Announcement

Collapse
No announcement yet.

security zones and content ratings policy update problem in IE7 workstation?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • security zones and content ratings policy update problem in IE7 workstation?

    Why this policy definition don't update in IE7 workstation?

    Default domain policy/User Configuration/Windows settings/Internet
    explorer maintance/security/security zones and content ratings
    - Here i make changes in "import the current content ratings" and modify settings.
    - add disapproved www-page address.


    Now policy update works on IE6 workstation fine but not IE7 workstation. I try also command
    gpupdate /force .


    What is wrong in Internet Explorer 7 browser?

  • #2
    Re: security zones and content ratings policy update problem in IE7 workstation?

    You will need the adm files for IE 7 they can be found here:

    http://www.microsoft.com/downloads/d...displaylang=en
    Technology is only as good as those who use it

    My tech blog - wiredtek.wordpress.com

    Comment


    • #3
      Re: security zones and content ratings policy update problem in IE7 workstation?

      I install that adm file but it not helped.

      Only way how i managed transfer security zones and content ratings settings to workstation is export server registry branch

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\Ratings

      and import it to workstation

      Comment


      • #4
        Re: security zones and content ratings policy update problem in IE7 workstation?

        Originally posted by JTyranki View Post

        Only way how i managed transfer security zones and content ratings settings to workstation is export server registry branch
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\Ratings
        Check in the GPOs linked to the computer's ou: computer configuration\administrative templates\Windows components\Internet Explorer
        the "Security sone:.." configurations (specialy the "Security zone:use only machine settings").
        http://www.ie7triage.com/IE7GPO.ASP

        If you configure the "User configuration", the entries will be added to the same path under the HKEY_CURRENT_USER sector!
        Now, you added the entries manualy to the key under HKEY_LOCAL_MACHINE (=Computer configuration).
        If a same policy entry exist under the same key in both sections HKCU and HKLM, one off them will override the other. Which one take the control depents, but in this case , I know that with zone security configurations - by default the entry in the HKCU section will win. <- Unless ! an entry "Security_HKLM_only" DWORD value is present and has a value of 1 in;
        HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win dows\CurrentVersion\Internet Settings.
        http://support.microsoft.com/kb/182569

        For youre case, something like this could be an possible explanation (?) why the GPO didn't work for the users.
        You can confirm this by checking on one of the clients in HKCU for the presence of your configuration settings, and check the HKLM for the presence of "Security_HKLM_only".


        \Rems
        Last edited by Rems; 22nd January 2008, 21:15.

        This posting is provided "AS IS" with no warranties, and confers no rights.

        __________________

        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts

        Comment


        • #5
          Re: security zones and content ratings policy update problem in IE7 workstation?

          Still not working

          how that policy settings replicate in workstation? I found under server sysvol folder file ratings.inf. That file contains all registery settings which is made by security zones and content ratings. Also this file replicates it self on workstation in this location

          C:\Documents and Settings\jtyranki\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0

          if choose install file, registery settings copied and content rating works fine.

          Comment


          • #6
            Re: security zones and content ratings policy update problem in IE7 workstation?

            that is interesting! thanks for the feedback.

            Found this article;
            Originally posted by : <[url]http://technet2.microsoft.com/windowsserver/en/library/2904be16-6bc3-4dfa-b884-dd4b6c6b99941033.mspx?mfr=true[/url]>

            Internet Explorer Maintenance Extension Processes and Interactions
            • Applying GPO Settings to a Client Computer


            The Internet Explorer Maintenance Extension uses the Internet Explorer Administration Kit (IEAK) infrastructure for both storage of settings and application to the client system.
            When Group Policy is applied, Client-Side Extensions process the GPO.
            Internet Explorer Maintenance settings are handled by the Internet Explorer branding DLL ( iedkcs32.dll ).

            The Group Policy Client-Side Extensions (CSE) invokes iedkcs32.dll, and two things happen:
            1. The Group Policy CSE copies all IEAK settings files created using Internet Explorer Maintenance, listed in the previous Physical Structure Components table, to the following locations:
              • Documents and Settings\<<username>>\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\
                - And -
              • Documents and Settings\<<username>>\Application Data\Microsoft\Network\Connections\pbk\Rasphone.pb k (for connection settings)

              Note that the policy’s directory structure shown in the previous Physical Structure Components table is not replicated.

            2. The Branding DLL then applies the settings from the downloaded files to the registry on the client system.
              There are four possible locations for the registry settings:
              • HKLM\Software\Policies (preferred)
              • HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies
              • HKCU\Software\Policies (preferred)
              • HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies

              These locations have security permissions that a standard user cannot modify in order to change applied policy settings.
              These keys are created the first time a GPO configures them.

            On one of the clients - check the Branding log;
            "%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\Brndlog.txt"
            See if there are any problems with branding process?

            \Rems

            This posting is provided "AS IS" with no warranties, and confers no rights.

            __________________

            ** Remember to give credit where credit's due **
            and leave Reputation Points for meaningful posts

            Comment


            • #7
              Re: security zones and content ratings policy update problem in IE7 workstation?

