Why is SiteToZoneAssignment GPO applying, but sites not appearing in IE

group-policyinternet explorerremote-desktop-serviceswindows-server-2012-r2windows-update

We have a Windows server 2012 R2 remote desktop farm, which we have applied a GPO to, to control site to zone assignments.

This was working fine up until recently, but just lately, we have found that this setting is not applying.

If I toggle ESC on, and then back off on the server I am on, the sites now show up in IE zone list for the currently logged in user. It does not however, seem to apply to all users. That list of sites will then follow them to other servers and that user will be ok moving forward.

We use user profile disks, so the users registry hive is not available on that server unless they are logged in, which might explain why it only occurs for the logged in test user.

EDIT: I can see the registry entries being created under HKCU ZoneMapKey and HKLM ZoneMap.

According to this article, IE should read settings from both of those locations, but they simply do not appear in the site list in IE control panel.

Is it possible that there has been an update for 2012 that has altered some ESC registry setting that causes us this issue?

Best Answer

I created a new user account, and when logged on for the first time, it too experienced the same issue with sites not showing in IE, even though the GPO was applied.

I found in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, there is a key called IEHarden (remembered the name back from my 2003 days with a similar ESC kind of issue). It looks like even though the server has ESC turned off, this key is set to 1. When either deleting, or setting this to 0, the sites immediately appear in internet control panel, and works as expected.

So while I know what is causing the problem, and have enough to fudge a workaround by deleting that key for each user on login, I still don't understand why that key is set to 1, or even exists in the first place (some users who could see the sites already, don't even have that key!). Again I can only come back to an update that has messed with IE ESC in some way.

EDIT:

Now have the full answer;

Two of our 8 session host created profiles with the IEHarden key, while the others did not (these two were setup by our consultants, although after asking them they are clueless).

Seems under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap the IEHarden key existed, so was being given to all new profiles created on that server.

Deleted the key from both, and all now back to normal!

Related Topic