Saturday Link Roundup–Bitlocker & Display Driver Crashes

Bitlocker Group Policy Settings
How can I prevent users from using USB removable disks (USB flash drives) by using Group Policy (GPO)?

Display driver stopped responding
Limiting Repetitive GPU Hangs and Recoveries
Display Driver Stopped Responding and has Recovered [Solved]
TDR Registry Keys

Microsoft: Understanding Web Proxy Configuration
How a $5 Raspberry Pi Zero can hack your locked laptop
local .pac-file URL format that works with IE and Safari (Windows)?

Internet Explorer Compatibility Mode

“When people inside the building visit our web site, IE Compatibility mode is being forced on.  People on the internet don’t get compatibility mode.  Please fix.”

Internet Explorer Compatibility mode was created by Microsoft for corporate customers.  It was first introduced with Internet Explorer 8.  Corporate customers predominantly had websites coded for Internet Explorer 6.  Websites in the “Intranet” Security Zone get Compatibility Mode.

The solution to the customer query is to configure their webpage to specify what compatibility mode it is compatible with.  Microsoft have some guidance on this:
Defining document compatibility
Attaining IE8 Site Compatibility – Short Reference
Understanding Compatibility Modes in Internet Explorer 8
Specifying legacy document modes

If you visit a website with Internet Explorer, and press the F12 key, you’ll launch the Developer Tools screen.
IE Compatibility Mode

The webpage shown in the Developer Tools screenshot above is running in IE8 Standards mode.  The IE8 Standards mode has been forced by the X-UA-Compatible meta tag.


Some other things to be aware of.

Document Mode vs. Browser Mode
Document Mode
Influences how the page displays in the browser.
The web server can force the document mode to what it wants.  In the example above, “IE8 Standards” mode has been forced by the X-UA-Compatible tag.
So, in essence, the Document Mode setting is “owned” by the web server.

Browser Mode
Browser Mode, simply put, is Internet Explorer telling the web server what it can display.
In a corporate environment, placing a site into the Intranet Zone forces IE Compatibility Mode on.

Document Mode will in all (most?) cases override Browser Mode.
And this makes sense when you think about it.  The web server, and the webpage author, should know what their webpage is designed for.

Gotchas I’ve seen / heard of:

  • Placing the X-UA-Compatible meta tag in the HEAD section AFTER any scripts or CSS, DOES NOT WORK
  • The X-UA-Compatible meta tag MUST be in the HEAD section before all other elements except for the title element and other meta elements.
  • Having multiple X-UA-Compatible meta tags in the one page DOES NOT WORK.
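
The placement rules in the list above can be checked mechanically before a page is deployed. The following is an added example, not code from the original post; the function name `lint_x_ua_compatible` and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

ALLOWED_BEFORE = {"title", "meta"}  # only these may precede the tag, per the list above


class HeadScanner(HTMLParser):
    """Records where X-UA-Compatible meta tags sit inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.blocker = None   # first <head> child that is not <title>/<meta>
        self.modes = []       # content value of each X-UA-Compatible tag found
        self.late = []        # the blocker that preceded each misplaced tag

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif self.in_head:
            attrs = dict(attrs)
            if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "x-ua-compatible":
                self.modes.append(attrs.get("content"))
                if self.blocker:
                    self.late.append(self.blocker)
            elif tag not in ALLOWED_BEFORE and self.blocker is None:
                self.blocker = tag

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def lint_x_ua_compatible(html):
    """Return a list of problems; an empty list means the tag is placed correctly."""
    scan = HeadScanner()
    scan.feed(html)
    scan.close()
    problems = [f"X-UA-Compatible appears after <{b}>" for b in scan.late]
    if not scan.modes:
        problems.append("no X-UA-Compatible meta tag in <head>")
    elif len(scan.modes) > 1:
        problems.append(f"{len(scan.modes)} X-UA-Compatible meta tags found")
    return problems


# Constructed sample pages (not taken from the customer's site).
GOOD = '<html><head><title>t</title><meta http-equiv="X-UA-Compatible" content="IE=8"><link rel="stylesheet" href="s.css"></head><body></body></html>'
AFTER_SCRIPT = '<html><head><title>t</title><script src="a.js"></script><meta http-equiv="X-UA-Compatible" content="IE=8"></head></html>'
DUPLICATE = '<html><head><meta http-equiv="X-UA-Compatible" content="IE=8"><meta http-equiv="X-UA-Compatible" content="IE=7"></head></html>'

if __name__ == "__main__":
    for name, page in [("GOOD", GOOD), ("AFTER_SCRIPT", AFTER_SCRIPT), ("DUPLICATE", DUPLICATE)]:
        print(name, lint_x_ua_compatible(page) or "ok")
```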

Intranet site is identified as an Internet site when you use an FQDN or an IP address
When you access a local area network (LAN), an intranet share, or an intranet Web site by using an Internet Protocol (IP) address or a fully qualified domain name (FQDN), the share or Web site may be identified as in the Internet zone instead of in the Local intranet zone. For example, this behavior may occur if you access shares or Web sites with Microsoft Internet Explorer or Windows Internet Explorer, with Microsoft Windows Explorer, with a command prompt, or with a Windows-based program when you use an address in any one of the following formats:
  • \\\Share
  •  \\\share
  •  file://

What happens when you uninstall Internet Explorer 8?

It makes itself hard to reinstall.  The install program looks at the registry and decides, “heck, I’m already installed.”

At least that’s happened when I had to reinstall it via Microsoft SMS.  Perhaps it’s a feature of using a Corporate IE8 install (via IEAK).

Here are the registry keys it leaves behind:






And the GUID of this key may/will change:


Internet Explorer 8 – users complained it was freezing

They were just upgraded from Internet Explorer 6.  I have two guesses why this was happening:

  1. IE6 would have been freezing as well, but because each website was in its own browser process, the user would just close the frozen Internet Explorer, and that was that.
  2. Users now had TABBED browsing, and were using the new functionality to open websites in TABs.  A website would freeze, say due to Adobe Flash or Shockwave; and Internet Explorer 8 would freeze.

The solution I eventually found?

For up to 10 TABs, allow each TAB to run its own iexplore.exe process.  You can do this via a registry key called TabProcGrowth.

TabProcGrowth >1: multiple tab processes will be used to execute the tabs at a given MIC level for a single frame process. In general, new processes are created until the TabProcGrowth number is met, and then tabs are load balanced across the tab processes.
Microsoft "We know IE!" Blog: Opening a New Tab …

TabProcGrowth is a DWORD registry entry, which you set under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main.

For my users, I’ve set TabProcGrowth to 10.

Further reading:
We know IE! blog: Opening a New Tab may launch a New Process with Internet Explorer 8.0
HttpWatch: Seven Things You Should Know About IE 8

The "Always ask before opening this type of address" issue

We’re rolling out a new version of Internet Explorer for a customer.  They were on IE6…

During the pilot, they reported this issue.

The error above is actually generated by a Windows feature called the "Attachment Manager".

"The Attachment Manager in Windows can help protect your computer from unsafe attachments that you might receive with an e-mail message and from unsafe files that you might save from the Internet."

It seems I had gotten two things wrong.

  1. failed to configure the corporate internet address as being in the "Intranet" zone.
  2. failed to configure the Attachment Manager at all.

So about that Attachment Manager.
The group policy to configure Attachment Manager can be found in System.Adm.
I created an Attachment Manager-only ADM file, which you can download here.

Some reference articles:
Description of how the Attachment Manager works in Microsoft Windows
How To Configure Trusted Sites In Internet Explorer For A Group Policy
Why don’t the file timestamps on an extracted file match the ones stored in the ZIP file?

Internet Explorer Security Tab Restrictions

One of our web developers contacted me, and asked how they could look at the settings for the Trusted Zone in Internet Explorer.  The Custom Level and Default Level buttons were greyed out.  And it’s not an Admin vs. Non-admin rights problem, as I have the same problem:

Internet Options - Security - Custom settings

The answer? Set the Security_options_edit value to 0 (that’s zero) in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings key.

The Web Developer can now play to her heart’s content.  (if the Web Developer wanted to remove all of the group policy settings, they could do that by following these instructions.)

A breakdown of the security tab restrictions follows.


“No, you can’t upgrade Internet Explorer 6”

Many don't have a choice.  They are using work computers and can't upgrade.

In a week when one of our customer’s senior management team said
“No, we’re not upgrading Internet Explorer 6, we’re waiting for Internet Explorer 8 in Windows 7”

A user rings up and tells me “Google Maps doesn’t work with Internet Explorer 6.  I want Internet Explorer 8”

It was with some sense of Schadenfreude that I pointed the user at their senior management.

(graphic from the most excellent: The Life, Times (and Death?) of Internet Explorer 6 (Comic Strip))

Yes, we want our customers on a later browser.  But the customers have internal business websites, which we don’t manage; which only work with IE6.

It’s enough to make an IT support guy cry.

If you’re silly enough to be using IE6 on your home PC?  It’s time to stop using it.


Semi-regular web-link clearance (3) – January 2010

How to Install GPMC on Server 2008, 2008 R2, and Windows 7 (via RSAT)

Can You See Me – Open Port Check Tool

Is a free utility for remotely verifying a port is open or closed. It will be useful for users who wish to check to see if a server is running or a firewall or ISP is blocking certain ports.

Setting up a Windows 7 Media Center

Windows XP Power Management and Group Policy Preferences

Windows XP only has one active power scheme for the entire computer and that scheme is based on the current or previously logged on user—that is to say Windows XP power schemes are only user-based. This means the power scheme can change as each user logs on. Also, it means that last logged on user’s power settings are the settings that remain once the user logs off. And yes, each user has its own power configuration; however, the entire operating system only has one active power scheme.

PHP and IE8 Web Slices

Internet Explorer 8 (IE8) shipped with a new feature for web users called Web Slices. … Essentially it lets you add enhanced links to your favorite bar that allow you to preview snippets of content from websites that you frequently visit without having to open up the page. It’s really useful to do little tasks like check on your web based Inbox, check the weather in cities you live or visit, traffic status, stock tickers, headlines, sports, the list goes on and on and you can check the IE add-on gallery for more examples of useful web slices and for inspiration.

How to customize default user profiles in Windows 7 (KB973289)

To customize a default user profile or a mandatory user profile, you must first customize the default user profile. Then, the default user profile can be copied to the appropriate shared folder to make that user profile either the default user profile or a mandatory user profile.


Internet Explorer has issues with session cookies, fancy that.

The problem was reported thus.

Internet Explorer is not storing session cookies for XYZ website.  The session cookies are stored when we use Firefox.

Two hours later, I can tell you that:

  • I learnt more about web cookies than I will ever need to know again.
  • Firefox does things differently to Internet Explorer.

Gentle reader, Session Cookies are cookies which exist only while your web browser is open.  They are deleted when you close your browser.  They are often used to cache your user name and password.

If you don’t have your username/password cached, you repeatedly get prompted for it.  Which is annoying.  Hence the need for session cookies.

So I started investigating the cookies not being stored issue.  The first thing I noticed was that Internet Explorer wasn’t even bothering to write the cookie down to the local hard disk.  So I broke out the network sniffer (Wireshark).  It didn’t tell me much, as all the web traffic was encrypted.

The next step was to load up Fiddler, the Web Debugging Proxy.  Fiddler allows you to inspect all the encrypted web traffic between your computer and the rest of the world.  The session cookie that the XYZ website was trying to push down had the following details:
Web browser cookie

There are two issues with this session cookie:
Cookie - Expires Parameter

  1. It sets an Expires date.
    This normally means that it is a Persistent Cookie, and not a Session Cookie.
    In other words, we should not see Expires in a session cookie.
  2. The Expires date was set to a date/time in the past, which is not supported behaviour either.
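
The two checks above can be run against any Set-Cookie value copied out of a Fiddler capture. This is an added example, not code from the original post; the function name `audit_set_cookie`, the cookie names and the dates are constructed, and it also treats a Max-Age attribute as making a cookie persistent, which goes slightly beyond the Expires case discussed here.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def audit_set_cookie(value, now=None):
    """Check one Set-Cookie value for the two issues listed above."""
    now = now or datetime.now(timezone.utc)
    pair, *rest = [part.strip() for part in value.split(";")]
    name = pair.partition("=")[0]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    result = {"name": name, "kind": "session", "findings": []}
    if "expires" not in attrs and "max-age" not in attrs:
        return result                      # no lifetime given: a true session cookie

    result["kind"] = "persistent"
    if "expires" in attrs:
        result["findings"].append("Expires is set: persistent cookie, not a session cookie")
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            result["findings"].append("Expires date could not be parsed")
            return result
        if expires.tzinfo is None:         # treat a zone-less date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            result["findings"].append(f"Expires is in the past ({expires.isoformat()})")
    return result


# Constructed samples; NOW is pinned so the results do not depend on today's date.
NOW = datetime(2010, 1, 15, tzinfo=timezone.utc)
BROKEN = "XYZSESSION=abc123; path=/; expires=Thu, 01 Jan 2009 00:00:00 GMT"
SESSION = "XYZSESSION=abc123; path=/; HttpOnly"
PERSISTENT = "prefs=dark; expires=Sat, 01 Jan 2011 00:00:00 GMT"

if __name__ == "__main__":
    for sample in (BROKEN, SESSION, PERSISTENT):
        print(audit_set_cookie(sample, NOW))
```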

So why does it work with Firefox then? – Firefox seems to be treating the expired Expires date as no date at all.  So it defaults to a Session Cookie.

Internet Explorer? – A bit more complicated:







Some further reading:
The Unofficial Cookie FAQ
Wikipedia HTTP Cookies
