[gptalk] Re: Vista - Enable Protected Mode

  • From: "Tim Bolton" <jsclmedave@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Wed, 20 Aug 2008 07:38:58 -0500

I was setting the sit-to-zone assignments (all default settings).  The GPO
was Linked but NOT enabled.  There was an issue while documenting that were
the payroll person could not access an important site.  Of course all eyes
looked my way...  This turned out to be a Server Side 500 error.  Nothing I
was doing - or the new ISA server - had anything to do with it.  However the
GPO was deleted to make sure and several gpupdate /force commands were run.

So now I recreated the GPO with the same settings.  This time it is neither
Linked or Enabled.  I am now getting a call from one of the directors that
his Vista PC is prompting him to load ActiveX controls for almost everyone
of their frequented sites.  If they place the site into their Trusted Sites
the are no longer prompted.  This is an option that is not acceptable and
once again all eyes are looking my way.

1) Would setting the sit-to-zone assignments (all default settings) cause
the Vista PCs to start prompting?  I thought that Protected Mode was on by
Default..?

2) To verify that I made any changes or to turn off Protected Mode I would
have to make changes to the UAC settings in GP.  Is this not the case..?

3) Would anything that I have done caused this issue?  I don't see how, but
I have minimal testing with Vista only.  I do not even own a copy.  Most of
my time has been spent trouble shooting and documenting what I have found
for an upcoming migration to new equipment, so changes have been absolutely
minimal.

Feel free to shoot me an email off line if you want further info  jsclmedave
at Gmail DOT com

On Tue, Aug 19, 2008 at 7:21 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

>  I'm a bit confused, Tim, by what your issue is. Is it that you set some
> site-to-zone assignments on IE, then removed the underlying GPO, and they
> are still being delivered? I guess I'm missing the connection between UAC
> and what you're seeing…
>
>
> Darren
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Salandra, Justin
> *Sent:* Tuesday, August 19, 2008 5:12 PM
>
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Vista - Enable Protected Mode
>
>
>
> Try installing the RSAT tools on Vista SP1
>
>
>
> Justin A. Salandra
>
> Network Engineer
>
> jsalandra@xxxxxxxxxxx
>
>  ------------------------------------------
>
>
>
>
>
> [image: MCSE(rgb)]          [image: MCTS(rgb)_528_534]
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Tim Bolton
> *Sent:* Tuesday, August 19, 2008 5:32 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Vista - Enable Protected Mode
>
>
>
> I am going to try to RDP into a vista box in the morning then load the
> client side GP there.  I was also going to run
>
> GPRESULT /H %TEMP%\UserRSOP.htm /scope user
> and
> GPRESULT /H C:\ComputerRSOP.htm /scope computer
>
> Especially sine RSOP does not work correctly on Vista SP1.
>
>
>
> Not sure what else to do...
>
>
>
>
>
>
>
> On Tue, Aug 19, 2008 at 4:18 PM, Salandra, Justin <jsalandra@xxxxxxxxxxx>
> wrote:
>
> You  will not see the UAC settings from a 2003 Server running GPMC, can you
> run it for a Vista machine?
>
>
>
> Justin A. Salandra
>
> Network Engineer
>
> jsalandra@xxxxxxxxxxx
>
>  ------------------------------------------
>
>
>
>
>
> *Error! Filename not specified.*          *Error! Filename not specified.*
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Tim Bolton
> *Sent:* Tuesday, August 19, 2008 4:47 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Vista - Enable Protected Mode
>
>
>
> I am working with a new site and was setting the Internet Security Zones
> for IE6 and IE7.
>
>
>
> The GP was Linked but not enforced.  I was setting them to the Default Zone
> Settings when an issue arose with access to a site for a user completing
> payroll.
>
>
>
> This turned out to be a Server Side error.  However, for a just in case
> measure, the new GP was un-linked and then deleted.  I ran gpupdate /force
> to clean up any issues.
>
>
>
> We installed an ISA server about a month ago.  Since then no changes have
> been made to it.
>
>
>
>
>
> Now I am told that the Vista PCs are getting prompted to add ActiveX
> controls.  When the user RT clicks they only get info not the ability to
> add.  The users are able to add the site to the Trusted List and that takes
> care of the prompt.
>
>
>
> However, the users do not want to have to perform this task for every site
> they go to and they are indicating that this started a couple of weeks ago,
> even though they have had these Vista PCs for over a year.
>
>
>
> I am checking ISA one more time.
>
>
>
> I have run the modeling test with that user and all indications are that
> the Default Domain policy is winning out.
>
>
>
> However, since I am RDPing into a 2003 Server, I cannot even see the Vista
> UAC settings or anything else that would affect Vista.
>
>
>
> Would the settings to IE6 and IE7 apply to the Vista instance even though
> it was not enforced?
>
>
>
> The ONLY thing I done this last week and this week is document AND gpupdate
> /force.  I am wondering if I woke up the Vista PCs..?
>
>
>
>
>
> Any advice will be greatly appreciated...
>
>
>
>
>
> --
> Tim Bolton
>
> "IMPORTANT NOTICE: The information in this email
>
> (and any attachments hereto) is confidential and may be
>
> protected by legal privileges and work product immunities.
>
> If you are not the intended recipient, you must not use or
>
> disseminate the information. Receipt by anyone other than the
>
> intended recipient is not a waiver of any attorney-client or work
>
> product privilege. If you have received this email in error, please
>
> immediately notify me by "Reply" command and permanently
>
> delete the original and any copies or printouts thereof. Although
>
> this email and any attachments are believed to be free of any virus
>
> or other defect that might affect any computer system into which it
>
> is received and opened, it is the responsibility of the recipient to
>
> insure that it is virus free and no responsibility is accepted by
>
> Transatlantic Reinsurance Company or its subsidiaries or affiliates
>
> either jointly or severally, for any loss or damage arising in any way
>
> from its use."
>
>
>
>
>
>
>
>
>
>
> --
> Tim Bolton
>
> "IMPORTANT NOTICE: The information in this email
>
> (and any attachments hereto) is confidential and may be
>
> protected by legal privileges and work product immunities.
>
> If you are not the intended recipient, you must not use or
>
> disseminate the information. Receipt by anyone other than the
>
> intended recipient is not a waiver of any attorney-client or work
>
> product privilege. If you have received this email in error, please
>
> immediately notify me by "Reply" command and permanently
>
> delete the original and any copies or printouts thereof. Although
>
> this email and any attachments are believed to be free of any virus
>
> or other defect that might affect any computer system into which it
>
> is received and opened, it is the responsibility of the recipient to
>
> insure that it is virus free and no responsibility is accepted by
>
> Transatlantic Reinsurance Company or its subsidiaries or affiliates
>
> either jointly or severally, for any loss or damage arising in any way
>
> from its use."
>
>
>
>
>
>
>
>


-- 
Tim Bolton

JPEG image

JPEG image

Other related posts: