XPe SP2 IE Security

  • #179
    Anonymous

    Hi TT + Everyone,

    We are in the final stages of testing the new XPe SP2 Image for Wyse 9450’s before rolling it out and have come across a strange problem.

    In Internet Explorer, if a user tries to save a video file (.avi) from a website by right clicking and choosing “Save Target As…”, Internet Explorer pops up a message saying “Your current security settings do not allow this file to be downloaded”.

    This issue seems to occur for both Domain Admins and normal Users and doesn’t seem to be resolved when resetting IE security permissions to ‘Low’ (we haven’t modified them anyway, but just in case I thought I’d try resetting them to see if it made a difference).

    Is this a “feature” of the new Wyse XPe SP2 build that is being enforced somewhere, or is it just a new feature of XPe SP2 when you put it on a domain (we don’t have the issue with XPe SP1 terminals that are on the domain)?

    Cheers

    #8795
    Anonymous

    Just to add to this – it seems that a local user (i.e. non-admin) and a local admin can successfully download the file without error!!

    Normally I’d think that is a definite pointer to a domain policy that is being applied – but there aren’t any policies that “secure” Internet Explorer. I think I’ll make up a quick test domain and stick the terminal in that domain just to completely rule out group policies in our production domain.

    #8796
    Anonymous

    Good News!!! It seems there is a little surprise MS have hidden within XP Embedded SP2 (which would explain it as I couldn’t work out why we hadn’t seen this behaviour before!).

    Here’s what I’ve found –

    Symptoms:

    1. Local Users/Admins can right click -> Save Target As with no problems
    2. Occasionally (depending on whether you block the Default Domain Policy from applying or not) Domain Users/Admins can right click -> Save Target As; however, most of the time, as soon as you do that you get a big fat “Your current security settings do not allow this file to be downloaded” alert and the dialog bombs out.

    After some Google searching I came up with this link from MS about Internet Explorer Zone Registry Entries – http://support.microsoft.com/default.aspx?scid=182569

    This thread from an MS Newsgroup has the solution and some chat about it – http://groups.google.com/group/microsoft.public.windowsxp.embedded/browse_thread/thread/3f4e29a3412b5d5f/c5d3d402e8cd713f

    Basically, in the following keys –

    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2

    You need to set “1807” to have a value of 0. It is set to 3 by default which causes IE to break.

    If you read that Microsoft article from the link above – they have the 1807 setting marked as “Reserved**”.

    Moral of the story – when Microsoft says something is “reserved” for future use, chances are they are using it 🙂

    #8797
    thinkthin

    Hi,

    Great information, thanks for posting this up!!!

    Have a look at the Rapport package here:

    http://www.freewysemonkeys.com/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=55&ttitle=DownloadICAfileFix

    You could use this as it automates the fix you suggested.

    Nice one! 🙂

    #10688
    bnoggle

    Just wanted to say what a big help this site has been. Have been searching the forum for several days. I am currently evaluating an S90 for our environment and ran into this problem and was able to fix it with the above registry edit. We are using Citrix web interface. Is there any way to force this change to all users (domain and local)?

    #10690
    thinkthin

    Hi,

    If you have devices joined to the domain, make sure you build the image with the Rapport script change to the HKLM section of the registry. Each user will also need the setting; however, you could put this in the default terminal profile or login script.

    If you are on the domain (which, if you read my posts, I am not a huge fan of), make sure you Google this site for some of the other settings you need to make and issues of domain membership.

    Thanks for your support of the site!

    Cheers,
    -TT

    #10712
    bnoggle

    Yeah, I wish I did not have to run in the domain but kind of stuck with that for the moment anyway. Hate to ask such a dumb question, but what would be the easiest way to force any user (domain or local) who logs in to get the above registry keys? When you said logon script, can it be done on the Wyse or does it have to be done on the domain?

    Also in the link for the ica file it said that future versions of sp2 would fix this issue. Are there any currently that do?

    Thank you

    #10715
    thinkthin

    Hi,

    Have a search in the forums for key word “domain” and there are lots of posts on these issues. Here is one quick way…

    – Create an image that blocks using the domain profile (the key for this is in the XP topics section). This means when a user logs in it uses the “Default User” profile on the terminal. Do this on a clean image BEFORE joining the domain.

    – Edit the default user profile with the registry key for the IE issues (load the hive with regedit)

    – Make any other changes to the Default User profile (wallpaper, icons etc.)

    – Pull the master image with WDM (make sure the write filter is on first)

    – Push the image out to the target terminals and then use the “join Domain” Rapport script to join the units to the domain after the image is pushed. This will make sure membership happens correctly and the security key change is disabled.

    Now, a user logs in and the default user profile is used. When a user logs out the profile will be deleted so you do not run out of space with lots of profiles.

    I hope this helps, MS technet has lots of info on creating profiles,

    Cheers,
    -TT
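
    The hive edit from the steps above, scripted with reg.exe instead of regedit, as an added example that is not part of the original post or the Rapport package. It assumes reg.exe is present in the XPe image, the stock Default User profile path, and a made-up mount name (TEMPHIVE).

```batch
@echo off
rem Added example, not from the thread or the Rapport package.
rem Assumptions: reg.exe is in the image, the script runs as a local admin,
rem and the profile lives at the stock XP path below. TEMPHIVE is a made-up
rem mount name. Run on the clean master image before it is pulled.
setlocal
set "HIVE=%SystemDrive%\Documents and Settings\Default User\NTUSER.DAT"
set "MOUNT=HKU\TEMPHIVE"
set "ZONES=%MOUNT%\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

rem Mount the Default User hive so new profiles inherit the change.
reg load "%MOUNT%" "%HIVE%" || (echo Could not load "%HIVE%" & exit /b 1)

rem Key list as given in the thread. Zones\1 is Local intranet and
rem Zones\2 is Trusted sites; Zones\3 (Internet) is left untouched.
set RC=0
call :set1807 "%ZONES%"
call :set1807 "%ZONES%\1"
call :set1807 "%ZONES%\2"

rem Always unload, even after a failure, or the hive stays locked.
reg unload "%MOUNT%" || set RC=1
if %RC%==0 (echo 1807 set to 0 in Default User hive) else (echo FAILED, check output above)
exit /b %RC%

:set1807
rem Show the old value for the change record, write 0, then read it back.
reg query %1 /v 1807 2>nul
reg add %1 /v 1807 /t REG_DWORD /d 0 /f || set RC=1
reg query %1 /v 1807 | find "0x0" >nul || set RC=1
goto :eof
```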

    #10717
    bnoggle

    Thank you, I will give that a try when I get back to work. Thanks for the info and time.

    #11175
    bnoggle

    Thinkthin… thank you for your help and for the site. That did fix the problem. 😀 😀 😀 Sorry for the delay on posting back; got stuck on several other projects until recently.

    #11176
    thinkthin

    Glad we could help!

    🙂
