Channel: We know IE!

How to configure Internet Explorer security zone sites using group policies


To configure Internet Explorer security zones sites using group policy, we have two options:

  1. Internet Explorer Maintenance policy
    1. Windows 8 with Internet Explorer 10 deprecates IEM in favor of a more robust tool called Group Policy Preferences.
  2. Site to Zone Assignment List (currently the preferred method; always use the Administrative Template over IE Maintenance)

Apart from these two options, we can also use the newly introduced Group Policy Preferences, but today we will only talk about the native group policies.

Internet Explorer Maintenance Policy:

 

Internet Explorer Maintenance Policy allows you to configure Internet Explorer group policy settings. It is a user-based policy, and it does not prevent the user from changing the setting on the client machine.

IE Maintenance policy can be applied in two ways: Preference mode and Policy mode.

    • Preference mode- All settings here will be applied once, and only once. It is only re-applied to a workstation if you modify the policy itself with new/updated settings.
    • Policy Mode - All settings are applied every time group policies are processed or updated on workstation.

Internet Explorer Maintenance policy is a user-based policy and is available under:

User Configuration>Windows Settings> Internet Explorer Maintenance>Security>Security Zone and Content Rating.

As you select the radio button “Import the current security zones and Privacy settings”, you will get a prompt:

Note:

If you import the security zone settings from a machine where Internet Explorer Enhanced Security is enabled, this IE Maintenance policy will apply on those machines where IE Enhanced Security is enabled.

If you want to apply security zone settings or sites to the client machines, import the security zone settings from a machine where IE Enhanced Security is disabled.

 

When IE Enhanced Security is enabled, IE reads the added sites from the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

And when we remove IE Enhanced Security, IE starts reading from the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

Then Click Continue and add sites to various zones:

Note:

Never edit the Internet Explorer Maintenance settings of a GPO on a machine running a different version of Internet Explorer than the one with which the GPO settings were originally created. This can cause issues within both the GPO and the target computer receiving the settings.

When we use the Internet Explorer Maintenance policy to add sites to various zones, users are still able to add their own sites on client machines. The sites applied through the IE Maintenance policy and the sites added manually by users are appended to one another.

To learn more about how IE Maintenance policy works, please refer to this article:

Site to Zone Assignment List:

This is another group policy which can be used to add sites to the various security zones.

The Site to Zone Assignment List policy setting associates sites to zones, using the following values for the Internet Security zones: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. If you set this policy setting to Enabled, you can enter a list of sites and their related zone numbers. The association of a site with a zone ensures that the security settings for the specified zone are applied to the site.

Site to Zone Assignment List policy setting is available for both Computer Configuration and User Configuration:

  • Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
  • User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

Note:

When the Site to Zone Assignment List GPO is configured, users will not be able to add their own sites to any zone. The options to add sites on the client machine will be greyed out.

Internet Explorer will read from the following registry keys for the sites deployed through the Site to Zone Assignment List:

  • HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
 
This blog has been provided to you by another one of our Support Engineers for Internet Explorer, Raza Abbas Rizvi.

Supportability of Customizing the Default User Profile from the IE Core Perspective


Hi Everybody! I would like to share information that was clarified through a case I worked. Recently the platforms team changed their support stance on the customization of the Default User Profile due to shell related problems with unexpected registry entries and missing file issues related to the customized profile.

As a result, several options we’ve used over the years to correct a variety of IE related issues due to first logon, or missing registry entries need to be slightly modified/clarified.

(e.g. Automatically detect settings, missing registry entries related to running IE without a shell, etc.)

DETAILS

From my discussion with the Platforms Directory Services team and through a thorough read through of the current knowledge base article on the topic, the only method that is NOT supported for the customizing of the Default User Profile is the actual file copy method used to replace the default profile with another user’s profile.

The good news is there is a method to customize the Default User profile that is supported and recommended for very targeted registry changes.

The current reigning article on the topic of Default Profile modification spends the majority of time discussing the image preparation method using Sysprep. In the article it talks about the reasons why the file copy method was deemed to be unsupported:

“Previously published procedures relied on a file copy mechanism. These procedures caused information to be left behind in the default user profile that caused the Windows shell to behave incorrectly. This led to problems with application compatibility and with the user experience. Therefore, do not advise customers to copy profiles over the default user profile. This method is no longer supported.”

How to configure default user settings for already deployed desktops

Implement the required new or changed settings as a logon script and configure it to run one time. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

  • 284193 How to run a logon script one time when a new user logs on

You can automate the procedure in Knowledge Base article 284193 by using the Reg.exe command. For an alternative solution, see the “Targeted changes to the Default User Registry hive and profile folders” section on the following Microsoft website:

C. Targeted changes to the Default User Registry hive and profile folders

I used to use this method before the automated profile copy existed. It can be useful when only a small number of targeted changes are required. It can be described as follows:

  • Identify the needed Registry changes. Then use a tool like Reg.exe or KiXtart to load the Default User hive into a temporary location into the Registry, write only the needed settings, and then unload the hive. The Knowledge Base article “How to run a logon script one time when a new user logs on” (http://support.microsoft.com/?id=284193) shows how to do this manually. This can be scripted for an unattended installation using Reg.exe as shown in this example (these lines may wrap due to page width):

:: ***** Configure Default User
:: *** Load Default User hive
reg load "hku\Test" "%USERPROFILE%\..\Default User\NTUSER.DAT"
:: *** Disable Desktop Cleanup
reg add "hku\Test\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz" /v NoRun /t REG_DWORD /d 1 /f
:: *** Unload Default User hive
reg unload "hku\Test"

  • Copy only needed files or shortcuts to the Default User profile folder.

This has the advantage that all changes to Default User are known and predictable. However, this requires that all changes be reduced to “scriptable” items (i.e. Registry or file system changes, no manual configuration).

To get this method to work properly on various service pack versions of Windows XP or Windows Server 2003 you have to disable the automated profile copy. In some cases you have to either install the hotfix from this KB article: http://support.microsoft.com/?kbid=887816 or set UpdateServerProfileDirectory=0 in Sysprep.inf. Which service packs versions have the automated profile copy enabled by default are documented in KB959753. In Windows Vista and higher the automated profile copy is disabled by default. You would then do the Default User hive registry edits before Sysprep runs.

This method can also be used to make changes to the Default User profile for machines that are already deployed in production.

You should exercise caution using this method. Try to keep all changes limited to only the individual Registry or file system changes needed for a particular desired result (e.g., a Windows or application setting). Do not do wholesale export and import of Registry keys or folder trees. This can potentially lead to the same problems as a manual profile copy. You can use a tool like Sysinternals Process Monitor to identify the individual changes. "

 

 

What this means for IE is going forward, when discussing the need to modify the Default User Profile, you must identify and import only the registry modifications necessary to achieve the solution.

This blog has been provided to you by another one of our Escalation Engineers for Internet Explorer, Aurthur Anderson.

Internet Explorer Maintenance brndlog.txt, what is it and how to use it when troubleshooting?


The brndlog.txt file shows how Internet Explorer was branded during user logon. The Brndlog.txt is the log file generated by the IE client-side extension iedkcs32.dll. This file contains branding information from IE Maintenance Policies and will be the most important item to gather during troubleshooting IE Maintenance Policies.

 

IMPORTANT: Windows 8 with Internet Explorer 10 deprecates IEM in favor of a more robust tool called Group Policy Preferences.

 

Where do I find the logfile?

The location of the logfile varies depending on the OS:

  • WinXP and Server 2003: %USERPROFILE%\Local Settings\Application Data\Microsoft\Internet Explorer
  • Vista and beyond: %USERPROFILE%\AppData\Local\Microsoft\Internet Explorer

 

When the branding itself is applied, information about the branding is stored in the logfile brndlog.txt, and the logfile of the previous branding is renamed to brndlog.bak.

 

Logfile-conversations:

When branding has been applied, the last brndlog.txt is renamed to brndlog.bak, and the new one is named brndlog.txt.

As branding can be applied multiple times, you can also set the following regkey so that brndlog.txt is not overwritten, which is especially useful when analyzing new profiles or GPOs where multiple processes are spawned:

 

For IE8:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\8.0]

(DWORD)"DebugAppendBrndLog"=1

 

For IE9:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\9.0]

(DWORD)"DebugAppendBrndLog"=1

Determine the Branding-method:

The Brndlog.txt file contains Internet Explorer maintenance policy branding information. It may also contain branding information from IEAK packages and manually created Install.ins files (usually used with Auto-configuration). The first step in reviewing a Brndlog.txt file is to confirm that the settings are coming from Group Policy.

Determine the method of Branding by looking for the /mode section after the Command Line.

Example of brndlog.txt from IEAK:

Branding Internet Explorer...

Command line is "/mode:corp /peruser".

Global branding settings are:

Context is (0x01A00002) "Corporations, running from per-user stub";

Settings file is "C:\Program Files\Internet Explorer\Custom\install.ins";

Target folder path is "C:\Program Files\Internet Explorer\Custom".

Done.

 

Example of brndlog.txt from Group Policy:

Branding Internet Explorer...

Command line is "BrandInternetExplorer /mode:gp /ins:"C:\Documents and Settings\test3\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\INSTALL.INS" /flags:eriu=1,favo=1,qlo=1,swu=1,sbs=1".

/mode:gp - indicates branding is coming from Group Policies.

/mode:corp /peruser - Indicates an IEAK brand is taking place.

 

Example of IEM in Preference Mode from Group Policy:

Global branding settings are:

Context is (0x02800200) "Group Policy, preference settings";

Target folder path is "C:\Documents and Settings\test3\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0

 

Example of IEM in Policy Mode from Group Policy:

Global branding settings are:

Context is (0x00800200) "Group Policy";

Settings file is "C:\Documents and Settings\test3\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\INSTALL.INS";

 

NOTE: Remember that Preference Mode settings are only applied ONCE - even if you execute gpupdate /force.

 

Common errors which might occur in brndlog.txt

Favorite is not created

05/11/2007 17:52:14      Preprocessing "Title31" title key...

05/11/2007 17:52:14      Preprocessing "URL31" URL key...

05/11/2007 17:52:14      Failed with E_NOTIMPL.

 

See the following KB

967728   You cannot deploy favorites with URLs that contain the % character: http://support.microsoft.com/default.aspx?scid=kb;EN-US;967728

IE-Branding needs 20 seconds to be executed

10/25/2007 10:36:37    Refreshing browser settings...

10/25/2007 10:36:37    Broadcasting "Windows settings change" to all top level windows...

10/25/2007 10:36:57  Done.

You will see the gap of 20 seconds between the line Broadcasting … and Done.

Typically the issue is solved by installing the following KB and setting its FeatureControl key:

 

There is also one exception in which this issue can occur but the fix does not solve it:

If IEM including a security import (seczones processing) was enabled for the user but has since been removed, the delay occurs one time, when the seczones are reset to default. In this case, brndlog.txt will contain the following lines:

12/14/2010 11:05:53        Processing reset of zones settings...

12/14/2010 11:05:53        "RegInstall" on "IEAKReg.HKCU" in "urlmon.dll" returned S_OK.

12/14/2010 11:05:53        Done.

12/14/2010 11:05:53        Done.

 

12/14/2010 11:05:53        Refreshing browser settings...

12/14/2010 11:05:53        Broadcasting "Windows settings change" to all top level windows...

12/14/2010 11:06:13        Done.

 

The fact that a security import was previously done is indicated by the following regkey:

[HKCU\Software\Microsoft\Ieak\BrandedFeatures]

(DWORD)"Zones.Hkcu"

Therefore, once you have removed the security zones import from IEM, it is a good idea to remove the key [HKCU\Software\Microsoft\Ieak\BrandedFeatures] from a mandatory profile in order to prevent the delay at every logon.

Security Settings are not applied

03/10/2010 15:30:50   Processing local machine policies and restrictions...

03/10/2010 15:30:50     ! processExtRegInfSectionHelper for section"ExtRegInf.Hklm".

03/10/2010 15:30:50     ! Key is  "SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}".

03/10/2010 15:30:50     Not Delaying executing C:\Documents and Settings\test\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\seczones.inf.

03/10/2010 15:30:50     ! Execution of section [IeakInstall.Hklm] in "seczones.inf" failed with E_ACCESSDENIED.

03/10/2010 15:30:50     ! Key is  "SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}".

03/10/2010 15:30:50     Machine is not hardened

03/10/2010 15:30:50   Done.

 

03/10/2010 15:30:50    Processing current user policies and restrictions...

03/10/2010 15:30:50     ! processExtRegInfSectionHelper for section"ExtRegInf.Hkcu".

03/10/2010 15:30:50     ! Key is  "SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}".

03/10/2010 15:30:50     Not Delaying executing C:\Documents and Settings\test\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\seczones.inf.

03/10/2010 15:30:50     ! Execution of section [IeakInstall.Hkcu] in "seczones.inf" failed with E_ACCESSDENIED.

03/10/2010 15:30:50     ! Key is  "SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}".

03/10/2010 15:30:50     Machine is not hardened

03/10/2010 15:30:50   Done.

 

In this sample, the policy Security Zones: Use only machine settings was enabled, but a normal user logged on. The normal user has no permissions to write into [HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings] and therefore the GPO cannot be applied and fails.

For these types of scenarios, we encourage customers to change from IEM to the policy templates (e.g. the Internet Zone Template and Site to Zone Assignment List), because the machine-based settings would also change if different users with different settings log on to the server.

Branding from IEAK-Profilemanager does not apply with IE8

05/20/2010 14:32:06 FCK not set to allow autoconfig branding, or Automatically Detect Settings is checked under LAN Settings

 

973529  Automatic configuration does not work in Internet Explorer 8 : http://support.microsoft.com/default.aspx?scid=kb;EN-US;973529

[ You need to set the FCK FEATURE_AUTOCONFIG_BRANDING ]

Branding from IEAK-package or IEAK-Profilemanager does not apply

Besides the FCK mentioned above, you may see these lines in brndlog.txt:

05/20/2010 14:44:00    Branding Internet Explorer...

05/20/2010 14:44:00    Command line is "/mode:autoconfig /ins:"C:\Documents and Settings\test\Temporary Internet Files\Content.IE5\EPM0UQFI\install[1].ins"".

05/20/2010 14:44:00    ! NoExternalBranding restriction is set. Branding will not be applied.

05/20/2010 14:44:00    Done.

 

This occurs if the policy Disable external branding of Internet Explorer has been enabled.
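
The checks described in this post (branding method, context, failed sections, the 20-second pause and the NoExternalBranding restriction) can be run over a log in one pass. The following is an added example, not code from the original post or from Microsoft; the function names and SAMPLE_LOG are assumptions, and the sample lines are constructed to follow the line shapes quoted above.

```javascript
// Added example: triage of brndlog.txt content. SAMPLE_LOG is constructed
// from line shapes quoted in this post; it is not a real capture.
const STAMPED = /^(\d{2})\/(\d{2})\/(\d{4})\s+(\d{2}):(\d{2}):(\d{2})\s+(.*)$/;

// Split one log line into { time (epoch seconds, or null if unstamped), text }.
function parseLine(line) {
  const m = STAMPED.exec(line.trim());
  if (!m) return { time: null, text: line.trim() };
  const [mo, d, y, h, mi, s] = m.slice(1, 7).map(Number);
  return { time: Date.UTC(y, mo - 1, d, h, mi, s) / 1000, text: m[7] };
}

function triageBrndlog(logText, gapSeconds = 10) {
  const report = { mode: null, context: null, failures: [], slowSteps: [],
                   externalBrandingBlocked: false };
  let prev = null; // last line that carried a timestamp
  for (const raw of logText.split(/\r?\n/)) {
    const entry = parseLine(raw);
    if (!entry.text) continue;

    // Branding method: /mode:gp, /mode:corp, /mode:autoconfig ...
    const mode = /^Command line is ".*?\/mode:(\w+)/.exec(entry.text);
    if (mode) report.mode = mode[1];

    // The context description separates policy mode from preference mode.
    const ctx = /^Context is \(0x[0-9A-Fa-f]+\) "([^"]+)"/.exec(entry.text);
    if (ctx) report.context = ctx[1];

    // Failure codes such as E_ACCESSDENIED or E_NOTIMPL.
    const fail = /failed with (E_[A-Z_]+)/i.exec(entry.text);
    if (fail) report.failures.push({ code: fail[1], line: entry.text.replace(/^!\s*/, "") });

    if (/NoExternalBranding restriction is set/.test(entry.text)) {
      report.externalBrandingBlocked = true;
    }

    // A long pause between two consecutive stamped lines, e.g. the wait
    // after the "Windows settings change" broadcast.
    if (prev && entry.time !== null && entry.time - prev.time >= gapSeconds) {
      report.slowSteps.push({ after: prev.text, seconds: entry.time - prev.time });
    }
    if (entry.time !== null) prev = entry;
  }
  return report;
}

// Constructed sample (the INSTALL.INS path is a placeholder).
const SAMPLE_LOG = [
  '03/10/2010 15:30:49   Branding Internet Explorer...',
  '03/10/2010 15:30:49   Command line is "BrandInternetExplorer /mode:gp /ins:"C:\\Sample\\Custom0\\INSTALL.INS"".',
  '03/10/2010 15:30:49   Context is (0x00800200) "Group Policy";',
  '03/10/2010 15:30:50     ! Execution of section [IeakInstall.Hklm] in "seczones.inf" failed with E_ACCESSDENIED.',
  '03/10/2010 15:30:50   Refreshing browser settings...',
  '03/10/2010 15:30:50   Broadcasting "Windows settings change" to all top level windows...',
  '03/10/2010 15:31:10   Done.',
].join("\n");

console.log(JSON.stringify(triageBrndlog(SAMPLE_LOG), null, 2));
```

Run it with Node.js; with DebugAppendBrndLog set, the same function can be applied to each appended branding run separately.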

Removing Internet Explorer Maintenance Processing

If you do not want to remove IE Maintenance from a policy, use the context menu on "Internet Explorer Maintenance" within the "Group Policy Editor" and choose "Reset browser settings". This stops the current settings from being applied, but the client-side extension will still be applied, e.g. in order to reset security settings when they were configured in the policy as mentioned above.

 

When you want to remove the extension from the policy altogether, please follow the steps outlined in the following KB:

2722241 Policy reporting tools indicate empty Internet Explorer Maintenance policy as winning: http://support.microsoft.com/kb/2722241/EN-US


This blog has been provided to you by another one of our Internet Explorer Escalation Engineers, Heiko Mayer.

 

How to troubleshoot IE Enhanced Security warning "Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration" ?


Hello Everyone!

This is Vinod from the IE team and I would like to share an informative concept about the IE Enhanced security feature which I discovered.

Scenario: User of a Terminal Server, still getting a Warning even after the administrator disabled it via Server Manager or Script.

In the Terminal Server environment we have a concept called Terminal Services Shadowing.

On a terminal server, whenever applications are installed, it first writes the new application registry entries to the HKEY_CURRENT_USER\Software registry location. At the same time, to ensure that these new entries are available for all the users on the terminal server, the new registry entries are propagated to another location in the registry called the shadow region:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software

So when we initially built the Terminal servers the IE Enhanced security feature creates a registry key under: 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap] – IEHarden

If you turn off the IE Enhanced Security from the UI or run the batch file, it will remove the settings from various other locations but not from the Shadow region.

How to troubleshoot IE Enhanced Security prompt issues?

You might get various symptoms like the ones below:

  • In 2003 and 2008 servers both the admin and the users are prompted with IE enhanced security even when the feature is Turned Off
  • Users are being prompted for credentials while accessing their internal website.
  • After adding a site to the Local Intranet Zone through group policy, the site continues to load under the Trusted Sites Zone
  • Unable to run add-ons when IE is launched as a RemoteApp on the Windows 2008 R2 terminal server

Sample prompts that we can get:

  • "Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration".

  • "This Website uses a data provider that may be unsafe"

In all these scenarios, if it is a Terminal Server and you have enabled shadowing, it is worth verifying whether the issue is actually caused by IE Enhanced Security or not.

 

The value for IEHarden will be set to 1 if the symptoms are being caused by IE Enhanced Security.

This will be a good start for troubleshooting to isolate if the issue is happening because of IE Enhanced security or not.

 

Note: The update batch file is available from the following blog article "How to disable IE Enhanced Security on Windows 2003 & Windows 2008 Server silently?"

 

Regards,

The IE Support Team

Optimizing Performance with automatic Proxyconfiguration scripts (PAC)


Hi Team,

When creating an automatic proxy configuration script (a PAC file, also known as wpad.dat), questions arise about how it can be optimized in order to speed up its performance.

The functions which can be used in order to evaluate an address (URL and hostname) are explained in the following article:
JavaScript or JScript Auto-Proxy Example Files
http://technet.microsoft.com/library/Dd361950

As mentioned in that article, the functions isInNet(), isResolvable() and dnsResolve() initiate queries to the DNS subsystem.
Therefore the use of these functions should be avoided when possible, or at least reduced.

1. Query for NetBIOS-names
NetBIOS names (server names with no dot in their name) are typically used in the intranet only and are therefore not routed through the proxy.
  if (isPlainHostName(host))
    return "DIRECT";

2. Query for internal DNS-suffixes
Internally used DNS zones are normally routed directly. The easiest way to identify such hosts is the function dnsDomainIs:
  if (dnsDomainIs (host, ".dns.company.com"))
    return "DIRECT";

A faster way to get the same result is shExpMatch(), which performs a string compare. This gives the same result as the function above, with the “*” character used as a wildcard:
  if (shExpMatch(host, "*.dns.company.com"))
    return "DIRECT";

3.  Query for IP-ranges
The idea of this rule is to check whether the IP address of the host belongs to the local intranet, regardless of the name of the web server; such hosts should bypass the proxy so that the client navigates directly to them.

If the IP address was entered directly in the address bar, there is no need to resolve it again. You can use the following code to check whether the host already has the format of an IP address:
  var isIpV4Addr = /^(\d+\.){3}\d+$/;
  ret = isIpV4Addr.test (host);
This routine checks whether the variable host consists of three numbers, each followed by a dot, and then one more number. The dot is escaped as \. so that it matches only a literal dot. The result of this check is stored in the variable ret, which is true in case of an IP address and false otherwise.

This would be the code snippet in which the variable hostIP will contain the IP address for additional checks later:
  var hostIP;
  var isIpV4Addr = /^(\d+\.){3}\d+$/;
  if (isIpV4Addr.test (host))
    hostIP=host;
  else
    hostIP=dnsResolve (host);

When a non-existing host has been passed to the function (e.g. because the user entered something wrong in the address bar), the result in hostIP might be 0. Any additional error handling can then be done by the proxy:
  if (hostIP==0)
    return "PROXY myproxy:80";

Now that we have the IP address of the host, the checks for the internal IP ranges need to be done.
When possible, use the shExpMatch function instead of isInNet. The following two code snippets have the identical result, while shExpMatch is faster in execution:
  if (isInNet (hostIP, "95.53.0.0", "255.255.0.0"))
    return "DIRECT";
  if (shExpMatch (hostIP, "95.53.*"))
    return "DIRECT";

4. JavaScript is case-sensitive
The proxy script is written in JavaScript, which is case-sensitive. Therefore an if-clause that compares against upper-case characters will never be true while the other parameter is in lower case.
Internet Explorer itself converts the variables host and url into lower case before the function FindProxyForURL is called.
This is not true for WinHTTP, which passes the host and the url directly to the function.
Therefore the parameters that are checked within the PAC file should be converted within the PAC file before they are evaluated. Here is the call for the conversion:
    host = host.toLowerCase();

5. Use of IPv6
If you want to handle IPv6 addresses: Internet Explorer has supported them since IE7 on every OS version (and WinHTTP since Windows Vista), but you then need to use the “Ex” functions (like isInNetEx ()) as mentioned in the following blog post:

WinINet and WinHTTP IPv6 Support in Web Proxy Auto-Discovery (WPAD) scripts enabled in Windows Vista
http://blogs.msdn.com/b/wndp/archive/2006/07/18/ipv6-wpad-for-winhttp-and-wininet.aspx

One example where the implementation of myIpAddressEx was very useful is also mentioned in the KB article http://support.microsoft.com/kb/2839111/en-us

6. Testing of a PAC-file
If the script contains any syntax error (e.g. a missing ‘)’ character in an if-statement), the script is no longer executed. To minimize such errors, consider using a script editor that performs syntax checking on the fly. When using Visual Studio, you can simply rename the extension of your PAC file to JS while editing.

After this, you can test it by configuring it in IE as a local PAC file. For the local C: drive, the syntax to configure IE would be file://c:\test.pac
With IE11, using a PAC file through the file protocol is no longer possible unless you add the following registry key:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
(DWORD)"EnableLegacyAutoProxyFeatures"=1

More information on the usage of local PAC files is available in the following blog post:

When debugging and testing the PAC file, you can add statements on an extra line that will raise a popup when the line is hit:
alert ("We are now here and host is: " + host);

Of course, alert ()-statements should never be active within the production environment.

Note: alert statements will no longer appear when using Windows 8 or higher!

 

6.1 Testing with autoprox.exe
Sometimes you just need to test whether your PAC file returns the expected route, although you have no access to the website in question. For such testing you can use the (attached) command-line utility autoprox.exe, which my colleague Pierre-Louis Coll created.
When it is started in a CMD window without additional parameters, the usage is displayed:

C:\temp>autoprox
Version : 2.1.0.0
Written by pierrelc@microsoft.com
Usage : AUTOPROX -s  (calling DetectAutoProxyUrl and saving wpad.dat file in temporary file)
Usage : AUTOPROX  [-h] url [Path to autoproxy file]
       -h: calls InternetInitializeAutoProxyDll with helper functions implemented in AUTOPROX
AUTOPROX url: calling DetectAutoProxyUrl and using WPAD.DAT logic to find the proxy for the url
AUTOPROX url path: using the autoproxy file from the path to find proxy for the url
Example: autoprox -s
Example: autoprox http://www.microsoft.com
Example: autoprox -h http://www.microsoft.com c:\inetpub\wwwroot\wpad.dat
Example: autoprox http://www.microsoft.com http://proxy/wpad.dat

Here is the output with our sample:

C:\temp>autoprox http://us.msn.com c:\temp\sample.pac
The Winsock 2.2 dll was found okay
url: http://us.msn.com
autoproxy file path is : c:\temp\sample.pac
Calling InternetInitializeAutoProxyDll with c:\temp\sample.pac
        Calling InternetGetProxyInfo with url http://us.msn.com and host us.msn.com
        Proxy returned for url http://us.msn.com is:
PROXY myproxy:80;

When you want to see which DNS-related functions have been called, you can add the parameter “-h”.
Here is the output when it is used:

C:\temp>autoprox -h http://us.msn.com c:\temp\sample.pac
The Winsock 2.2 dll was found okay
Will call InternetInitializeAutoProxyDll with helper functions
url: http://us.msn.com
autoproxy file path is : c:\temp\sample.pac
Calling InternetInitializeAutoProxyDll with c:\temp\sample.pac
        Calling InternetGetProxyInfo with url http://us.msn.com and host us.msn.com
ResolveHostByName called with lpszHostName: us.msn.com
ResolveHostByName returning lpszIPAddress: 65.55.206.229
        Proxy returned for url http://us.msn.com is:
PROXY myproxy:80;

Error-Handling in autoprox.exe:
a) When you specify a non-existing PAC file (e.g. a typo in the command line), the result from autoprox.exe will be:
  ERROR: InternetInitializeAutoProxyDll failed with error number 0x6 6.

b) When the PAC file contains syntax errors, you typically receive the following message:
  ERROR: InternetGetProxyInfo failed with error number 0x3eb 1003.

After finishing the local test, the PAC file should be copied to the web server, where it will be accessed through the http protocol.

Here would be the complete sample, as discussed above:

function FindProxyForURL(url,host)
{
  // NetBIOS-names
  if (isPlainHostName(host))
    return "DIRECT";
  // change to lower case – if not already been done
  host = host.toLowerCase();
  // internal DNS-suffixes
  if (shExpMatch(host, "*.corp.company.com") ||
      shExpMatch(host, "*.dns.company.com"))
    return "DIRECT";
  // Save the IP-address to variable hostIP
  var hostIP;
  var isIpV4Addr = /^(\d+\.){3}\d+$/;
  if (isIpV4Addr.test (host))
    hostIP=host;
  else
    hostIP=dnsResolve (host);
  // IP could not be determined -> go to proxy
  if (hostIP==0)
    return "PROXY myproxy:80";
  // These 3 scopes are used only internally
  if (shExpMatch (hostIP, "95.53.*") ||
      shExpMatch (hostIP, "192.168.*") ||
      shExpMatch (hostIP, "127.0.0.1"))
    return "DIRECT";
  // Everything else goes through the proxy
  return "PROXY myproxy:80;";
}
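
To check routing decisions and count DNS lookups without a browser or autoprox.exe, the PAC text can be loaded into a small Node.js harness with stubbed helper functions. This is an added example, not code from the original post or from Microsoft: loadPac, compare, SLOW_PAC, FAST_PAC and the DNS table are assumed names with constructed data, and the helper stubs are simplified stand-ins for the browser's implementations.

```javascript
// Added example: offline harness for PAC logic (Node.js, no network access).
// The DNS table, host names and both PAC texts are constructed sample data.

// Translate a PAC shell expression ("*", "?") into an anchored RegExp.
function shExpToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
}

const ipToInt = (ip) => ip.split(".").reduce((n, octet) => n * 256 + Number(octet), 0);
const sameNet = (ip, net, mask) =>
  ((ipToInt(ip) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0);

// Load PAC source into a sandbox whose DNS helpers are stubs that record each query.
function loadPac(source, dnsTable) {
  const dnsQueries = [];
  const resolve = (host) => {
    dnsQueries.push(host);
    // Assumption: a failed lookup yields 0, mirroring the post's "might be 0".
    return dnsTable.get(host.toLowerCase()) || 0;
  };
  const helpers = {
    isPlainHostName: (host) => host.indexOf(".") === -1,
    dnsDomainIs: (host, domain) => host.endsWith(domain),
    shExpMatch: (str, pattern) => shExpToRegExp(pattern).test(String(str)),
    dnsResolve: resolve,
    isResolvable: (host) => resolve(host) !== 0,
    isInNet: (host, net, mask) => {
      const ip = /^(\d+\.){3}\d+$/.test(host) ? host : resolve(host);
      return ip !== 0 && sameNet(ip, net, mask);
    },
    alert: () => {},
  };
  const names = Object.keys(helpers);
  const findProxyForURL =
    new Function(...names, source + "\nreturn FindProxyForURL;")(...names.map((n) => helpers[n]));
  return {
    // The host is cut out of the URL without lower-casing it (WinHTTP behaviour per the post).
    route(url) {
      const host = /^[a-z][a-z0-9+.-]*:\/\/([^\/:]+)/i.exec(url)[1];
      const before = dnsQueries.length;
      const result = findProxyForURL(url, host);
      return { result, dnsQueries: dnsQueries.slice(before) };
    },
  };
}

// DNS-first ordering, no lower-casing: every name costs a lookup.
const SLOW_PAC = String.raw`
function FindProxyForURL(url, host) {
  if (isInNet(host, "95.53.0.0", "255.255.0.0")) return "DIRECT";
  if (dnsDomainIs(host, ".dns.company.com")) return "DIRECT";
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY myproxy:80";
}`;

// Ordering recommended in the post: string checks first, DNS only as a last resort.
const FAST_PAC = String.raw`
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  host = host.toLowerCase();
  if (shExpMatch(host, "*.dns.company.com")) return "DIRECT";
  var isIpV4Addr = /^(\d+\.){3}\d+$/;
  var hostIP = isIpV4Addr.test(host) ? host : dnsResolve(host);
  if (hostIP == 0) return "PROXY myproxy:80";
  if (shExpMatch(hostIP, "95.53.*")) return "DIRECT";
  return "PROXY myproxy:80";
}`;

// Constructed DNS answers for the stub resolver.
const DNS = new Map([
  ["us.example.test", "203.0.113.20"],
  ["portal.dns.company.com", "10.1.2.3"],
]);

// Route one URL through both scripts and report result plus DNS queries made.
function compare(url) {
  return { slow: loadPac(SLOW_PAC, DNS).route(url), fast: loadPac(FAST_PAC, DNS).route(url) };
}

for (const url of ["http://intranet/start", "http://PORTAL.DNS.COMPANY.COM/", "http://95.53.7.7/"]) {
  const { slow, fast } = compare(url);
  console.log(url, "| slow:", slow.result, slow.dnsQueries.length,
              "| fast:", fast.result, fast.dnsQueries.length);
}
```

For the upper-case internal name, the first script sends the request to the proxy after one DNS lookup, while the second returns DIRECT with no lookup at all.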

 

Here is a known issue:

 

Good Blog Article:

 

This blog has been provided to you by another one of our Escalation Engineers for Internet Explorer, Heiko Mayer.

 

How to push a new IEAK Package on a computer without Internet Connection


In this blog we will share a common scenario, seen more and more often in controlled IT environments, where there is a need to push a new version of Internet Explorer to machines without an Internet connection.

NOTE: In this blog, we will be using Windows 7 and Internet Explorer 10 English Language as an example, however you should be able to use the same switch for other versions of Internet Explorer!

This should also apply to IE11 deployment !

Method I:

Using the downloaded setup .exe

  • Once you have downloaded the setup, open an elevated command window and run the IE10-Windows6.1-x64-en-us.exe setup with the /update-no switch. Example: IE10-Windows6.1-x64-en-us.exe /update-no

TIP: You can use the /? or ? to view all available setup switches!

 

  • Below is a screenshot of the process installing on a machine with no network connectivity.

 

Method II:

Using IEAK Package. The only item you must know is which .exe you need to use.

Extract the IE10-Setup-Full.exe from your  C:\builds\FOLDER_NAME\FLAT\AMD64_WIN7\EN-US  and use the IE-Redist.exe with the /update-no switch.

Example: IE-Redist.exe /update-no

 

Note: The /update-no switch cannot be used with MSI packages. It is an IE setup switch and not an msiexec.exe switch. Use the executable from your IEAK FLAT folder. Example: C:\builds\IE10_1_08092013\FLAT\AMD64_WIN7\EN-US\IE10-Setup-Full


Here are the IE10 Prerequisites:  

  • 2729094
  • 2731771 --| This update is superseded by 2758857
  • 2533623 --| This update is superseded by 2758857
  • 2670838
  • 2786081 - Note if this update is uninstalled, Internet Explorer 10 will also automatically be uninstalled (per article http://support.microsoft.com/kb/2818833 notes)

This blog has been provided to you by The IE Support Team.

ActiveX GPO is configured to allow regular users install ActiveX Controls but fails with Access is denied when file access auditing is enabled


Can't get AXIS to work and have very few clues as to why the ActiveX control is not installing? Perhaps you are hitting this scenario.

Assume you have configured the AXIS GPO in your environment to manage Windows 7 client machines. These machines could be running IE8, IE9, IE10 or even IE11. You log on using a regular user account and open the internal web page that hosts the ActiveX control. You notice that the ActiveX control is not loaded and fails to install. When you review the IE Temporary Internet Files, there is a CodeDownloadErrorLog entry:

Error messages are generated in 'C:\Users\<<current_user>>\AppData\Local\Microsoft\Windows\Temporary Internet Files' as ?CodeDownloadErrorLog!name={<<class_id>>} files which contain the error: "Code Download Error: (hr = 80070005) Access is denied."

A Process Monitor capture shows a few Access Denied results but no clear indication of what the problem is.

You then look at the Security event log and find a few entries recording attempts to access an object. Example:

Log Name:      Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/28/2010 11:14:40 AM
Event ID: 4663
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: COMPUTERNAME
Description:
An attempt was made to access an object.
Subject:
Security ID: DOMAIN\acct
Account Name: acct
Account Domain: DOMAIN
Logon ID: 0x644b9
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\AxInstSV\AXS00001\cabfilename.cab
Handle ID: 0x1a4
Process Information:
Process ID: 0xc24
Process Name: C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Access Request Information:
Accesses: READ_CONTROL

Access Mask: 0x20000

 

The scenario outlined in this blog is known to occur when security auditing has been enabled for file system objects in the Windows directory.

To fix this issue, remove the auditing entries from the Advanced Security Settings for the Windows directory.

 

RELATED BLOGS:

 

 This blog has been provided to you by The IE Support Team.

Command line options available to uninstall Internet Explorer


In this blog, I am sharing the commands available to uninstall Internet Explorer.

Examples covered in this blog are for:

  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11 

Example for uninstalling Internet Explorer 9

  • Log on to the computer by using an administrator account or an account that has administrative rights.
  • Close all Internet Explorer browser windows.
  • Click Start, type cmd in the Search box, and then click cmd under Programs.
  • Copy the following command:
FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*9.*.mum /c "cmd /c echo Uninstalling package @fname&& start /w pkgmgr /up:@fname /quiet /norestart"
  • Paste the command into the Command Prompt window, and then press Enter.
  • Restart the computer.

Example for uninstalling Internet Explorer 10

  • Log on to the computer by using an administrator account or an account that has administrative rights.
  • Close all Internet Explorer browser windows.
  • Click Start, type cmd in the Search box, and then click cmd under Programs.
  • Copy the following command:
FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*10.*.mum /c "cmd /c echo Uninstalling package @fname&& start /w pkgmgr /up:@fname /quiet /norestart"
  • Paste the command into the Command Prompt window, and then press Enter.
  • Restart the computer.

Example for uninstalling Internet Explorer 11

  • Log on to the computer by using an administrator account or an account that has administrative rights.
  • Close all Internet Explorer browser windows.
  • Click Start, type cmd in the Search box, and then click cmd under Programs.
  • Copy the following command:
FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*11.*.mum /c "cmd /c echo Uninstalling package @fname&& start /w pkgmgr /up:@fname /quiet /norestart"
  • Paste the command into the Command Prompt window, and then press Enter.
  • Restart the computer.

MORE INFORMATION

Articles:

What to do if you can’t uninstall Internet Explorer 9

http://support.microsoft.com/kb/2579295

 

Manual Process:

Install or uninstall Internet Explorer

http://windows.microsoft.com/en-us/internet-explorer/install-ie#ie=ie-11


After installing MS14-021 the Download Manager comes up when I click on the Internet Explorer Icon


Here is a quick post to provide guidance on how to address a scenario encountered due to a missing IE cumulative update.

If the Download Manager comes up instead of the IE window when you click the Internet Explorer icon, the installation sequence of the IE updates is incorrect. Here are the steps to correct it.

  1. Remove MS14-021 [http://support.microsoft.com/kb/2964358] or MS14-029 [http://support.microsoft.com/kb/2953522] (if that is the case)
  2. Install MS14-018 - http://support.microsoft.com/kb/2936068
  3. Install MS14-029 instead of MS14-021, since MS14-029 replaced MS14-021

Test your browser.

 

Hope this quick blog helps with your scenario.

This blog has been provided to you by the IE Support Team.

 

HOW TO CONFIGURE A PROXY SERVER URL AND PORT USING GPP REGISTRY ?


Here are the steps for adding a ProxyServer URL and port using Group Policy Preferences Registry settings.

Requirements: GPMC.MSC Editor

  • From User configuration / Preferences / Windows Settings / Registry
  • Right-click on the Registry item and select Registry Item


 
 
  
  

  • In the New Registry Properties dialog, set the Action to Create if the value you are adding for your proxy does not exist yet.

NOTE: Adjust the Action option based on your needs.

  • Set the Hive location and Key Path.

In our scenario, we are setting the following:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer entry

"ProxyServer"=http://proxy.contoso.com:9500


 

  • If applicable, from the Common tab, you can select what actions to take with this GPP Registry setting.  

 

  • Click Apply and OK to commit the changes.

Here is what it looks like, once it is configured:

That is all. Once you have defined this GPO and your domain replication has completed (or you have run GPUPDATE /FORCE on the client to see whether the setting has come down), you are done!

Considerations:

 

For references to GPO Location, use the online GPO Search Engine: http://gpsearch.azurewebsites.net

This blog has been provided to you by the IE Support Team.

 

 

IE11 Enterprise Mode Template missing from GPMC


I want to share a scenario I worked on recently that may help others understand what could cause Enterprise Mode not to show in GPMC.

Condition:

  • You want to manage the IE11 Enterprise Mode GPO from a central location using your Central Store Group Policy configuration
  • You have already installed IE11 on the machine you are using to manage these group policies
  • You have already installed the required IE cumulative update that introduces Enterprise Mode, MS14-018

When you open GPMC on your Domain controller you do not see the 2 new Enterprise Mode Group Policy entries:

  • Let Users turn on and use Enterprise Mode from the Tools menu
  • Use the Enterprise Mode IE website list

Reason:

  • You have not copied the new IE11 Enterprise Mode ADMX templates to your Sysvol Policies PolicyDefinitions directory
  • You had GPMC opened when copying the files

Actions taken to get your IE11 Enterprise Mode GPO settings to show in GPMC when using a Central Store Group Policy configuration:

  • Make sure GPMC is closed!
  • Copy both inetres.admx from C:\Windows\PolicyDefinitions and inetres.adml from C:\Windows\PolicyDefinitions\en-US to the Domain Sysvol\Domain\policies\PolicyDefinitions directory. You may also want to verify that the new files contain the new EMIE entries.
  • Open GPMC and see if the IE Enterprise Mode GPOs are present

The key to this scenario was to make sure that GPMC console was closed.

Here are the EMIE entries we need to have in the templates. You can search for them.

Inetres.admx entries: EnterpriseModeEnable and EnterpriseModeSiteList

 <policy name="EnterpriseModeEnable" class="Both" displayName="$(string.EnterpriseModeEnable)" explainText="$(string.IE_ExplainEnterpriseModeEnable)" presentation="$(presentation.EnterpriseModeEnable_1)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode">
      <parentCategory ref="InternetExplorer" />
      <supportedOn ref="SUPPORTED_IE11" />
      <elements>
        <text id="EnterReportBackPrompt" valueName="Enable" />
      </elements>
    </policy>

<policy name="EnterpriseModeSiteList" class="Both" displayName="$(string.EnterpriseModeSiteList)" explainText="$(string.IE_ExplainEnterpriseModeSiteList)" presentation="$(presentation.EnterpriseModeSiteList_1)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode">
      <parentCategory ref="InternetExplorer" />
      <supportedOn ref="SUPPORTED_IE11" />
      <elements>
        <text id="EnterSiteListPrompt" valueName="SiteList" required="true" />
      </elements>
    </policy> 

Inetres.adml entries: EnterpriseModeEnable and EnterpriseModeSiteList

If you disable or do not configure this policy setting, users can pin sites.</string>
      <string id="EnterpriseModeEnable">Let users turn on and use Enterprise Mode from the Tools menu</string>
      <string id="IE_ExplainEnterpriseModeEnable">This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.

If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.

If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.</string>
      <string id="EnterpriseModeSiteList">Use the Enterprise Mode IE website list</string>
      <string id="IE_ExplainEnterpriseModeSiteList">This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.

If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.

<presentation id="EnterpriseModeEnable_1">
        <textBox refId="EnterReportBackPrompt">
          <label>Type the location (URL) of where to receive reports about the websites for which users turn on and use Enterprise Mode</label>
        </textBox>
      </presentation>
      <presentation id="EnterpriseModeSiteList_1">
        <textBox refId="EnterSiteListPrompt">
          <label>Type the location (URL) of your Enterprise Mode IE website list</label>
        </textBox>
      </presentation>
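One way to carry out the check suggested above, confirming that the copied templates contain the EMIE entries, is to resolve every $(string.…) and $(presentation.…) reference of the two policies in the ADMX against the ids in the ADML. This is an added example, not part of the original post; it runs against constructed excerpts trimmed from the entries quoted above, and in practice you would pass in the text of the inetres.admx and inetres.adml files from the PolicyDefinitions directory.

```javascript
// Added example: ADMX/ADML cross-check. Both excerpts are constructed,
// trimmed from the entries quoted above; they are not complete template files.
const ADMX_EXCERPT = `
<policy name="EnterpriseModeEnable" class="Both" displayName="$(string.EnterpriseModeEnable)" explainText="$(string.IE_ExplainEnterpriseModeEnable)" presentation="$(presentation.EnterpriseModeEnable_1)">
  <elements><text id="EnterReportBackPrompt" valueName="Enable" /></elements>
</policy>
<policy name="EnterpriseModeSiteList" class="Both" displayName="$(string.EnterpriseModeSiteList)" explainText="$(string.IE_ExplainEnterpriseModeSiteList)" presentation="$(presentation.EnterpriseModeSiteList_1)">
  <elements><text id="EnterSiteListPrompt" valueName="SiteList" required="true" /></elements>
</policy>`;

const ADML_EXCERPT = `
<string id="EnterpriseModeEnable">Let users turn on and use Enterprise Mode from the Tools menu</string>
<string id="IE_ExplainEnterpriseModeEnable">(explain text shortened)</string>
<string id="EnterpriseModeSiteList">Use the Enterprise Mode IE website list</string>
<string id="IE_ExplainEnterpriseModeSiteList">(explain text shortened)</string>
<presentation id="EnterpriseModeEnable_1"><textBox refId="EnterReportBackPrompt"><label>(shortened)</label></textBox></presentation>
<presentation id="EnterpriseModeSiteList_1"><textBox refId="EnterSiteListPrompt"><label>(shortened)</label></textBox></presentation>`;

const REQUIRED_POLICIES = ["EnterpriseModeEnable", "EnterpriseModeSiteList"];

// Collect attribute name/value pairs from one start tag.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(/([\w:]+)="([^"]*)"/g)) attrs[m[1]] = m[2];
  return attrs;
}

// Set of id attributes of every <tagName ...> start tag in the text.
function idsOf(xml, tagName) {
  const re = new RegExp("<" + tagName + "\\s[^>]*>", "g");
  return new Set((xml.match(re) || []).map((t) => parseAttrs(t).id));
}

// Return a list of problems; an empty list means every required policy is
// defined in the ADMX and all of its resource references resolve in the ADML.
function checkTemplates(admx, adml, requiredPolicies) {
  const strings = idsOf(adml, "string");
  const presentations = idsOf(adml, "presentation");
  const policies = {};
  for (const tag of admx.match(/<policy\s[^>]*>/g) || []) {
    const a = parseAttrs(tag);
    policies[a.name] = a;
  }
  const problems = [];
  for (const name of requiredPolicies) {
    const p = policies[name];
    if (!p) {
      problems.push(name + ": policy missing from ADMX");
      continue;
    }
    for (const attr of ["displayName", "explainText", "presentation"]) {
      const ref = /^\$\((string|presentation)\.([^)]+)\)$/.exec(p[attr] || "");
      if (!ref) {
        problems.push(`${name}: ${attr} is not a resource reference`);
        continue;
      }
      const pool = ref[1] === "string" ? strings : presentations;
      if (!pool.has(ref[2])) problems.push(`${name}: ${attr} -> ${ref[2]} missing from ADML`);
    }
  }
  return problems;
}

console.log(checkTemplates(ADMX_EXCERPT, ADML_EXCERPT, REQUIRED_POLICIES));
```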

This blog has been provided to you by the IE Support Team.

 

"Your Browser has been upgraded" Tab being displayed after installing MS14-035


Hello,

This blog post is about the notification that users receive one time after the installation of the last cumulative IE update in June, MS14-035.

For IE10 on Windows 7, the following webpage is displayed: http://windows.microsoft.com/en-us/internet-explorer/ie-10-welcome-upgrade1

 

For IE9 on Windows 7 or on Windows Vista, the following webpage is displayed as a 2nd tab: http://windows.microsoft.com/en-us/internet-explorer/products/ie-9/welcome-upgrade3

Both pages contain the title "Your browser has been upgraded", the line "Check out Internet Explorer 10" (or 9), and then, at the bottom, the following text:

 

A change to note about your upgrade

Search suggestions in the address bar are turned on unless you previously turned them off. When you begin typing in the address bar, data may be sent to your search provider. For more info, including how to change previously configured settings, see the Internet Explorer 10 privacy statement.

The change of the default-setting itself is also documented in the following KB-article:

 

The reason why I wanted to blog about this is the expectation that, in corporate environments, welcome messages etc. are never displayed to the user. The admin may therefore have configured the following policy, which does not apply to this change:

 

Policy name:    Prevent running First Run wizard

Supported on:   At least Internet Explorer 7.0

Category path:  Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\

Registry key:  HKLM\Software\Policies\Microsoft\Internet Explorer\Main

Registry value: DisableFirstRunCustomize

Policy URL: http://gpsearch.azurewebsites.net/Default.aspx?PolicyID=606

 

This means that an administrator who wants to suppress the appearance of this Welcome tab should deploy the following registry value, which is also created when the page has been opened:

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

(DWORD)"PrivacyPolicyShown"=1

 

An alternative solution is to use a Group Policy Preferences Registry item to push the registry value to your clients.

Create a GPP registry item under User configuration \ Preferences \ Registry Items

Configure your GPP Registry item with the following attributes:

Action: Replace
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Internet Explorer\Main
Value name: PrivacyPolicyShown
Value type: dword
Value data: 1

Screenshot:

Click Apply and OK and you are done. Now you have to validate that your settings are pushed to your clients.

This blog has been provided to you by Heiko Mayer

 

Using the new "blocking out-of-date ActiveX controls" administrative template in IE

How to manage the new "blocking out-of-date ActiveX controls" feature in IE?

In this quick blog post, we are sharing the administrative group policy settings and registry location included in the August 2014 IE cumulative update, that will help you better prepare and manage the new "blocking out-of-date ActiveX controls" feature...

How do I test the new out-of-date ActiveX controls feature?


In the previous blog, "How to manage the new "blocking out-of-date ActiveX controls" feature in IE?", we showed you the location and settings for the new out-of-date ActiveX controls feature. In this one, we outline the step-by-step instructions covered in article KB2991000 | Update to block out-of-date ActiveX controls in Internet Explorer, under the section "Testing the out-of-date ActiveX controls feature", to get your testing started and better prepare you for the upcoming changes.

Testing Guidance

If your organization has a dependency on an outdated version of Java, you can run the following test to mirror the end-user experience on September 9, 2014.

  1. On a test computer, install the August cumulative update for Internet Explorer.
  2. Set a registry key to stop downloading updated versions of the VersionList.xml file. To do this, run the following command: 
    reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f
    Important: After testing, you must delete this registry key or this computer will stop receiving an updated VersionList.xml file that lists the out-of-date ActiveX controls. We do not recommend ever setting this registry key on an in-production computer. 
  3. Copy the current VersionList.xml file from here or the direct link (https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlist.xml) to the following location:
    %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml
    Note: If you are asked, overwrite the existing file. 
  4. To start blocking out-of-date versions of Java, open the VersionList.xml file and delete the first occurrence of latestgroup="1" (the bolded portion below):

    <groupentries>
    <groupentry groupname="Java(TM)" fwdlink="https://go.microsoft.com/fwlink/?LinkID=401352" latestgroup="1"/>
    <groupentry groupname="Java(TM) 1.4.2_43" fwdlink="http://" latestgroup="1"/>
    <groupentry groupname="Java(TM) 1.5.0_71" fwdlink="http://" latestgroup="1"/>
    <groupentry groupname="Java(TM) 1.6.0_81" fwdlink="http://" latestgroup="1"/>
    <groupentry groupname="Java(TM) 1.7.0_65" fwdlink="http://" latestgroup="1"/>
    <groupentry groupname="Java(TM) 1.8.0_11" fwdlink="http://" latestgroup="1"/>
    </groupentries>
  5. Restart Internet Explorer. You should see that websites that attempt to load out-of-date Java ActiveX controls will now display the out-of-date ActiveX control blocking notification.

If your organization needs more time to mitigate dependencies on out-of-date Java controls, you have the following two options:

  • Turn off the feature completely: Use the Turn off blocking of outdated ActiveX controls for Internet Explorer Group Policy setting (or corresponding registry key)
     Note: This is the less secure option.
  • Turn off the feature for a specific domain: Use the Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains Group Policy setting (or corresponding registry key). This setting allows you to turn off the feature on the specific domains on which your enterprise has an out-of-date Java dependency.

RELATED ARTICLES:

This blog has been provided to you by the IE Support team!

 


Using /run32 Procmon command line argument for 32-bit procmon log analysis


In this post, I would like to share a scenario that you may run into when trying to open, on a 64-bit client machine, a Procmon PML file that was captured on a 32-bit operating system.

If you find yourself asking someone to gather a Process Monitor log from a 32-bit client machine, and once you have received it you try to open it on a 64-bit client machine, you may get a little message.

The message may read like this:

Process Monitor
The file ‘directory\filename.PML’ is not compatible with this version of Process Monitor.
OK

This is because, to open the 32-bit Procmon capture, you need to be using the same version, or use the /run32 switch, which allows you to run the 32-bit version on a 64-bit client machine.
 
NOTE: This process was tested using the Process Monitor V 3.01

How to get to the Command Line Options?

From Process Monitor, select the help menu and click on the Command Line options… submenu

Here are the command line arguments:

Creating a shortcut

You can create a shortcut on your desktop for the next time you may have to review a 32-bit procmon log from a x64-bit client machine.
 
The easiest way is to right-click on Procmon.exe and select Create Shortcut.

Then, in the properties of the Procmon.exe – Shortcut (right-click and select Properties), add /Run32 at the end of the Target entry.

Now, you can put this Procmon.exe – shortcut wherever you like, to make it easier next time you have to review 32-bit procmon logs from a 64-bit client machine.
 

Hope you enjoy this little trick to help those who may have encountered this scenario before!

This blog has been provided to you by another one of our Escalation Engineers for Internet Explorer, Louis Shanks.

Bing Search in new tab page after October Cumulative update MS14-056 kb2987107 - Search in the address bar and the search box on the new tab page


After installing the latest October IE Cumulative Update from MS14-056 (KB article 2987107), you may find a new feature for tab browsing: the "Search in the address bar and the search box on the new tab page" option. This is a really good option to have and makes the tabs much more useful! It is currently available only in Internet Explorer 11 after updating to the October IE Cumulative Update.

 

Where can I manage this new setting?

  • You can manage this new setting from the IE UI under Manage Add-ons / Search Providers

STEPS: Press the Alt+X key combination to bring up the Settings context menu and select Manage Add-ons

In Manage Add-ons, select Search Providers and uncheck the option "Search in the address bar and the search box on the new tab page"

Where is the registry modified by this setting?

REGISTRY LOCATION: [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

VALUE:  "AutoSearch"=dword:00000001

1 = ON/SELECTED

0 = OFF/DESELECTED

 

Can this setting be managed by GPO?

GROUP POLICY LOCATION: If you enable this GPO, it will remove the search from about:Tabs

Policy Name: Prevent configuration of search on Address bar

Online link reference: User GPO: http://gpsearch.azurewebsites.net/#1737 / Computer GPO: http://gpsearch.azurewebsites.net/#7307

Category Path: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Searching\

Registry Key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main

Value: AutoSearch

 

IE November Cumulative update and EMET 5.0 compatibility heads-up

Where can I find the GPO Only use the ActiveX Installer Service for installation of ActiveX controls in IE9 and above?


If you are looking for the GPO Only use the ActiveX Installer Service for installation of ActiveX controls on a Windows 7 machine running IE9 or above, you may not find it.

The reason is that the GPO was renamed to Specify use of ActiveX Installer Service for installation of ActiveX controls, a name introduced in IE9 and above.

GPO Location: User Configuration\Administrative Templates\Windows Components\Internet Explorer\

Registry location: Software\Policies\Microsoft\Windows\AxInstaller

Value: OnlyUseAXISForActiveXInstall

Description:

This policy setting allows you to specify how ActiveX controls are installed.

If you enable this policy setting, ActiveX controls will only install if the ActiveX Installer Service is present and has been configured to allow ActiveX controls to be installed.

If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, will be installed using the standard installation process.

 

The Policy Applies to: Windows 7, Windows 2008, Windows 2008 R2, Windows 8 and 8.1 and Windows 2012.

Screenshot:

GPO Search Location:  

This blog has been provided to you by the IE Support team!

How to use GPP Registry to uncheck automatically detect settings?


By default, Internet Explorer has the Automatically Detect Settings option enabled, and on some managed networks this may need to be unchecked.

As you know, the IE Maintenance GPO, famously used to configure this and other IE settings, was first deprecated in IE10 in favor of Administrative Templates and Group Policy Preferences, so it is important to familiarize yourself with GPP Registry to make your administrative work a little easier.

NOTE: Please read the article [http://technet.microsoft.com/en-us/library/jj890998.aspx] for more detailed information about the changes and other policies!

In this blog, we will cover how to use Group Policy Preferences to uncheck the automatically detect settings in Internet Explorer.

Let's get started.

  • Open GPMC.MSC and edit the GPO in which you would like to define the new IE setting policy.
  • Navigate to User configuration / Preferences / Windows Settings / Registry
  • Right-click on Registry and select New > Collection Item

  • Name the Collection Item AutomaticallyDetectSettings (or something you like)
  • Right-click on the new Collection folder and select New > Registry Wizard

  • Select Local Computer or Another Computer, whichever contains the settings you want to push down to your clients. In this case, you want to import the keys from a machine that you have already prepared with the Automatically Detect Settings option unchecked. For this example, I have selected the host machine [Local Computer], which already has the option deselected!
  • Click on the Next> button to continue
  • You will see the Registry Browser Dialog

  • Navigate to the following registry location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

  • And select the following 2 options:
    • DefaultConnectionSettings
    • SavedLegacySettings

  • Click on the Finish Button
  • You have configured the GPO setting.

  • You can test the GPO on the client once your policy has refreshed, or use the gpupdate /force command to force the GPO settings. If you open the Internet Explorer Connections tab / LAN Settings, the Automatically Detect Settings option should be unchecked

As you can see, the GPP Registry is a GREAT way to get your settings configured. The same approach can be used to implement any number of IE settings and I hope this helps you in the future.

This blog has been provided to you by the IE Support team!

 

 

 

 

 

 
