Parallel Registry Internet Explorer Registry (DC - GPO)
Symptoms
How to change Security Options of the published Internet Explorer
Unable to authenticate on web sites using published Internet Explorer.
Cause
By default, Windows applies Internet Explorer restrictions to users who have never
logged in to the Terminal Server directly.
Internet Explorer cookies are not enabled in an RDP session for users who have never
logged in to the Terminal Server directly.
Resolution
Log in to the Terminal Server with the user's credentials, locally or via RDP (Desktop mode). If
it is not possible to log in to the Terminal Server, or many different users need to be logged in,
you may follow the article below to deploy Internet Explorer options via GPO:
How to configure Group Policy Preference settings for Internet Explorer 11 in Windows 8.1 or
Windows Server 2012 R2
Alternative Resolution
1. Identify exactly which security option prevents Internet Explorer from working correctly.
2. Determine which Internet Explorer zone the user is in (you can publish Internet Explorer
> open it via RAS RDP Client > go to Settings > Internet Options > Security).
3. Use the following Microsoft article to deploy the required registry settings for the user.
For example, to make cookies work in an Internet Explorer session you may deploy this GPO:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\PrivacyAdvanced = 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\1A02 = 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\1A03 = 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\1A05 = 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\1A06 = 0
The security zone settings for Internet Explorer are located at:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
AND
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
The values located in both keys are additive. If a Web site is added to both keys, only the
HKCU sites can be seen in the GUI, but both settings are enforced.
If you want only machine-based settings to be enforced, copy and paste the following into a
HKLM_Only.reg file and merge it with the computer's registry:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"Security_HKLM_only"=dword:00000001
The sub-keys of the Internet Settings key, for both HKLM and HKCU paths, are:
TemplatePolicies
ZoneMap
Zones
The Zones sub-key contains a sub-key for each zone defined. The defaults are:
Key  Meaning
0    My Computer, NOT available in the Zone box of the Security tab.
1    Local Intranet Zone.
2    Trusted sites Zone.
3    Internet Zone.
4    Restricted Sites Zone.
The data values for the CurrentLevel, MinLevel, and RecommendedLevel Value Names are:
The data values for the Flags value Name are additive:
NOTE: The My Computer zone does NOT contain the CurrentLevel, MinLevel, and
RecommendedLevel Value Names.
The following Value Names are all REG_DWORD data types. Their data values are:
1F00 Reserved **
The 1C00 Value Name, a REG_DWORD data type, has the following possible JAVA data
values:
The 1E05 Value Name, a REG_DWORD data type, specifies software channel permissions.
The TemplatePolicies sub-key of the Internet Settings key has the default security zone
settings. The Low, Medium, and High sub-keys contain Value Names that represent the zones'
default values.
The ZoneMap sub-key of the Internet Settings key has the following sub-keys:
Domains - Contains domains and protocols that have been added. Each added domain is a sub-key
of Domains. Sub-domains are sub-keys of the domain that they belong to. Each domain
has a protocol Value Name (ftp, http, https, etc.) whose data value is the numerical value of the
security zone (0x00012000 is High Security) to which it is added.
The ProtocolDefaults sub-key of the Internet Settings key defines the default security zone for
a given protocol, by adding a Value Name (file, ftp, http, https, etc.), with NO colons (:) or
slashes (/). These REG_DWORD data types have the following possible data values:
Key  Meaning
0    My Computer, NOT available in the Zone box of the Security tab.
1    Local Intranet Zone.
2    Trusted sites Zone.
3    Internet Zone.
4    Restricted Sites Zone.
The Ranges sub-key of the Internet Settings key contains arbitrary sub-keys that define
ranges of TCP/IP addresses. The :Ranges Value Name of these arbitrary sub-keys, a REG_SZ
data type, contains the range affected (192.168.0.*). A * Value Name, a REG_DWORD data
type, contains the security zone that the range falls within (0x1 is Local Intranet).
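The ZoneMap Domains layout and the HKCU/HKLM behaviour described above can be audited offline from a registry export. The Python below is an added example, not part of the original article: it parses a REGEDIT4-style export, rebuilds each host name from its domain and sub-domain keys, and marks the HKLM mappings that are enforced but not shown in the GUI. The function names and the sample export are constructed for illustration.

```python
import re

# Zone numbers as given in the zone table on this page.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample export in REGEDIT4 format; hosts and values are made up.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com]
"https"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org\portal]
"http"=dword:00000001
"https"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"http"=dword:00000004
"""

KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\.*\\Internet Settings\\ZoneMap\\Domains\\(.+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)

def parse_zone_map(reg_text):
    """Return one dict per protocol-to-zone mapping found under ZoneMap Domains."""
    rows, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # Sub-domains are sub-keys of their domain: example.org\portal -> portal.example.org
            host = ".".join(reversed(key.group(2).split("\\")))
            current = (key.group(1).upper(), host)
        elif line.startswith("["):
            current = None  # some other key; ignore its values
        elif current and (val := VAL_RE.match(line)):
            zone = int(val.group(2), 16)
            rows.append({"hive": current[0], "host": current[1],
                         "protocol": val.group(1), "zone": zone,
                         "zone_name": ZONES.get(zone, "unknown"),
                         # Per the page, only HKCU sites are shown in the GUI.
                         "gui_visible": current[0] == "HKEY_CURRENT_USER"})
    return rows

def hidden_from_gui(rows):
    """Mappings that are enforced but not listed in the Security tab (HKLM)."""
    return [r for r in rows if not r["gui_visible"]]

if __name__ == "__main__":
    for r in parse_zone_map(SAMPLE_REG):
        note = "" if r["gui_visible"] else "  (not shown in GUI)"
        print(f'{r["hive"]}  {r["protocol"]}://{r["host"]} -> {r["zone_name"]}{note}')
```

Run it against an export of both hives to see which site-to-zone assignments a user cannot see in Internet Options.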