Bookmark: Running EXE Over UNC
https://social.technet.microsoft.com/Forums/windows/en-US/70b2dd7e-833c-4240-92e0-9b865e917307/trusted-sites-and-internet-zone-security-level-gpo-is-not-applying-in-windows-server-2008-r2?forum=winserverGP
Apparently, on server2008, despite a domain-wide GPO was applied dictating the trusted sites zone, it seemed to be NOT applied to server2008 !
More specifically, you can see in Internet Options, tab Security, a yellow info line stating that “Some settings are managed by your system administrator”, but when checking the list with Trusted sites, this turns out to be empty !
The exact GPO setting I’m referring to:
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page :
Site to Zone Assignment List ENABLED
With (example):
http://*.myowncompany.com 2
http://*.microsoft.com 2Despite this setting, when checking in IE on any Server2008, the list of sites in Trusted Zone is EMPTY !!
This is caused by the fact that by default Internet Explorer Enhanced Security Configuration (IE ESC) is ENABLED for both users and administrators !
You can disable it for administrators:
Start > Administrative Tools > Server Manager
under Security Information, click Configure IE ESCUnder Administrators : click Off.
Now, after closing and reopening IE, you will find the list with Trusted Sites in place !
The correct step is this way: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
“Site to Zone Assignment List” , click “Enable” and edit the list.
Add the site and the number two for Trusted Site. (1 = Intranet, 2 = trusted sites, 3 = Internet Zone and 4 = Restricted Site Zone.
To have a list like that (2 is for trusted site)
*.hotmail.com 2
*.outlook.com 2
*.bing.com 2
The PRO of that method:
– It standardizes all domain-joined computers as they will use the same list for everyone.
– It blocks users from entering new trusted sites. Though this can be a con for small offices or for Power Users wanting more autonomy.
The CON of this method:
– It block user for entering new trusted sites. This can be considered a PRO in big offices, as the list is standardized by the IT’s team.
https://blogs.msdn.microsoft.com/microsoft_press/2014/04/14/from-the-mvps-setting-internet-explorer-trusted-site-settings-via-group-policy-object-in-windows-server-2012-r2/
Go to Group Policy and then expand:
Local Computer Policy / User Configuration / Administrative Templates / Windows Components / Attachment Manager
2. On the right pane, double click Inclusion list for low file types.
3. Click Enable.
4. Include the file types such as .exe;.bat;.reg;.vbs in the Options box.
5. Click OK.
Hope this helps.
Regards,
Linda
https://social.technet.microsoft.com/Forums/windows/en-US/5277371b-dea2-4a2b-802a-bbdc639f627f/disable-open-file-security-warning-unknown-publisher?forum=w7itprogeneral