.  Please add this Microsoft Dynamics CRM server to the list of sites your pop-up blocker allows to open new Windows: URL

What is really cool about this error message is the fact that I actually have the popup blocker disabled. DOH!

I started running through all of the usual suspects, disabling toolbars and BHOs from Manage Add-ons, but nothing seemed to help. So I took more drastic steps.

First I downloaded Disk2VHD from Sysinternals (Microsoft) and made a backup of my machine. Why, you might ask? Simple: I want to be able to load a “VM” with an undo disk. The undo disk will allow me to do anything I want with the VM and never worry about what I might break, stuff I would never do to my physical machine.

Anyway, I made the VHD and booted it up. I then took a working machine and started exporting registry keys that I thought might help. After importing the known good registry keys from the working machine into the non-working machine I still had the error. I then began the process of registry comparison and, while it was a very painful process, I was able to find an anomaly.

On my machine with the popup blocker error I had the following entry in the registry.

[HKEY_CLASSES_ROOT\Interface\{79EAC9C5-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32]
@="{79eac9c0-baf9-11ce-8c82-00aa004ba90b}"

On the machine that works (without the popup blocker error) I had the following.

[HKEY_CLASSES_ROOT\Interface\{79EAC9C5-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32]
@="{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"

I modified the registry on the non-working machine to match what I had on the working machine and bingo, the issue was resolved (note: I had to reboot first).

So what is this key and how did it get changed? That is a very good question and I am glad you asked. It appears the registration of ieproxy.dll was overwritten by another process (likely something I installed).

The real fix is not to simply edit the registry as I listed above, but to regsvr32 the ieproxy.dll located in C:\program files\internet explorer or c:\program files (x86)\internet explorer.

First click on the Windows button and type cmd in the search box.

Now right click on cmd and select Run as administrator

Now type in the following command: 
   regsvr32 "C:\program files\internet explorer\ieproxy.dll"

If you have a 64-bit version of Windows, register the 32-bit version of IE:
   regsvr32 "C:\program files (x86)\internet explorer\ieproxy.dll"

If the registration was successful you will see the following message. At this point click OK.

That’s it. I hope this helps some of you guys\gals.

What an odd problem with MSDN Subscriptions download site!

After I got my MSDN subscription, I immediately had some problems loading the File Transfer Manager ActiveX control from [https://msdn.microsoft.com/en-us/subscriptions/securedownloads/default.aspx]. If I click on any product from the menu on the left, and on the link to download an item, I get what appears to be a common VBScript warning.

VBScript: Microsoft File Transfer Manager
=====================================
There was an error launching File Transfer Manager.

If you are running Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 1, this installation may have been blocked. If the gold IE Information Bar is Present above, please click the bar and select the option to “Install ActiveX”.

For additional assistance, please visit the web site https://transfer.ds.microsoft.com, or contact your help provider.

=====================================

So, it looks like I have some IE settings preventing me from downloading the ActiveX control FTM uses to get the download manager window. I have another computer and this works just fine. I can see that with the VBScript dialog warning, you should also get a yellow bar security warning which allows the user to download the FTM ActiveX control, but on this particular Windows 7 machine, this is not happening.

I had to do some digging around only to find out that my Windows 7 machine had the FTM GUID blocked (killbit), therefore preventing the FTM ActiveX control from being instantiated.

I have no idea what may have caused this machine to add the FTM to the ActiveX Compatibility list in IE, maybe something I did trying to protect my computer :-) , I know that I do run a lot of security applications :-) and some development that may have caused me the pain, but happy to say that it was really easy to fix.

The FTM GUID is: {82774781-8F4E-11D1-AB1C-0000F8773BF0}

Here is what you have to do:
> Set the {82774781-8F4E-11D1-AB1C-0000F8773BF0} compatibility flag to dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{82774781-8F4E-11D1-AB1C-0000F8773BF0}]
   "Compatibility Flags"=dword:00000000

OR

> Delete the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{82774781-8F4E-11D1-AB1C-0000F8773BF0} entry

> You can use the Batch File below to help you quickly make the change

Steps:
> Please cut and paste the code below into notepad and save it as ActivateFTM.cmd or .bat
 
  :: ENABLES FTM ActiveX GUID
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{82774781-8F4E-11D1-AB1C-0000F8773BF0}" /V "Compatibility Flags" /t REG_DWORD /d 0 /f

> Make sure Internet Explorer is not running (confirm by opening Task Manager and killing any IExplore.exe process)
> Run the ActivateFTM.cmd batch file
> Open the 32-bit Internet Explorer application and navigate to the MSDN Subscription/Download page
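
A way to record the current state of the key before and after the change, as an added example that is not part of the original post: the kill bit is the 0x400 bit of "Compatibility Flags", and the function below reports it for the FTM GUID in both registry views. The function name Get-KillBitState is hypothetical, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post): report the ActiveX kill bit
# state for a CLSID in the 32-bit and 64-bit views of HKLM.
# Assumes Windows PowerShell 3.0+ (.NET 4 RegistryView support).

$KillBit = 0x400   # bit in "Compatibility Flags" that blocks instantiation in IE

function Get-KillBitState {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Clsid,
        [Microsoft.Win32.RegistryView]$View = 'Default'
    )
    $path = "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $View)
    try {
        $key   = $base.OpenSubKey($path)     # read-only; $null if the key is absent
        $flags = $null
        if ($key) {
            $flags = $key.GetValue('Compatibility Flags')
            $key.Close()
        }
        [pscustomobject]@{
            View       = $View
            KeyPresent = [bool]$key
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f [int]$flags } else { $null }
            KillBitSet = ($null -ne $flags) -and (([int]$flags -band $KillBit) -ne 0)
        }
    }
    finally {
        $base.Close()
    }
}

# FTM GUID from the post. On 64-bit Windows the Registry32 view is the
# Wow6432Node path that 32-bit IE reads.
$ftm = '{82774781-8F4E-11D1-AB1C-0000F8773BF0}'
'Registry32', 'Registry64' |
    ForEach-Object { Get-KillBitState -Clsid $ftm -View $_ } |
    Format-Table -AutoSize
```

Running it before the batch file shows which view carried the block, and running it again later shows whether something on the machine has put the flag back.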
 

BTW: IE9 will rule the browser world…I love what Microsoft is doing :-)

Hi,

I am sharing an .exe that will help you disable IE Enhanced Security on Windows 2008 or Windows 2003 TS servers.

Microsoft article 933991 outlines some of the known issues around IE Enhanced Security on Terminal Servers, but it does not provide you with the fix/solution when dealing with an AD environment. Here I will show you how you could potentially affect both new users as well as existing users.

The Scenario:

When you log on as a regular user, you discover that you cannot manage the IE Security Settings. Basically, the option to add Trusted Sites is grayed out, or a pre-defined group policy appears not to be getting applied.

Cause:

This is because IE Enhanced Security was turned on and tattooed the user's profile.

We also know that this is an old issue that has carried over to newer Windows Server versions: even when you have disabled IE Enhanced Security from the UI, it does not properly update the registry until you go back and enable and then disable it again. This action will only affect new users; existing users will still have the entries in their profiles/registry.

Resolution:

I have written a bat file and an exe that will fix the problem profile. You will have to execute the .bat or .exe while logged on with the user account in order to affect the user profile. So, to fix this particular scenario, you would first fix the .default profile by creating a new local user account, fixing this account with the .bat or .exe file that will add the entries below, and then copying this new profile to the .default profile.

To affect existing users, you can use the .exe or .bat as a logon script.

This is the best way you can affect everyone.

Download the .exe: IEHarden_Disable.

 

Keys the .exe will affect:

Basically, I am running a fix.reg with following keys:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
@=""
"IEHarden"=dword:00000000
"UNCAsIntranet"=dword:00000000
"AutoDetect"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]
"iehardenadmin"=dword:00000000
"iehardenuser"=dword:00000000

 

From the .exe, I have a bat that will execute the following Command:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

regedit /s fix.reg

Rundll32 iesetup.dll,IEHardenUser

Rundll32 iesetup.dll,IEHardenAdmin

Rundll32 iesetup.dll,IEHardenMachineNow

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Here is a .BAT file that will execute the same function outlined above, but using reg.exe.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

::Related Article

::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server

::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

 

:: If required, backup the registry keys

:: This is always a good idea before making registry changes

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" "HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg"

 

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

 

Rundll32 iesetup.dll, IEHardenLMSettings

Rundll32 iesetup.dll, IEHardenUser

Rundll32 iesetup.dll, IEHardenAdmin

 

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va

 

 


Related Article

933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server

http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

Profile Article: 

http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx

Known issue with Windows 2008 and Profile Creation:

The documents you may find out there may not properly cover profile creation for Windows 2008 or Vista, so we have to use the steps below.

If we select “C:\Users\Default” as the path in Step 7-e of this article, it wipes all the data from the directory (after giving a warning, of course).
When a new user logs on, it picks up the custom profile from “C:\Users\Default”.
The side effect of this workaround is that, as all the data is lost from “C:\Users\Default”, the junction points are removed as well.

Note that in Windows Server 2008 and Windows Vista, there are junction points associated for the profile folders.

http://msdn.microsoft.com/en-us/library/bb968829(VS.85).aspx
http://www.svrops.com/svrops/articles/jpoints.htm

There might be an application which has dependencies on these junction points. So below is the valid solution for this.

Solution

The following TechNet article talks about the valid steps to customize the default user profile.

Managing Roaming User Data Deployment Guide (Section : Create a Default Network User Profile)
http://technet.microsoft.com/en-us/library/cc766489.aspx

Creating the new profile:

1)       Log on to a computer running Windows 2008 with any domain user account. Do not use a domain administrator account.

2)      Configure user settings such as connection settings, zone settings, or whatever it is you want this profile to have. Run the IE Enhanced Security .exe or .bat file so that this profile gets the IE Enhanced Security settings (turned off). Log off the computer. MAKE SURE YOU TEST THIS NEW USER PROFILE!!! Log out and log back in and double-check your settings to make sure this is what you want/need, then move to the next steps.

3)      Log on to the computer used in step 1 with a domain administrator account.

4)      Click Start, right-click Computer, and then click Properties.

5)       Click Start, right-click Computer, and then click Properties.

6)      Click Advanced System Settings. Under User Profiles, click Settings.

7)       The User Profiles dialog box shows a list of profiles stored on the computer. Click the name of the user you used in step 1. Click Copy To.

8)      In the Copy To dialog box, click on Browse button and find path to the Windows default user folder.

9)      In Permitted to use, click Change. Type the name Everyone ,and then click OK.

10)    Click OK to commit the changes.

NOTE: You can copy the working profile to your Sysvol netlogon share if you would like to affect everyone on your domain. Windows will use the local default profile when it cannot locate a default network profile.

It may be favorable to perform these steps during off-peak hours if you are using a production environment. A default network profile is optional.

You can also use the .exe as a logon script, but this will be executed every time the user logs on to your network, and it is not the best-case scenario.

 

Download:

You can download the zip file that contains the .exe from here.

 

Have fun,

Cheli

Here I will show you how to hide the Favorites button from IE 8. This solution should work with all IE versions (Internet Explorer 6, Internet Explorer 7, Internet Explorer 8).

Here is how you can disable the Internet Explorer FAVORITES button. I know that

The Registry key:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions]
"NoCommandBar"=dword:00000001

Custom ADM

How to load the Custom ADM Template?

  1. To start Group Policy, click Start and then click Run. In the Open box, type GPedit.msc or GPMC.msc if from a Domain policy and then click OK.
  2. Select Administrative Templates from the Computer Configuration branch.
  3. Right-click the Administrative Templates branch, and then select All Tasks.
  4. Select Add/Remove Templates.
  5. Click Add.
  6. Load the ADM templates.

Here is how you disable the Group Policy filter, so you can see the new policy template:

  1. Right click on the Policy and select View > detail > Filtering
  2. Remove the check mark from the check box next to “Only show policy settings that can be fully managed”
  3. You should see the template now.

Copy and paste from the line below:

;---------------------- Start ------------------------

;This policy will help you hide the Favorite Button from IE Toolbar
;The value is a Dword NoCommandBar set to 1= Enable and 0=Disable

CLASS USER

CATEGORY "Custom Favorite Toolbars"

  POLICY "Remove_IE_Favorite_Button"
  EXPLAIN "This Policy will allow you to remove the Favorite Btn from IE Toolbar"
  KEYNAME "Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions"
  VALUENAME "NoCommandBar"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY

END CATEGORY

[strings]
RemoveFavoritesBTN="Removes Favorites Button from IE Toolbar"
RemoveFavoritesBTN="Now you can hide Favorites… Nice"

;---------------------- END ------------------------

I hope this helps you achieve your restriction needs!

Pink

In this article, you will learn how Proxy Auto-Discovery configuration files (wpad.dat files) provide central administration for proxy connections to the Internet, and how the detection sequence works.

When the Automatically detect settings option is used, IE searches for a proxy auto-configuration file using the following predefined detection methods:

NOTE: Only applies when ‘Automatically detect settings’ in Internet Options > connections > Lan Connections is the only option checked. Other options for configuring IE connection settings include Automatic Configuration Scripts and manually specifying a proxy server.

  1. DHCP (252 option)
  2. DNS A record query/queries
  3. NetBIOS

If DHCP is configured to provide the WPAD location, IE stops the detection and makes a GET request for the wpad.dat file; no further searching is done. This is true even if the DHCP 252 option is incorrect and a correct entry is configured as a DNS record.

If DHCP 252 is not configured, IE will continue until it either exhausts the search or gets a response:

  1. A BootP request to DHCP for the 252 option containing the path to the wpad.dat file
  2. If DHCP 252 is not configured, a DNS A query for “wpad.” (e.g. wpad.domainname.com)
  3. If the DNS query fails, a NetBIOS query for a machine named WPAD
  4. If NetBIOS fails, a direct connection is attempted

If this attempt fails, the user is presented with the Cannot display the webpage or similar message.

The wpad.dat detection (steps 1 through 3) occurs while “Detecting proxy settings…” is displayed in the status bar in the lower left corner of the Internet Explorer window.

Example of a detection order:

- If a domain suffix is west.corp.contoso.com

IE will perform the following queries:

  • wpad.west.corp.contoso.com
  • wpad.corp.contoso.com
  • wpad.contoso.com

NOTE: If a domain suffix search order has been specified, the first domain in the list will be used instead.
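
The DNS step of the detection order above, as an added example that is not part of the original article: it builds the list of wpad names for a DNS suffix and reports which of them currently resolve, so you can see whether anything in your namespace answers for WPAD. The function names are hypothetical, stopping at two labels follows the article's contoso.com example, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original article): enumerate the WPAD host
# names tried for a DNS suffix and check which ones resolve.
# Assumes Windows PowerShell 3.0+.

function Get-WpadCandidate {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$DnsSuffix,
        # Assumption: stop at two labels (wpad.contoso.com), as in the article.
        [int]$MinLabels = 2
    )
    $labels = @($DnsSuffix.Trim('.').Split('.') | Where-Object { $_ })
    # Drop the left-most label on each pass: west.corp.contoso.com,
    # corp.contoso.com, contoso.com
    for ($i = 0; ($labels.Count - $i) -ge $MinLabels; $i++) {
        'wpad.' + ($labels[$i..($labels.Count - 1)] -join '.')
    }
}

function Test-WpadName {       # hypothetical helper name
    param([Parameter(Mandatory = $true)][string[]]$Name)
    foreach ($n in $Name) {
        $addresses = @()
        try {
            # Uses the system resolver, the same path a client lookup takes.
            $addresses = @([System.Net.Dns]::GetHostAddresses($n))
        }
        catch {
            # Name did not resolve; leave $addresses empty.
        }
        [pscustomobject]@{
            Name      = $n
            Resolves  = $addresses.Count -gt 0
            Addresses = ($addresses | ForEach-Object { $_.IPAddressToString }) -join ', '
        }
    }
}

# Suffix taken from the article's example; on a domain-joined machine
# $env:USERDNSDOMAIN can be passed instead.
$candidates = Get-WpadCandidate -DnsSuffix 'west.corp.contoso.com'
Test-WpadName -Name $candidates | Format-Table -AutoSize
```

A name in this list that resolves to a host you do not operate is worth investigating, since clients with automatic detection enabled will fetch wpad.dat from it.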

We have demonstrated that there is potential overhead associated with the detection method, and if you don’t have a WPAD solution, there is no reason to have this option enabled. Disabling this option can reduce network traffic as well as initial page load times for Internet Explorer. When we disable this option, IE will attempt to connect immediately.