What’s the best new feature of Microsoft Application Virtualisation 4.5? There’s plenty to pick from, but I’m digging the new Vista style icons:
SoftGrid has suffered from some clunky UI in the past, but thankfully 4.5 had made plenty of changes in the client, sequencer and server console which are most welcome. There are still some icons that haven’t been updated yet - here’s hoping they don’t get missed for the final release.
Want the Remote Desktop Connection 6.1 client for Windows XP but can’t update to Service Pack 3 or Windows Vista? No need to hack files from SP3, just grab the update from here:
Update for Windows XP (KB952155)
Install this update to use new Terminal Services features on a computer that is running Windows XP Service Pack 2 connecting to computers that are running either Windows Vista or Windows Server 2008 operating systems.
There’s a MUI pack available too. The knowledge base article for this update should be available soon, hopefully. Unfortunately there doesn’t appear to be an update available for Windows Server 2003.
Last week I wrote about avoiding Explorer’s Security Warning prompts, this time around I want to document a related fix that I’ve had to implement because Explorer’s expected behaviour was not just not working.
First a quick background on what we’re trying to solve. By default, Windows Explorer will place network locations (mapped drives and UNC paths) with a period (.) in the path, into the the Internet zone. This means that when users access files from these locations, they will see security warnings like these:
These warnings attempt to ensure users are aware of the potential risks when opening files from un-trusted locations. You can make a location trusted by adding it to the Local Intranet or Trusted Sites zones. This is exactly what you would do via script, Group Policy or some other workspace management tool, for your internal network locations, so that users do not see these prompts. However, a bug exists where drives mapped to these network locations are not placed into the right zone.
If you map a drive to a UNC path that that includes two or more periods in the name you will see that the network drive is marked as being in the Internet zone even though you may have added the location to the Local Intranet zone. In my example here, I’ve mapped drive S: to \\dc.dev.local\Apps, and as you can see, it’s in the Internet zone:
If I open the same location via a UNC path you will see that Explorer sees it as being in the Local Intranet zone:
Oddly enough, if I map a network drive to a path with only a single period on that path, the detection process works correctly and the location is seen as Intranet. In the example here, I’m mapping a drive to the same location as the previous two screen shots, but via a DFS path - \\dev.local\Public\Apps that redirects to \\dc.dev.local\Apps.
This issue is addressed in the following knowledge base article:
The article details a hotfix that is available for Windows Vista and Windows XP Service Pack 2 and the issue has been addressed in Windows Vista Service Pack 1 and Windows XP Service Pack 3. For Windows Server 2003 the issue is fixed in the latest cumulative security update for Internet Explorer. To install the fix when deploying this update you need to use the QFE switch:
IE7-WindowsServer2003-KB950759-x86-ENU.exe /B:SP2QFETo enable the fixed behaviour for each of the operating system versions, including Vista SP1 and XP SP3, you also have to add the following registry value. See the KB article for more details.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESPECT_ZONEMAP_FOR_MAPPED_DRIVES_KB929798]
"*"=dword:00000001For anyone who can’t yet deploy Windows Vista SP1 or Windows XP SP3, you may be able (I haven’t tested) to deploy the IE cumulative security update instead of the hotfix.
Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 made some changes to the way Windows handles specific file types opened or downloaded from certain locations, which results in Open File – Security Warning prompts like these:
Quite often users see these prompts in environments where files are opened from UNC paths (think mapped drives or redirected folders) on Distributed File System namespaces. If you have this scenario (which I think you should be) because you are doing something like redirecting Start Menus, you can disable these prompts for your internal network locations.
Ideally you would do this by deploying specific Intranet zone settings (as in the screenshots below) or adding your internal sites to the Intranet zone via a script, Group Policy (Preferences or Internet Explorer Maintenance) or your tool of choice.
There’s a heap of information on how this stuff works at these links:
But all of that is not really the point of this post. I stumbled across a really simple method of telling Windows to avoid those checks and just open the files – create the environment variable SEE_MASK_NOZONECHECKS and set it to 1. You can set this as system environment variable but it appeared to be a little more consistent if set as a user environment variable. Not recommended for wide scale deployment but useful none the less.
