If the GPO was never enabled or even linked in your 2nd case, there is no way in heck that it will be applied to any systems. You can confirm that by running GP Results against one of those systems. In any case, I don't see anything that you did effecting those ActiveX prompts. Also note that setting site-to-zone assignments has no impact at all on whether IE runs in Protected mode. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Tim Bolton Sent: Wednesday, August 20, 2008 5:39 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Vista - Enable Protected Mode I was setting the sit-to-zone assignments (all default settings). The GPO was Linked but NOT enabled. There was an issue while documenting that were the payroll person could not access an important site. Of course all eyes looked my way... This turned out to be a Server Side 500 error. Nothing I was doing - or the new ISA server - had anything to do with it. However the GPO was deleted to make sure and several gpupdate /force commands were run. So now I recreated the GPO with the same settings. This time it is neither Linked or Enabled. I am now getting a call from one of the directors that his Vista PC is prompting him to load ActiveX controls for almost everyone of their frequented sites. If they place the site into their Trusted Sites the are no longer prompted. This is an option that is not acceptable and once again all eyes are looking my way. 1) Would setting the sit-to-zone assignments (all default settings) cause the Vista PCs to start prompting? I thought that Protected Mode was on by Default..? 2) To verify that I made any changes or to turn off Protected Mode I would have to make changes to the UAC settings in GP. Is this not the case..? 3) Would anything that I have done caused this issue? I don't see how, but I have minimal testing with Vista only. I do not even own a copy. Most of my time has been spent trouble shooting and documenting what I have found for an upcoming migration to new equipment, so changes have been absolutely minimal. Feel free to shoot me an email off line if you want further info jsclmedave at Gmail DOT com On Tue, Aug 19, 2008 at 7:21 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote: I'm a bit confused, Tim, by what your issue is. Is it that you set some site-to-zone assignments on IE, then removed the underlying GPO, and they are still being delivered? I guess I'm missing the connection between UAC and what you're seeing. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Salandra, Justin Sent: Tuesday, August 19, 2008 5:12 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Vista - Enable Protected Mode Try installing the RSAT tools on Vista SP1 Justin A. Salandra Network Engineer jsalandra@xxxxxxxxxxx ------------------------------------------ MCSE(rgb) MCTS(rgb)_528_534 From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Tim Bolton Sent: Tuesday, August 19, 2008 5:32 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Vista - Enable Protected Mode I am going to try to RDP into a vista box in the morning then load the client side GP there. I was also going to run GPRESULT /H %TEMP%\UserRSOP.htm /scope user and GPRESULT /H C:\ComputerRSOP.htm /scope computer Especially sine RSOP does not work correctly on Vista SP1. Not sure what else to do... On Tue, Aug 19, 2008 at 4:18 PM, Salandra, Justin <jsalandra@xxxxxxxxxxx> wrote: You will not see the UAC settings from a 2003 Server running GPMC, can you run it for a Vista machine? Justin A. Salandra Network Engineer jsalandra@xxxxxxxxxxx ------------------------------------------ Error! Filename not specified. Error! Filename not specified. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Tim Bolton Sent: Tuesday, August 19, 2008 4:47 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Vista - Enable Protected Mode I am working with a new site and was setting the Internet Security Zones for IE6 and IE7. The GP was Linked but not enforced. I was setting them to the Default Zone Settings when an issue arose with access to a site for a user completing payroll. This turned out to be a Server Side error. However, for a just in case measure, the new GP was un-linked and then deleted. I ran gpupdate /force to clean up any issues. We installed an ISA server about a month ago. Since then no changes have been made to it. Now I am told that the Vista PCs are getting prompted to add ActiveX controls. When the user RT clicks they only get info not the ability to add. The users are able to add the site to the Trusted List and that takes care of the prompt. However, the users do not want to have to perform this task for every site they go to and they are indicating that this started a couple of weeks ago, even though they have had these Vista PCs for over a year. I am checking ISA one more time. I have run the modeling test with that user and all indications are that the Default Domain policy is winning out. However, since I am RDPing into a 2003 Server, I cannot even see the Vista UAC settings or anything else that would affect Vista. Would the settings to IE6 and IE7 apply to the Vista instance even though it was not enforced? The ONLY thing I done this last week and this week is document AND gpupdate /force. I am wondering if I woke up the Vista PCs..? Any advice will be greatly appreciated... -- Tim Bolton "IMPORTANT NOTICE: The information in this email (and any attachments hereto) is confidential and may be protected by legal privileges and work product immunities. If you are not the intended recipient, you must not use or disseminate the information. Receipt by anyone other than the intended recipient is not a waiver of any attorney-client or work product privilege. If you have received this email in error, please immediately notify me by "Reply" command and permanently delete the original and any copies or printouts thereof. Although this email and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to insure that it is virus free and no responsibility is accepted by Transatlantic Reinsurance Company or its subsidiaries or affiliates either jointly or severally, for any loss or damage arising in any way from its use." -- Tim Bolton "IMPORTANT NOTICE: The information in this email (and any attachments hereto) is confidential and may be protected by legal privileges and work product immunities. If you are not the intended recipient, you must not use or disseminate the information. Receipt by anyone other than the intended recipient is not a waiver of any attorney-client or work product privilege. If you have received this email in error, please immediately notify me by "Reply" command and permanently delete the original and any copies or printouts thereof. Although this email and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to insure that it is virus free and no responsibility is accepted by Transatlantic Reinsurance Company or its subsidiaries or affiliates either jointly or severally, for any loss or damage arising in any way from its use." -- Tim Bolton