              Here is one brndlog file

              01/28/2008 08:05:53 COM initialized on a second attempt with S_FALSE success code!

              01/28/2008 08:05:53 Processing Group Policy...
              01/28/2008 08:05:53 Starting Internet Explorer group policy processing part 1 (copying files) ...
              01/28/2008 08:05:54 Done.

              01/28/2008 08:05:56 Clearing policies set by a previous list of GPOs...
              01/28/2008 08:05:56 Done.

              01/28/2008 08:05:56 Starting Internet Explorer group policy processing part 2 ...

              01/28/2008 08:05:56 Branding Internet Explorer...
              01/28/2008 08:05:56 Command line is "BrandInternetExplorer /mode:gp /ins:"C:\Documents and Settings\aapee\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\INSTALL.INS" /flags:eriu=1,favo=1,qlo=1,chl=1,chlb=1".

              01/28/2008 08:05:56 Global branding settings are:
              01/28/2008 08:05:56 Context is (0x00800200) "Group Policy";
              01/28/2008 08:05:56 Settings file is "C:\Documents and Settings\aapee\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\INSTALL.INS";
              01/28/2008 08:05:56 Target folder path is "C:\Documents and Settings\aapee\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0".
              01/28/2008 08:05:56 Done.

              01/28/2008 08:05:56 About to clear previous branding...
              01/28/2008 08:05:56 Done.

              01/28/2008 08:05:56 Processing migration of old settings...
              01/28/2008 08:05:56 Done.

              01/28/2008 08:05:56 Processing wininet setup...
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing deletion of connection settings...
              01/28/2008 08:06:03 Existing connection settings weren't specified to be deleted!
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing zones HKCU settings...
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing local machine policies and restrictions...
              01/28/2008 08:06:03 GP context. Not processing the HKLM sections.!
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing current user policies and restrictions...
              01/28/2008 08:06:03 There are no current user *.inf files to process!
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing legacy policies and restrictions...
              01/28/2008 08:06:03 There are no legacy *.inf files to process!
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing general customizations...
              01/28/2008 08:06:03 Browser title is set to "Microsoft Internet Explorer provided by Stymoflex Oy".
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing Help->About customization...
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing browser toolbar buttons...
              01/28/2008 08:06:03 There are no toolbar buttons to process!
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing root certificates...
              01/28/2008 08:06:03 This feature is for ISPs only!
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing default favorites and/or quick links...
              01/28/2008 08:06:03 There are no favorites to add!
              01/28/2008 08:06:03 There are no quick links to add!
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing deletion of favorites and/or quick links...
              01/28/2008 08:06:03 None of the favorites folders were specified to be deleted!
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing favorites...
              01/28/2008 08:06:03 There are no favorites to add!
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing ordering of favorites...
              01/28/2008 08:06:03 Favorites will be put into the default position!
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing quick links...
              01/28/2008 08:06:03 There are no quick links to add!
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing ordering of quick links...
              01/28/2008 08:06:03 Quick Links will be put into the default position!
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing connection settings...

              01/28/2008 08:06:03 Settings from the *.ins file will be applied to LAN connection!

              01/28/2008 08:06:03 Processing autoconfig settings from the ins file...
              01/28/2008 08:06:03 "Flags" is set to 0x1.
              01/28/2008 08:06:03 "Autoconfig URL" is set to "".
              01/28/2008 08:06:03 "Autoproxy URL" is set to "".
              01/28/2008 08:06:03 "Autoconfig reload delay" is set to 0 minutes.
              01/28/2008 08:06:03 Done.

              01/28/2008 08:06:03 Processing proxy settings from the ins file...
              01/28/2008 08:06:03 "Flags" is set to 0x1.
              01/28/2008 08:06:03 "ProxyServer" is set to "127.0.0.1:80".
              01/28/2008 08:06:03 "ProxyBypass" is set to "<local>".
              01/28/2008 08:06:03 Done.
              01/28/2008 08:06:04 Notified ICW that connection to the Internet is configured.
              01/28/2008 08:06:04 Done.

              01/28/2008 08:06:04 Processing TrustedPublisherLockdown restriction...
              01/28/2008 08:06:04 This restriction is not set!
              01/28/2008 08:06:04 Done.

              01/28/2008 08:06:04 Registering download URLs as safe for updating IE...
              01/28/2008 08:06:04 Done.

              01/28/2008 08:06:04 Deleting links...
              01/28/2008 08:06:04 No links to delete!
              01/28/2008 08:06:04 Done.

              01/28/2008 08:06:04 Creating feeds...
              01/28/2008 08:06:04 Done.

              01/28/2008 08:06:04 Creating start pages...
              01/28/2008 08:06:04 There are no start pages to add!
              01/28/2008 08:06:04 Done.

              01/28/2008 08:06:04 Creating search providers...
              01/28/2008 08:06:04 There are no search providers to add!
              01/28/2008 08:06:04 Done.

              01/28/2008 08:06:04 Processing active desktop customizations...
              01/28/2008 08:06:04 No desktop customizations to process!
              01/28/2008 08:06:04 Done.

              01/28/2008 08:06:04 Processing channels and their categories (if any)...
              01/28/2008 08:06:04 There are no channels to process!
              01/28/2008 08:06:04 Done.

              01/28/2008 08:06:04 Processing software update channels...
              01/28/2008 08:06:04 There are no software update channels to add!
              01/28/2008 08:06:04 Done.

              01/28/2008 08:06:04 Actual processing of channels by calling webcheck.dll "DllInstall" API...
              01/28/2008 08:06:04 There is no webcheck processing necessary!
              01/28/2008 08:06:04 Done.

              01/28/2008 08:06:04 Showing channel bar on the desktop...
              01/28/2008 08:06:04 Done.

              01/28/2008 08:06:04 Processing subscriptions...
              01/28/2008 08:06:04 There are no subscriptions to process!
              01/28/2008 08:06:04 Done.

              01/28/2008 08:06:04 Refreshing browser settings...
              01/28/2008 08:06:04 Broadcasting "Windows settings change" to all top level windows...
              01/28/2008 08:06:07 Done.
              01/28/2008 08:06:07 Done.
              01/28/2008 08:06:07 There are no current user *.inf files to process!
              01/28/2008 08:06:07 Favorites will be put into the default position!
              01/28/2008 08:06:07 Quick Links will be put into the default position!
              01/28/2008 08:06:07 There are no channels to process!
              01/28/2008 08:06:07 Done processing group policy.


              One line is intresting "Not processing the HKLM sections.!" Is that reason why policy not replicated?

              Comment


              • #8
                Re: security zones and content ratings policy update problem in IE7 workstation?

                The GPO worked for IE6.0 clients you said. Is the policy added to HKLM or the HKCU?

                Just a thought;

                After the upgrade from IE6 to IE7, have you tried re-configure the policy?

                test the folowing with a test GPO;
                1. Edit the Group Policy object from a computer with IE7 and,
                  on which "content ratings" is active and already configured.
                2. From this computer, do the "import the current content ratings" for the policy

                This procedure ensures that the correct registry keys and entry names for IE7 will be copied, and the correct flags are added for INSTALL.INS file.
                Create a test OU and add a test User account to it (for 'just-in-case' you can also add a testing computer to this OU)
                Check whether this test GPO apllied succesfully to the client (Assuming that this IE user configuration policy will overwrite the same policy set in the default domain policy?).

                \Rems

                This posting is provided "AS IS" with no warranties, and confers no rights.

                __________________

                ** Remember to give credit where credit's due **
                and leave Reputation Points for meaningful posts

                Comment


                • #9
                  Re: security zones and content ratings policy update problem in IE7 workstation?

                  IE6 client add policy same place that IE7 in HKLM section

                  IE6 clients brndlog.txt file is however little bit different


                  01/30/2008 08:49:38 Processing local machine policies and restrictions...
                  01/30/2008 08:49:38 "ratings.inf" processed successfully.
                  01/30/2008 08:49:38 Done.

                  and same part in IE7 file is

                  01/30/2008 07:47:41 Processing local machine policies and restrictions...
                  01/30/2008 07:47:41 GP context. Not processing the HKLM sections.!
                  01/30/2008 07:47:41 Done.

                  I think this is reason why IE7 client does not add policy settings what i'm trying to use.

                  Comment


                  • #10
                    Re: security zones and content ratings policy update problem in IE7 workstation?

                    Check the INSTALL.INS file for both clients.
                    And also compare the flags in this line of the brndlog.txt ;
                    Command line is "BrandInternetExplorer /mode:gp /ins:"C:\Documents and Settings\aapee\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\INSTALL.INS" /flags:eriu=1,favo=1,qlo=1,chl=1,chlb=1".

                    "IE6 client add policy same place that IE7 in HKLM section" <- is that for both in the HKCU or in HKLM? EDIT - sorry, I didn't read to well. Can you confirm however that no similar entries exist in the HKCU part on one of the IE7 clients.

                    \Rems
                    Last edited by Rems; 1st February 2008, 10:32.

                    This posting is provided "AS IS" with no warranties, and confers no rights.

                    __________________

                    ** Remember to give credit where credit's due **
                    and leave Reputation Points for meaningful posts

                    Comment


                    • #11
                      Re: security zones and content ratings policy update problem in IE7 workstation?

                      Hello,

                      I am a French man, i understand a litle english, but i have a very bad english spoken, so sorry,.

                      I have the same problem like you.
                      I didn't use parameters in IE6, but i try to use parameters IE7 with Active Directory (IEAK).
                      I have the same result in the brndlog.txt file:
                      Processing local machine policies and restrictions...
                      GP context. Not processing the HKLM sections.!
                      and IE7 is not modify at the connection.

                      If i execute directely the ratings.inf in my profil, it ok, the keys are modified and IE7 parameters are modifed.

                      Have you get a solution ? thank you very much for help.

                      Comment

                      Working...
                      X