AD Group Policy Settings for eRPortal IE Client Config

The following settings are required for the eRPortal software to run. They include registry values, Internet Explorer settings, and changes to the .NET security policy for .NET code loaded from the Trusted Sites zone. All of these settings can be pushed via Group Policy in Active Directory.

Depending on the environment, the required settings can be placed in a new policy assigned to the relevant group of users, or added to an existing policy or the Default Domain Policy.

This document explains which Group Policy objects need to be modified.

  1. Registry settings/new keys

On 64-bit computers:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework
Add EnableIEHosting as a DWORD and set the value to 1.

On 32-bit computers:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework
Add EnableIEHosting as a DWORD and set the value to 1.

User key (both architectures):
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Add HangRecovery as a DWORD and set the value to 0.

Group Policy settings to add the registry keys:

  • On the server, open Group Policy Management and select the policy, or create a new one.
  • Highlight it and choose Edit.
  • Go to Computer Configuration/Preferences/Windows Settings/Registry.
  • Create a New Registry Item for each of the keys listed above.

To prevent the policy from being applied to some users or groups, open Properties and select the Security tab. Add the user or group that should not receive the policy and clear the Read and Apply Group Policy boxes in the Allow column. Press OK.
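The Group Policy Preferences item above is the deployment mechanism; the script below is an added example (not part of the eRPortal document) that checks whether a client actually holds the three registry values listed above, and can write them when run with -Apply in an elevated session or from a startup/logon script. It assumes only the key paths, value names and DWORD data given in the document.

```powershell
# Added example, not from the eRPortal document: audit (and optionally apply) the
# three registry values listed above. Without -Apply it only reports and exits
# non-zero on any mismatch, which makes it usable as a post-deployment check.
[CmdletBinding()]
param([switch]$Apply)

# The document gives one .NET Framework key per architecture; pick the right one.
$netFrameworkKey = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
} else {
    'HKLM:\SOFTWARE\Microsoft\.NETFramework'
}

# Required values exactly as the document lists them (key, name, DWORD data).
$required = @(
    @{ Path = $netFrameworkKey;                                   Name = 'EnableIEHosting'; Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';  Name = 'HangRecovery';    Value = 0 }
)

function Set-RequiredValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the key if it is missing, then write (or overwrite) the DWORD.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-RequiredValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # A missing key or a missing value both come back as $null here.
    $item   = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.$Name } else { '<missing>' }
    [pscustomobject]@{
        Name     = $Name
        Expected = $Value
        Actual   = $actual
        Ok       = ($null -ne $item -and $item.$Name -eq $Value)
        Path     = $Path
    }
}

$results = foreach ($entry in $required) {
    if ($Apply) { Set-RequiredValue @entry }
    Test-RequiredValue @entry
}

$results | Format-Table Name, Expected, Actual, Ok, Path -AutoSize
if ($results.Ok -contains $false) { exit 1 }
```

Run it without -Apply on a client after the policy has refreshed (gpupdate /force) to confirm the HKLM values landed under the correct architecture key and the HKCU value exists for the logged-on user; a non-zero exit code flags any drift.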

  2. Internet Explorer Settings
  • Add the eRPortal server to the Trusted Sites zone.
  • The URL varies by server: for hosted customers it is *.erportalhost.com; for on-premise installations it would be
  • Reset the Trusted Sites zone security level to Low.
  • Set all settings under ActiveX Controls to Enabled for Trusted Sites.
  • Add the eRPortal server (same URL as above) to the Compatibility View sites list.

Group Policy Settings for Internet Explorer:

Site to Zone Mapping allows you to configure trusted sites with Group Policy Administrative Templates. This setting can be found at:

  • Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List
  • User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List

When possible, use the Computer Configuration option, as it does not affect user logons. When you enable the setting, you are prompted for a value name (the website) and a value (the zone number). The possible values and the zones they correspond to are:

  • 1 = Intranet/Local Zone
  • 2 = Trusted Sites
  • 3 = Internet/Public Zone
  • 4 = Restricted Sites

Next, configure the Trusted Sites zone:

  • Set the Trusted Zone template to Low.
  • Set all settings under ActiveX Controls to Enabled for Trusted Sites.
  • Add the eRPortal server (same URL as above) to the Compatibility View sites list.

Configure and enable the corresponding settings for the Trusted Zone Template.
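Because the Trusted Sites zone is set to Low with every ActiveX setting enabled, any site that the Site to Zone Assignment List maps to zone 2 runs with those permissions, so it is worth confirming that the list contains only the eRPortal host(s) and that the zone settings came out as intended. The following read-only audit is an added example, not part of the eRPortal document; the registry locations and value ids it reads are the standard Internet Explorer ones (ZoneMapKey for the assignment list, Zones\2 for the Trusted Sites zone, CurrentLevel for the template level, and the 1001/1004/1200/1201/1405 ActiveX values), none of which the document itself lists.

```powershell
# Added example, not from the eRPortal document: read-only audit of the sites the
# Site to Zone Assignment List policy maps into each zone, and of the effective
# security level and ActiveX settings of the Trusted Sites zone (zone 2).
# Registry paths and value ids are the standard Internet Explorer ones.

# Zone numbers, as in the table above.
$zoneNames = @{ '1' = 'Intranet/Local'; '2' = 'Trusted Sites'; '3' = 'Internet/Public'; '4' = 'Restricted Sites' }

# The assignment list (computer or user policy) is stored under ZoneMapKey as one
# REG_SZ value per site: the value name is the site, the data is the zone number.
$zoneMapPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Get-ZoneAssignments {
    foreach ($path in $zoneMapPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, ... added by the provider
            [pscustomobject]@{
                Site     = $p.Name
                Zone     = $zoneNames["$($p.Value)"]
                Wildcard = $p.Name.Contains('*')    # e.g. *.erportalhost.com covers every host in that domain
                Source   = $path
            }
        }
    }
}

# Zone security level (CurrentLevel) and ActiveX value ids; data 0/1/3 = Enabled/Prompt/Disabled.
$levelNames  = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-High'; 0x12000 = 'High' }
$actionNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$activeX = @{
    1001 = 'Download signed ActiveX controls'
    1004 = 'Download unsigned ActiveX controls'
    1200 = 'Run ActiveX controls and plug-ins'
    1201 = 'Initialize and script ActiveX controls not marked as safe'
    1405 = 'Script ActiveX controls marked safe for scripting'
}

function Get-TrustedZoneSettings {
    # A policy key takes precedence over the user's own zone key, so check those first.
    $candidates = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
    )
    $path = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
    if (-not $path) { return }
    $zone  = Get-ItemProperty -Path $path

    $level     = $zone.PSObject.Properties['CurrentLevel'].Value
    $levelText = if ($null -ne $level) { $levelNames[[int]$level] } else { '<not set>' }
    [pscustomobject]@{ Setting = 'Security level'; Value = $levelText; Source = $path }

    foreach ($id in ($activeX.Keys | Sort-Object)) {
        $raw     = $zone.PSObject.Properties["$id"].Value
        $rawText = if ($null -ne $raw) { $actionNames[[int]$raw] } else { '<not set>' }
        [pscustomobject]@{ Setting = "$id $($activeX[$id])"; Value = $rawText; Source = $path }
    }
}

'== Site to Zone assignments =='
Get-ZoneAssignments | Format-Table Site, Zone, Wildcard, Source -AutoSize
'== Trusted Sites zone (zone 2) =='
Get-TrustedZoneSettings | Format-Table Setting, Value, Source -AutoSize
```

Run it as the affected user on a client after gpupdate /force: the first table should show only the eRPortal URL mapped to Trusted Sites (the Wildcard column highlights entries such as *.erportalhost.com that cover a whole domain), and the second should show Low with the ActiveX values reported as Enabled, sourced from the policy key rather than the user's own key.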

  3. Changing .NET permissions

The following batch file needs to be run as Administrator:

rem 32-bit .NET Framework 2.0
c:
cd\Windows\Microsoft.NET\Framework\v2.0.50727
rem turn off the policy-change confirmation prompt so the script runs unattended
caspol.exe -polchgprompt off
rem change code group 1.2 to match the Trusted zone and grant it the FullTrust permission set
caspol.exe -cg 1.2 -zone Trusted FullTrust
rem 64-bit .NET Framework 2.0 keeps its own policy, so repeat the change there
cd\Windows\Microsoft.NET\Framework64\v2.0.50727
caspol.exe -polchgprompt off
caspol.exe -cg 1.2 -zone Trusted FullTrust
exit

The batch file runs caspol.exe, the Code Access Security Policy tool that ships with the .NET Framework. The first caspol.exe call turns off the policy-change confirmation prompt; the second changes code group 1.2 so that .NET code loaded from the Trusted Sites zone is granted the FullTrust permission set. The commands are repeated for the 32-bit and 64-bit frameworks because each maintains its own security policy.

We can push this batch file with a Group Policy logon script or startup script.

Since the batch file needs to run as Administrator, we recommend using the PsExec utility from Microsoft, which lets us execute the command with elevated privileges.

The wrapper batch file needs PsExec.exe in the same folder and a second batch file containing the caspol.exe commands above. The wrapper also contains hard-coded credentials; we recommend creating a separate account with Domain Admin privileges and using it only for this script.
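Once the script has been deployed, a quick way to confirm on a client that the policy change actually took effect is to list the machine-level code groups of both frameworks and look at what the Trusted zone groups grant. The check below is an added example, not part of the eRPortal document; it assumes the same v2.0.50727 framework paths used in the batch file above and relies on the caspol.exe -m -lg listing format, in which each zone group prints as "Zone - Trusted: <permission set>".

```powershell
# Added example, not from the eRPortal document: verify that the caspol.exe batch
# file took effect by listing the machine-level code groups of the 32-bit and
# 64-bit .NET 2.0 frameworks and reporting what the Trusted zone groups grant.
# Assumes the framework paths used in the batch file above; on a 32-bit client
# the Framework64 entry is simply reported as not found.

$caspolPaths = @(
    "$env:SystemRoot\Microsoft.NET\Framework\v2.0.50727\caspol.exe",
    "$env:SystemRoot\Microsoft.NET\Framework64\v2.0.50727\caspol.exe"
)

function Get-TrustedZoneGrants {
    param([string]$CaspolPath)
    if (-not (Test-Path -Path $CaspolPath)) {
        return [pscustomobject]@{ FullTrust = $false; TrustedZoneGrants = '<caspol.exe not found>'; Caspol = $CaspolPath }
    }
    # "-m -lg" lists machine-policy code groups; each Trusted zone group prints as
    # "<label>.  Zone - Trusted: <permission set>". After the batch file, group 1.2
    # shows FullTrust while the stock 1.5 group still shows Internet, so collect all.
    $listing   = & $CaspolPath -m -lg 2>&1 | Out-String
    $grants    = [regex]::Matches($listing, 'Zone - Trusted:\s*(\S+)') | ForEach-Object { $_.Groups[1].Value }
    $grantText = if ($grants) { $grants -join ', ' } else { '<no Trusted zone group>' }
    [pscustomobject]@{
        FullTrust         = ($grants -contains 'FullTrust')
        TrustedZoneGrants = $grantText
        Caspol            = $CaspolPath
    }
}

$caspolPaths | ForEach-Object { Get-TrustedZoneGrants -CaspolPath $_ } |
    Format-Table FullTrust, TrustedZoneGrants, Caspol -AutoSize
```

A client on which the batch file has run shows FullTrust as True for every framework present; False on a machine that should have received the script points at the PsExec wrapper or the startup-script assignment rather than at caspol.exe itself.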

The output from the batch file should look like this: