We know IE!

Slow performance in Internet Explorer 8 after installing the Skype v4.1 application

Brent Goodpaster — Fri, 17 Jul 2009 15:00:00 GMT

Hi everyone!

We’re seeing another emerging issue around Internet Explorer that we wanted to make you aware of…

If you are seeing slow performance within Internet Explorer 8 (opening new tabs, for example), after just recently installing the latest version of the Skype application (v4.1), this could be the cause. We believe the reason behind this performance issue is an IE add-on that gets installed by the latest revision of the Skype software.

To resolve this issue quickly, please open Managed Add-Ons and disable the installed Skype IE add-on:

Please note: So far, we are only seeing this issue with this specific version of Skype in conjunction with Internet Explorer 8.

Regards,

The IE Support Team

Unexpected behaviors and failures in Internet Explorer with McAfee Host Intrusion Prevention installed

Brent Goodpaster — Thu, 16 Jul 2009 19:00:00 GMT

Hi everyone!

IE Support is seeing a huge influx of issues with weird IE behaviors and failures coming in over the last two days. We are seeing IE crashes, IE simply unloading from memory, and even script errors on web application that have been working in the past without issue. Currently, we are only seeing these errors with Internet Explorer 7 and 8.

The issue appears to be related to a recent signature update to McAfee’s Host Intrusion Prevention software that was released on July 14, 2009.

If you are seeing these kinds of behaviors with Internet Explorer since in or around the July 14th, 2009, we recommend that you review the details outlined in this McAfee KB article:

https://kc.mcafee.com/corporate/index?page=content&id=KB66316

Our understanding is that a signature update has already been released to resolve this issue. However, if you need further assistance from McAfee technical support in getting the signature update, you can contact them using the information located here:

http://www.mcafee.com/us/about/contact/index.html

More information: You can continue to browse in a limited capacity by starting Internet Explorer in No Add Ons mode by using the shortcut located under All Programs | Accessories | System Tools until you update the affected signature file:

There is also a command line option you can use as well. From a command line window you can using the below option:

Once you hit enter, IE will load with no Add Ons within the IE process:

Regards,

The IE Support Team

FYI: The patch has been released for the vulnerability outlined in KB972890, see MS09-032

Brent Goodpaster — Tue, 14 Jul 2009 17:00:00 GMT

Just in!

A cumulative release is now available for the vulnerability outlined in KB972890. Details and downloads can be found here:

http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx

If you have any questions regarding what do you if you already have a workaround in place, please review the FAQ for MS09-032 using the link above.

Please note:

The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

Regards,

The IE Support Team

Group Policy ADM template to implement the workaround from Security advisory 973472

Brent Goodpaster — Tue, 14 Jul 2009 16:30:00 GMT

Hi everyone!

Axel here from the IE Team with a quick Group Policy ADM template to help implement workaround described in security advisory 973472. I am also including the .reg file and .adm templates for both x86 and x64 versions.

Please note: This is an “as is” template, so feel free to tweak it as needed.

Important: This policy requires that you disable filtering in the group policy editor. See steps below on how to set this up.

How to load the Custom ADM Template?

To start Group Policy, click Start and then click Run. In the Open box, type GPedit.msc or GPMC.msc if from a Domain policy and then click OK.
Select Administrative Templates from the Computer Configuration branch.
Right-click the Administrative Templates branch, and then select All Tasks.
Select Add/Remove Templates.
Click Add.
Load the ADM templates.

Please note: Windows 2003, Windows XP will display the policy under: Administrative Templates > New Policy

Here is how you disable the Group policy filer:

Right click on the Policy and select View > detail > Filtering
Remove the check mark from the check box next to "Only show policy settings that can be fully managed"
You should see the template now.

x86 ADM Template

;####################### Begin x86 adm setting ###########################

CLASS MACHINE

CATEGORY "Group Policy workaround for KB973472, x86"

POLICY "MS 973472 Activex component {0002E541-0000-0000-C000-000000000046}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}"
EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472"
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY

POLICY "MS 973472 Activex component {0002E559-0000-0000-C000-000000000046}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}"
EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472"
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY

[strings]
kb973472="kb973472"
kb973472="Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution "

;####################### End of x86 adm setting ###########################

x64 ADM Template

;####################### Begin x64 adm setting ###########################

CLASS MACHINE

CATEGORY "Group Policy workaround for KB973472, x64"

POLICY "MS 973472 Activex component {0002E541-0000-0000-C000-000000000046}"
KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}"
EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472"
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY

POLICY "MS 973472 Activex component {0002E559-0000-0000-C000-000000000046}"
KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}"
EXPLAIN "Group Policy to disable CLSIDs outlined in the workaround section of kb973472"
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY

[strings]
kb973472="kb973472"
kb973472="Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution "

;####################### End of x64 adm setting ###########################

x64 Registry key

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400

x86 Registry key

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400

We also have the above samples available to download here.

Regards,

The IE Support Team

IE8: VS 2005 Script debugging is broken after installing IE8 on Windows Vista

Brent Goodpaster — Tue, 14 Jul 2009 16:00:00 GMT

Hi everyone!

Veena here to discuss an issue that might affect developers using Visual Studio 2005 to perform client side script debugging.

After you install Internet Explorer 8, you may no longer be able to perform client side script debugging using Visual Studio 2005. This issue is discussed in http://blogs.msdn.com/greggm/archive/2009/04/01/script-debugging-broken-in-vs-2005-after-installing-ie8.aspx.

Typically, setting the registry value : TabProcGrowth to a DWORD value of 0 is sufficient to resolve this problem. However, if you are using Windows Vista, you need to follow ALL of the steps below to resolve this issue:

1) Install VS 2005 update for Vista from http://www.microsoft.com/downloads/details.aspx?FamilyID=90e2942d-3ad1-4873-a2ee-4acc0aace5b6&displaylang=en.

2) Install Visual Web Developer express from http://www.microsoft.com/express/vwd/Default.aspx. This is to update PDM.DLL to the required version.

Please note: You don't need to actually use it and can remove it after it is installed. Visual Web Developer express is the free Express SKU for VS2008.

3) Set the registry value : TabProcGrowth to a DWORD value of 0 under HKCU\Software\Microsoft\Internet Explorer\Main.

4) Run Visual Studio 2005 with elevated permissions.

Please note: This is a problem in Visual Studio 2005 and doesn’t happen with Visual Studio 2008.

Regards,

The IE Support Team

How to bypass the web page to save Internet Explorer 7 settings

Brent Goodpaster — Tue, 14 Jul 2009 13:00:00 GMT

Hi everyone!

Here’s a quick blog to help users and administrators by-pass that initial web page asking you to save your settings after IE7 is installed…

After installing Internet Explorer 7 all users are supposed to save their settings, the IE automatically redirects the page to "http://go.microsoft.com/fwlink/?LinkId=74005" which redirects to "http://runonce.msn.com/runonce2.aspx" till the user saves the settings to set their preferences such as the default search engine, whether turn on automatic Phishing Filter, language settings and so on.

If the customer does not want to be auto-directed to this web page, then they need to follow the below steps. Two values should be added/modified in the registry, so that IE 7 will go to the home page instead of the external link above:

1. Open the regedit.exe applet.
2. Go to registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
3. Right-click this key and select New -> DWORD Value.
4. On the right pane, create the new value to RunOnceComplete.
5. Right-click RunOnceComplete and click “Modify” and set the value data to 1.
6. Repeat Step 3 to Step 5 to create/modify the value name RunOnceHasShown and set the value data to 1.
7. Restart the IE 7 to see if it still visits the Save settings web site.

If you are familiar with using .REG files, then you can use what’s below to create one and use:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"RunOnceComplete"=dword:00000001
"RunOnceHasShown"=dword:00000001

Please note: IE7 will query the two values RunOnceComplete and RunOnceHasShown every time it starts. If these values have been set as depicted above, IE will visit the home page set in the IE control panel.

For terminal server, you can set a log-on script, so that these two values will be added and set automatically when users connect to the server.

Regards,

The IE Support Team

Custom ADM template for managing “Check for publisher's certificate revocation” in Internet Explorer

Brent Goodpaster — Thu, 09 Jul 2009 19:00:00 GMT

Hi everyone!

We’ve had some requests come in asking for an ADM template that would give Administrators the option to Enable or Disable the “Check for publisher's certificate revocation” Internet Explorer option. In any event, here it is. Simply cut/paste the content below into a file with .ADM extension and then add custom template manually:

CLASS USER
CATEGORY "Windows Components"
CATEGORY "Internet Explorer"
CATEGORY "Internet Control Panel"
CATEGORY "Advanced Page"
POLICY "Check for publisher's certificate revocation"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
EXPLAIN "Custom ADM template to Enable/Disable the IE advanced option, “Check for publisher's certificate revocation”"
PART State DROPDOWNLIST REQUIRED
VALUENAME "State"
ITEMLIST
NAME Enabled VALUE NUMERIC 146432
NAME Disabled VALUE NUMERIC 146944
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY
END CATEGORY
END CATEGORY

Please note: You will need to disable the Group Policy filter option, “Only show policy settings that can be fully managed”, before the custom ADM template policy will be displayed:

Well, that’s all for now!

Regards,

The IE Support Team

Quick and dirty Group Policy ADM template to implement the workaround from KB972890

Brent Goodpaster — Wed, 08 Jul 2009 20:30:00 GMT

Hey folks!

We’ve received many many requests asking if the workaround mentioned in KB972890 can be implemented via Group Policy. To that end, we’ve put together an ADM template to help Domain Admins roll this out through Group Policy. It’s an “as is” template, so feel free to tweak it as needed.

Important: This policy requires that you disable filtering in the group policy editor. See steps below on how to set this up.

How to load the Custom ADM Template?

To start Group Policy, click Start and then click Run. In the Open box, type GPEdit.msc or GPMC.msc if from a Domain policy and then click OK.
Select Administrative Templates from the Computer Configuration branch.
Right-click the Administrative Templates branch, and then select All Tasks.
Select Add/Remove Templates.
Click Add.
Load the ADM templates.

NOTE: Windows 2003, Windows XP will display the policy under: Administrative Templates > New Polcy

Here is how you disable the Group policy filer:

Right click on the Policy and select View > detail > Filtering
Remove the checkmark from the checkbox next to "Only show policy settings that can be fully managed"
You should see the template now.

Please see the attached file below that contains the ADM templates.

Note:

We have updated the template base on some great feedback from our readers. When the policy is enable will set the value to hex 1024 and when disable to 0.

In the Zip file [ADM_KB972890_v_07-09-09.zip], you should find:

The IE 32 bit custom adm version: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]
The IE Wow6432Node (x64) custom adm version: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility
The registry export (.reg) export for both IE 32 bit and x64 IE version.
Readme.txt with our Registry import disclaimer.

Related Article:

FixIT available for the vulnerability in the Microsoft Video ActiveX Control, Microsoft Security Advisory (972890)

Regards,

The IE Support Team

FixIT available for the vulnerability in the Microsoft Video ActiveX Control, Microsoft Security Advisory (972890)

Brent Goodpaster — Tue, 07 Jul 2009 12:00:00 GMT

Hi Everyone!

Just wanted to let everyone know that a FixIT is currently available to help users protect themselves against this latest ActiveX Control vulnerability outlined here: http://www.microsoft.com/technet/security/advisory/972890.mspx

The FixIT, when run, will automatically disable the Microsoft Video ActiveX Control. More information, as well as the FixIT files themselves, can be found here: http://support.microsoft.com/kb/972890

Related Article:

Regards,

The IE Support Team

How to disable DEP/NS Memory protection in IE 8 via policy

Brent Goodpaster — Thu, 02 Jul 2009 20:00:00 GMT

Hi Everyone!

Axel again, from the IE Escalation team, with another Group Policy pointer.

Recently, I was asked to assist in disabling DEP (Data Execution Prevention) for Internet Explorer. This can be done from Group. The policy will allow you to turn off the Data Execution Prevention feature that is now on by default when you install Internet Explorer 8. There are good reasons why this is turned on by default and you should read about it here before making a conscious decision to turn it off with this policy.

Please note: Please understand, that the policy should only be implemented if absolutely necessary as bypassing Memory Protection could cause serious damage to your computer and organization.

Policy description: This policy setting allows you to turn off the Data Execution Prevention feature for Internet Explorer on Windows Server 2008, Windows Vista SP1 and Windows XP SP3.

If you enable this policy setting, Internet Explorer will not opt-in to Data Execution Prevention on platforms that support the SetProcessDEPPolicy API.

If you disable or do not configure this policy, Internet Explorer will use the SetProcessDEPPolicy API to turn on Data Execution Prevention protection on platforms that support the API.

This policy has no effect if Windows has been configured to enable Data Execution Prevention.

Location: Computer Configuration > Internet Explorer > Security Features > Turn off Data Execution Prevention

Screenshot of the policy:

More information:

IE8 Security Part I: DEP/NX Memory Protection: http://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx
How do I improve my website and add-ons?: http://www.microsoft.com/windows/internet-explorer/readiness/developers-existing.aspx

Regards,

The IE Support Team

How to disable IE Enhanced Security on Windows 2003 Server silently?

Brent Goodpaster — Tue, 23 Jun 2009 17:00:00 GMT

Hi Everyone!

Axel Rivera again from the IE Escalation team with another IE Enhanced security topic for your viewing pleasure!

UPDATE: I have tested the .exe and .bat file that will disable IE Enhanced Security for both Windows 2003 and Windows 2008 TS Servers. The key is that you have to execute the files while logon with the problem user. Basically, once your user have these setting on their profile, the only way to remove it is to either Delete the profile and let it re-create again from a fixed profile or execute the fix mention in this article.

In this Blog I would like to share a batch file I use to help disable IE Enhanced Security silently on Windows 2003 servers. The challenge is that if you have multiple servers, removing it from server console is not practical and can require tremendous administrative overhead.

Please note: This is the the same task can be achieved from the Windows Add Removed Programs User Interface.

Cut and paste the lines below into notepad and save the file as "DisableIEES.bat". This will create a simple batch which can be used to disable IEES (IE Enhanced Security):

:: START

::Related Article

::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server

::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

:: This will add the entry, as some cases we have seeing that the value is not even there, causing other problems. so, we just add it and later delete it

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

::Removing IE Enhanced Security from System

Rundll32 iesetup.dll,IEHardenUser

Rundll32 iesetup.dll,IEHardenAdmin

Rundll32 iesetup.dll,IEHardenMachineNow

:: Disabling IEHarden for user

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /V "IEHarden" /t REG_DWORD /d 0 /f

:: Removes form Add Remove Components

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /t REG_DWORD /d 0 /f

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /t REG_DWORD /d 0 /f

::Removed the Values from the IEHarden installed components key

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va

::END

Here is where you can set the login script in a policy:

> From Start\run type: gpedit.msc

> From User Configuration

> Windows Settings

> Scripts(logon\logoff)

> Select Logon

> Click on the Add... btn

> Click on the Browse... bnt

> Navigate to the directory where you have the file I sent you (EXE or BAT)

[You can copy the file to the default Logon script directory: %windir%\system32\grouppolicy\user\scripts\logon]

> Apply and OK btn to complete

> Close GPEdit.msc

> Start\run type: gpupdate /force to update the policy

> Login with a profile you know have the problem and see if this takes care of the problem.

More information:

There are two parts to turning off IE Enhanced Security.

We need to first identify the registry keys used to change the IE Enhanced Configuration Settings.

Here are the keys as a .reg export format:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]

"IsInstalled"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]

"IsInstalled"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

@=""

"IEHarden"=dword:00000000

"UNCAsIntranet"=dword:00000000

"AutoDetect"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]

"iehardenadmin"=dword:00000000

"iehardenuser"=dword:00000000

Then, we use the rundll32.exe command to execute the IEHarden.inf with some parameters to help turn off , the Machine "IEHardenMachineNow", Administrator "IEHardenAdminand" and User "IEHardenUser" configuration.

Here is the command I use to turn off IE Maintenance using the IEHarden.inf file:

Rundll32 iesetup.dll,IEHardenUser

Rundll32 iesetup.dll,IEHardenAdmin

Rundll32 iesetup.dll,IEHardenMachineNow

After you execute the batch file from an existing user profile, you should consider logging out and login back in to make sure the changes take effect. New users should now have IE Enhanced Security disabled.

You can download an executable that will perform the change for you.

Regards,

The IE Support Team

How to bypass the security warning "Unknown Publisher" with the checkbox "Always Ask Before Opening this File"

Brent Goodpaster — Fri, 19 Jun 2009 20:00:00 GMT

Hi everyone!

Axel here from the IE Escalation team with a scenario related to Security Warning - Unknown Publisher pop-up when executing a file that came from a non trusted source.

Please note: The example below sets HIGH RISK files types to LOW RISK so that they can be executed without having to honor the warning dialog. We are creating this example because many corporate customers request this change to make their day-to-day operations easier to maintain. With that said, setting these options in attachment manager can put your system at risk, so please fully read the external documentation available on Attachment Manager and weigh the risks involved before making the decision to allow these files types to be executed without warning the user.

I am sharing this out because the immediate assumption is that by just adding the server name to the Local or Trusted Site zone will allow the file to be executed, which is not accurate. Once the file comes down from the untrusted source and with the Block file stream (see Fig. 1.1), until you remove the attribute you wont be able to run it without first getting the warning mentioned in this blog, see fig. 1.0.

Fig. 1.0 [Screenshot of the Warning with the checkbox “Always ask before opening this file” option]

Fig. 1.1 [Screenshot of the executable properties, showing the Security Unblock option]

Here is what it may look like once you have unchecked the option next to “Always ask before opening this file”.

Fig. 1.2 [Here is what you will still get, even after you have removed the checkbox]

Once you add the unc path to either the Local or Trusted Sites Zone, you will no longer get the warning.

In the above example, we can see that the application did not have a digital signature that verifies its publisher, so we will have to do more work to bypass the warning. You can either have the executable signed using signcode.exe or use the Build in Windows Attachment Manager Policy.

The reason why you get the warning in the first place is because in Windows XP/SP2 and Windows 2003/SP1 we have introduced a new feature called Attachment Manager. This feature was added to help protect your computer from unsafe file attachments. This include accessing files across your network (e.g \\servername\share), files that you might receive with an e-mail message and from unsafe files that you might save from the Internet.

If the Attachment Manager identifies an attachment that might be unsafe, the Attachment Manager prevents you from opening the file, or it warns you before you open the file.

Here are the steps to bypass the warning using Attachment Manager Group Policy. I am also including the registry key modified by the policy.

From Start Run type: gpedit.msc

From User Configuration> Administrative Template> Windows Components> Attachment Manager

Set the following:

Configuration Settings:

> Default risk level for file attachments: Set it to Enabled and Set the default risk level to[Low Risk]

> Inclusion list for low file types: Set it to Enabled and add the file extension [.exe;.vbs;.msi]

> Do not preserve zone information in file attachments: Set it to Enabled.

Close Gpedit.msc and run gpupdate /force

Screenshot of the policy:

Final Step:

> Add the UNC to Local Intranet or Trusted Sites

> Log off and log back in

> Test accessing the UNC share

Registry keys:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]

"LowRiskFileTypes"=".exe;.vbs;.msi"

"DefaultFileTypeRisk"=dword:00001808

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]

"SaveZoneInformation"=dword:00000001

Article below explains everything about Attachment Management.

883260 Description of how the Attachment Manager works in Windows XP Service Pack 2 http://support.microsoft.com/default.aspx?scid=kb;EN-US;883260
How would you sign your file. You could use signcode.exe from Microsoft. Here is also an article:
Steps for signing a .cab file: http://support.microsoft.com/default.aspx?scid=kb;en-us;247257

Regards,

The IE Support Team

How do I add the ‘X-UA-Compatible’ HTTP Header to a NGINX Web Server?

Brent Goodpaster — Fri, 19 Jun 2009 17:30:00 GMT

Hi Everyone!

It’s Bac again with another solution for you…

Just in case you are running NGINX Web Server and wondering how to add the ‘X-UA-Compatible’ HTTP Header to the web server, here are the steps:

1) Open the nginx.conf file in WordPad from nginx\conf folder

2) Add the line in red below to the server{..} section and save

…

server {

listen 80;

server_name localhost;

#charset koi8-r;

add_header 'X-UA-Compatible' 'IE=EmulateIE7';

#access_log logs/host.access.log main;

location / {…

3) Stop and restart NGINX server

Please note: the above steps have been tested on version 0.6.

For information on how to add this Header to IIS Server see http://msdn.microsoft.com/en-us/library/cc817572.aspx and Apache Server see http://msdn.microsoft.com/en-us/library/cc817573.aspx

Regards,

The IE Support Team

Change in behavior with Internet Explorer 7 and later in regard to CONNECT requests

Brent Goodpaster — Thu, 18 Jun 2009 12:00:00 GMT

Hi everyone!

Well, we’ve come across another behavior that some of you are running into so we thought it was time to do a quick write up on the behavior and why it has changed. The behavior is a little complicated if you are real savvy with how IE makes connections using the HTTP protocol. Hopefully, we can give you an overview of the behavior that won’t bore you to tears!

Starting with IE7, a behavior change has been made in how IE handles Server certain response codes to web browser connections that originate as a CONNECT request. Specifically, if a CONNECT request is made by IE to a Web Server and it receives a Server response to that CONNECT request with something other than 200, IE could reject that response as invalid (ERROR_HTTP_INVALID_SERVER_RESPONSE).

Below is an example of what you might see when connecting to a secure web site with IE using an initial CONNECT with a Proxy Server in between the IE client machine and the Web Server you are connecting to:

CONNECT www.MyTestSSLSite.com:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: www.MyTestSSLSite.com
Pragma: no-cache

HTTP/1.1 200 Connection established
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Via: 1.1 MyTestProxyServer

This is a working example because the Server response to the CONNECT request is a level 200 response code which means the CONNECT request by the IE client has been honored.

Of course, this isn’t the scenario in where IE fails to honor the Server response. Failure cases we see are when a Proxy Server returns a Server response code other than the expected 200, as seen above. This can happen for several reasons and is often done purposely by Proxy Server. The below response, for example, will indeed be rejected by IE is connecting to a Web Server, through a proxy, where a CONNECT request would be used to make the initial secure HTTP connection:

HTTP/1.1 302 Redirected
Date: Wed, 17 June 2009 14:21:38 GMT
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Location: http://10.1.0.5/MyTestRedirectPage.html

As you can see in this second example above, the Server response code is now a 302 instead of the 200 expected by IE. This Server response is telling the IE client to redirect it’s request to a different site than it made the initial CONNECT request to. Allowing this Server response to be honored by the IE client would be risky because the Proxy Server could return content that IE would interpret as being from the origin server, which Microsoft sees as an unsecure scenario and so honoring the 302 response in this scenario is no longer allowed. This change in behavior doesn’t mean that all Server responses which are not 200 are rejected. Support for 400-level response codes are still valid and honored in the above scenario.

Please note: You can see HTTP protocol traffic using an HTTP tracing tool such as Fiddler or a network analyzer tool such as Microsoft Network Monitor. Of course the CONNECT request is setting up a secure HTTP connection and so further traffic will be encrypted. A debug version of wininet.dll can allow you to view encrypted HTTP traffic via the wininet log it can generate.

Well hopefully this blog was more entertaining that fingernail scratches on a chalkboard – until next time!

Regards,

The IE Support Team

Printing functionality fails in Internet Explorer 7 and 8 on Windows XP

Brent Goodpaster — Tue, 16 Jun 2009 18:30:00 GMT

Hi everyone!

We’ve got an emerging issue showing up in our support channels in where IE printing functionality (printing, print preview) fails on the Windows XP operating system. This issue is specific to IE7 and IE8 and we have only reproduced the issue with service pack 3 installed, thus far, but we certainly aren't ruling out other platforms that can install and run either of these revisions of IE.

The behavior is easily recognizable as you will see a blank screen within the print preview dialog instead of the page to print out. Furthermore, if you try and actually print the page, nothing happens and the page does not print out.

Please note: Some user have noted seeing this behavior after installing the latest IE cumulative update, KB969897.

In troubleshooting this behavior, we have found that uninstalling the Microsoft Software Inventory Analyzer software, via Add or Remove Programs option in Control panel, resolves these printing functionality issues. This is our recommendation.

Deeper troubleshooting of this issue indicates a registry key added by the Microsoft Software Inventory Analyzer, may be the root cause of the failure. The registry key in question is seen below:

[HKEY_CLASSES_ROOT\.dlg]

@="MsiaUtils"
"Content Type"="application/msia-dlg"

Removal of this registry key also seems to resolve the printing functionality issues within Internet Explorer. However, if you are not proficient at using the registry editor tool, we do not suggest using this method but instead suggest that you simply uninstall the Microsoft Software Inventory Analyzer software.

You can also remove the extension type via Explorer:

1. From the Windows desktop, double-click on My Computer.
2. Click on Tools and then Folder Options from the menu.
3. Click on the File Types tab within the Folder Options dialog.
4. Within the Registered file types listing, find the DLG extension.
5. Highlight and then click the Delete button and then choose Yes to remove.

Please note: This tool is not supported by Product Support Services.

We have some new information coming in that the inclusion of this key seems to be effecting the rendering of text inside CSS styled textboxes. Applications, for example WordPress, may be negatively affected as well.

UPDATE!

We’ve been working directly with the MSIA team and they have informed us that they will be making a code change to the product to help resolve this issue. More detail on the availability of this update can be found here. The MSIA teams also suggests that instead of just removing the above values from the registry, that users install, use, and then uninstall the MSIA tool to mitigate the app-compat issue with IE. This is because removal of the registry information can cause certain areas of the MSIA tool to fail, such as the feedback and licensing display forms.

Regards,

The IE Support Team