
How to change Security Options of the published Internet Explorer
Article ID: 123603
Created On: Jan 13, 2016
Last Review: Jan 14, 2016
APPLIES TO:

 Parallels Remote Application Server

Symptoms
 How to change Security Options of the published Internet Explorer
 Unable to authenticate on web sites using published Internet Explorer.

Cause
 By default, Windows applies Internet Explorer restrictions to users who have never logged in to the Terminal Server directly.
 Internet Explorer cookies are not enabled in an RDP session for users who have never logged in to the Terminal Server directly.

Resolution
Log in to the Terminal Server with the user's credentials locally or via RDP (Desktop mode). If it is
not possible to log in to the Terminal Server, or many different users need to be logged in, you may
follow the article below to deploy Internet Explorer options via GPO:

How to configure Group Policy Preference settings for Internet Explorer 11 in Windows 8.1 or
Windows Server 2012 R2

Alternative Resolution
1. Identify exactly which security option prevents Internet Explorer from working correctly.
2. Determine which Internet Explorer zone the user is in (you can publish Internet Explorer
> open it via RAS RDP Client > go to Settings > Internet Options > Security).
3. Use the following Microsoft article to deploy the required registry settings for the user.
For example, to make cookies work in an Internet Explorer session you may deploy a GPO under:

User Configuration > Preferences > Windows Settings > Registry

with the following keys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\PrivacyAdvanced = 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\1A02 = 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\1A03 = 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\1A05 = 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\1A06 = 0

The security zone settings for Internet Explorer are located at:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

AND

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

The values that are located in both keys are additive. If a Web site is added to both keys, only the
HKCU sites can be seen in the GUI, but both settings are enforced.
If you only want machine-based settings to be enforced, copy and paste the following into a
HKLM_Only.reg file and merge it with the computer's registry:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"Security_HKLM_only"=dword:00000001

The sub-keys of the Internet Settings key, for both HKLM and HKCU paths, are:

TemplatePolicies
ZoneMap
Zones

The Zones sub-key contains a sub-key for each zone defined. The defaults are:

Key Meaning
0 My Computer, NOT available in the Zone box of the Security tab.
1 Local Intranet Zone.
2 Trusted sites Zone.
3 Internet Zone.
4 Restricted Sites Zone

These sub-keys contain the following Value Names:

Value Name        Data Type  Meaning
Description       REG_SZ     Displayed when you select a Zone in the Zone box of the GUI.
DisplayName       REG_SZ     Displayed when you select a Zone in the Zone box of the GUI.
Icon              REG_SZ     The icon that is displayed.
CurrentLevel      REG_DWORD  The current Security setting.
MinLevel          REG_DWORD  The lowest Security level allowed before a warning is issued.
RecommendedLevel  REG_DWORD  The recommended Security level.
Flags             REG_DWORD  Controls the user's ability to modify the Security settings.

The data values for the CurrentLevel, MinLevel, and RecommendedLevel Value Names are:

Data value Meaning


0x00010000 Low Security.
0x00011000 Medium Security.
0x00012000 High Security.

The data values for the Flags value Name are additive:

Data value Meaning


1 Allow changes to custom settings.
2 Allow users to add Web sites to this zone.
4 Require HTTPS Web sites.
8 Include Web sites that bypass the proxy server.
16 Include Web sites not listed in other zones.
32 Do NOT show security zone in Internet Properties.
64 Show the Requires Server Verification dialog.
128 UNCs are treated as Intranet connections.

NOTE: The My Computer zone does NOT contain the CurrentLevel, MinLevel, and
RecommendedLevel Value Names.

The following Value Names are all REG_DWORD data types. Their data values are:

Data value Meaning


0 This action is allowed.
1 This action will generate a prompt.
3 This action is prohibited.

Value Name Setting
1001 Download signed ActiveX controls
1004 Download unsigned ActiveX controls
1200 Run ActiveX controls and plug-ins
1201 Initialize and script ActiveX controls not marked as safe
1206 Allow scripting of Internet Explorer Webbrowser control
1400 Active scripting
1402 Scripting of Java applets
1405 Script ActiveX controls marked as safe for scripting
1406 Access data sources across domains
1407 Allow paste operations via script
1601 Submit non-encrypted form data
1604 Font download
1605 Run Java
1606 Userdata persistence
1607 Navigate sub-frames across different domains
1608 Allow META REFRESH *
1609 Display mixed content *
1800 Installation of desktop items
1802 Drag and drop or copy and paste files
1803 File Download
1804 Launching programs and files in an IFRAME
1805 Launching programs and files in webview
1806 Launching applications and unsafe files
1807 Reserved **
1808 Reserved **
1809 Use Pop-up Blocker **
1A00 Logon
1A02 Allow persistent cookies that are stored on your computer
1A03 Allow per-session cookies (not stored)
1A04 Don't prompt for client certificate selection when no certificates or only one certificate exists *
1A05 Allow 3rd party persistent cookies *
1A06 Allow 3rd party session cookies *
1A10 Privacy Settings *
1C00 Java permissions
1E05 Software channel permissions
1F00 Reserved **
2000 Binary and script behaviors
2001 Run .NET components signed with Authenticode
2004 Run .NET components not signed with Authenticode
2100 Open files based on content, not file extension **
2101 Web sites in less privileged web content zone can navigate into this zone **
2102 Allow script initiated windows without size or position constraints **
2200 Automatic prompting for file downloads **
2201 Automatic prompting for ActiveX controls **
2300 Allow web pages to use restricted protocols for active content **
{AEBA21FA-782A-4A90-978D-B72164C80120} First Party Cookie *
{A8A88C49-5EB2-4990-A1A2-0876022C854F} Third Party Cookie *

* indicates an Internet Explorer 6 or later setting
** indicates a Windows XP Service Pack 2 or later setting

The 1A00 Value Name, a REG_DWORD data type, has the following possible data values:

Decimal Data value Meaning
0 Automatically logon with current username and password.
65536 Prompt for user name and password.
131072 Automatic logon only in the Intranet zone.
196608 Anonymous logon.

The 1C00 Value Name, a REG_DWORD data type, has the following possible JAVA data
values:

Decimal Data value Meaning


0 Disable Java.
65536 High safety.
131072 Medium safety.
196608 Low safety.
8388608 Custom.

The 1E05 Value Name, a REG_DWORD data type, specifies software channel permissions.

The TemplatePolicies sub-key of the Internet Settings key has the default security zone
settings. The Low, Medium, and High sub-keys contain Value Names that represent the Zones'
default values.

The ZoneMap sub-key of the Internet Settings key has the following sub-keys:

Domains - Contains domains and protocols that have been added. Each added domain is a sub-key
of Domains. Sub-domains are sub-keys of the domain that they belong to. Each domain
has a protocol Value Name (ftp, http, https, etc.) whose data value is the numerical value of the
security zone (0x00012000 is High Security) to which it is added.

The ProtocolDefaults sub-key of the Internet Settings key defines the default security zone for
a given protocol, by adding a Value Name (file, ftp, http, https, etc.), with NO colons (:) or
slashes (/). These REG_DWORD data types have the following possible data values:

Key Meaning
0 My Computer, NOT available in the Zone box of the Security tab.
1 Local Intranet Zone.
2 Trusted sites Zone.
3 Internet Zone.
4 Restricted Sites Zone

The Ranges sub-key of the Internet Settings key contains arbitrary sub-keys that define
ranges of TCP/IP addresses. The :Ranges Value Name of these arbitrary sub-keys, a REG_SZ
data type, contains the range affected (192.168.0.*). A * Value Name, a REG_DWORD data
type, contains the security zone that the range falls within (0x1 is Local Intranet).
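
Before relaxing a zone through GPO, it helps to see what a user's zone sub-key currently permits. The following is an added example, not part of the original article or of Parallels' or Microsoft's tooling: it parses a .reg export of a Zones sub-key and decodes CurrentLevel, the additive Flags value and the per-action values using the tables above. The sample export, the Zones\3 key path built from those tables, and the WATCH list of actions to review are assumptions made for illustration.

```python
import re

# Lookup tables copied from the value lists on this page.
LEVELS = {0x10000: "Low", 0x11000: "Medium", 0x12000: "High"}
FLAGS = {1: "allow changes to custom settings", 2: "users may add sites",
         4: "require HTTPS", 8: "include sites that bypass the proxy",
         16: "include sites not listed in other zones",
         32: "zone hidden in Internet Properties",
         64: "show Requires Server Verification dialog", 128: "UNCs as Intranet"}
ACTIONS = {0: "allowed", 1: "prompt", 3: "prohibited"}
# Assumption: illustrative watchlist of actions to review when set to "allowed".
WATCH = {"1004": "Download unsigned ActiveX controls",
         "1201": "Initialize and script ActiveX controls not marked as safe",
         "1806": "Launching applications and unsafe files"}

# Constructed sample export of the Internet zone (not from a real host).
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00011000
"Flags"=dword:00000021
"1004"=dword:00000000
"1803"=dword:00000003
"1A00"=dword:00000000
"""

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (
                m := re.fullmatch(r'"([^"]+)"=dword:([0-9A-Fa-f]{8})', line)):
            current[m.group(1)] = int(m.group(2), 16)
    return keys

def decode_zone(values):
    """Translate one zone sub-key into readable settings and review findings."""
    flags = values.get("Flags", 0)
    actions = {n: ACTIONS.get(v, hex(v)) for n, v in values.items()
               if re.fullmatch(r"[12][0-9A-F]{3}", n) and n not in ("1A00", "1C00")}
    findings = [f"{n} ({WATCH[n]}) is allowed"
                for n, s in actions.items() if n in WATCH and s == "allowed"]
    if values.get("1A00") == 0:  # 0 = automatic logon with current credentials
        findings.append("1A00 is automatic logon with current username and password")
    return {"level": LEVELS.get(values.get("CurrentLevel"), "custom/unknown"),
            "flags": [d for bit, d in FLAGS.items() if flags & bit],
            "actions": actions, "findings": findings}
```

Run decode_zone over each key returned by parse_reg; exporting the same sub-key from both HKCU and HKLM shows both sets of values, which matters because the article notes that the two are additive.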
