IE Hangs for non-Admin users

[Guest]

I am one of three Desktop administrators in an environment consisting of
5000+ Windows XP Service Pack 1 desktops.

Our Helpdesk reports that by far the biggest call they are getting is to do
with Internet Explorer "hanging" when clicking on certain links (eg. "My
Ebay" link) or when trying to access the Media sidebar.

To date, the "usual" fixes are applied (clear TIF, clear History, Reboot,
Re-register DLLs, repair Internet Explorer), which fixes the problems as they
occur, however this is time-consuming and preventing the problem occurring in
the first place would potentially reduce calls to the Helpdesk by almost 5%.

Important factors:
- The desktop environment is VERY locked down. As mentioned, only 3 users
have Administrator rights, and there are no "Power Users". All users are just
"Users"

- The problem does not happen on all computers and can't easily be replicated

- Anecdotal evidence suggests that it happens after "about 3 weeks" but
there is no hard and fast data to back this up

- Moving to Service Pack 2 is NOT an option, due to the number of computers
involved and the massive cost to the business to test all applications (270+)
against the new SP2 features such as the Firewall and other security
"enhancements"

- All computers are completely up to date with all pre-SP2 hotfixes and
updates

- All computers are thoroughly checked for viruses, trojans and spy/adware

- The problem does not occur with users in the Administrators group

I *think* I have found a solution (see below), but would like further advice
before I proceed.

Investigation using the Regmon tool has revealed that, on computers that are
hanging, IE is trying to "crerate" the registry key
"HKLM\Software\Microsoft\CurrentVersion\Internet Settings\Connections", even
though that key already exists, and is returning an "Access Denied" error
message. Immediately after this occurs, the browser completely stops
responding.

If I change permissions on that registry key to allow Full Control for all
users, the problem goes away immediately, and I have confirmed that this
"fix" corrects the problem instantly on 5 different computers.

At this stage, I am considering using group policy to open this key up, but
I can't find any information regarding the possible implications, or reasons
for this.

Obviously the first question is "WHY is IE attempting to write to a section
of the registry to which users don't/shouldn't have access?" and the second
is "WHY is IE trying to create a key that already exists?"

Beyond that, any feedback would be appreciated.

Regards,
Stuart Travers
Department of Justice
Melbourne, Australia

 

[Rob Parsons]

I think you got the Registry Key wrong. Do you mean

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings

Anyway, Under that key there are some interesting values.. One of them being
UserAgent\PostPlatform

Usually no write access to the HKLM nodes is requested by IE. Its all HKCU
r/w and HKLM r/o.

My guess is that there is a third-party bho or perhaps even an in-house boh
or toolbar that is attempting ot write to this key to inject a UserAgent
value at this key.

You can test this easily by disabling third-party browser helper objects
(Advanced tab/Internet Options) on a test puter.

or just type the following into the address bar

javascript:alert(navigator.userAgent);

to view the useragent settings.

Oh. It may be a possibility that with machines that have the .net framework
installed, that this has been done with a user account and that windows is
still trying to inject the .Net CLR useragent strings on the HKLM... Can't
test this myself.

I will accept 1% of you Support Budget if this is the cause. Thx... sic.

 

[Guest]

Thanks for the suggestion but the registry key I initially stated is
DEFINITELY correct:

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

There are DEFINITELY no third-party or non-standard BHOs, and users do not
have the required permissions to add their own. All other software is
packaged in MSI format and installed with an Administrator account via SMS.

The process attempting to create the key is IEXPLORE.EXE.

Once the problem occurs, IE will hang when clicking certain links (the My
Ebay example is one) and also when trying to open the Media sidebar.

I did note that the My Ebay link is unusual in that it points to a DLL on
the ebay server
(http://my.ebay.com.au/ws/eBayISAPI.dll?MyeBay&ssPageName=h:h:mebay:AU)
whereas links that still work are just standard links to html, asp etc.

I'm really tempted to just open this key across all computers via group
policy and see if we get fewer support calls, but I'm not 100% certain what
the implications of opening the key would be.

Regards,
Stuart Travers
Department of Justice
Melbourne, Australia

 

[Rob Parsons]

Hi Stuart,

Hear's a url to look at
http://support.microsoft.com/default.aspx?scid=kb;en-us;182569

Nothing specific about the key in question but there is info about group
policy for security and ratings.

I am no networking expert, so I am only guessing, but it is obvious that
somewhere there is a user policy that is different from those of the
Administrator account.

In the Group Policy control panel (gpedit.msc) under the User
Configurations\Windows Settings\Internet Explorer
Maintenance\Security\Security Zones and Content Ratings
choose Content Ratings - Modify button to display the Content Advisor
dialog.
On the Approved Sites tab check you approved sites listing.
On the General tab, try changing the User options settings..
Users can see sites that have no rating
Supervisor can type a password to allow users to view restricted content

If you are using the RSACi content advisory service here is a link to
important information

http://www.icra.org/support/contentadvisor/#3

Regards.

 

[Guest]

Again, thanks for the suggestion, however I don't think it's a question of
content being restricted by policy, simply that IE is trying to create a key
under HKLM (even though the key doesn't exist) and can't because normal
"users" don't have access to that key.

Note also that IE security is set by group policy and the Content Advisor is
turned off (restricted sites/content are blocked at proxy server level).

Also note that the problem links USUALLY work for all users, but
intermittently this problem crops up on PCs, and opening the permissions on
this key fixes the problem instantly.

Any other ideas?

 

[Charlie Tame]

Again, thanks for the suggestion, however I don't think it's a question of
content being restricted by policy, simply that IE is trying to create a
key
under HKLM (even though the key doesn't exist) and can't because normal
"users" don't have access to that key.

Note also that IE security is set by group policy and the Content Advisor
is
turned off (restricted sites/content are blocked at proxy server level).

Also note that the problem links USUALLY work for all users, but
intermittently this problem crops up on PCs, and opening the permissions
on
this key fixes the problem instantly.

Any other ideas?

Well, could it be that once the key exists the permissions to create it
become irrelevant? I mean is it simply a key that should be there in the
setup but somehow was missed? I appreciate that if this key has to be
changed this is worthless but if it's simply a matter of "If key not exist
then create it" somewhere in the link processing maybe it's not a real
problem? You wouldn;t have to leave the permissions open permanently then,
just create the key once. I haven't been paying proper attention but was
just curious

Charlie

 

[Guest]

And again the suggestion makes perfect sense so thanks, however the key
already exists, and IE doesn't actually make any changes to it.

For some weird reason, IE sends a "Create Key" to the registry (even though
the key is already there) and Windows returns "Access Denied" (again, even
though the key is there).

Even worse, once I do open up the permissions IE makes absolutely no changes
to the key or its contents, so there's a routine somewhere in IE that says
"hey, let's go create this key" without first checking to see if it already
exists, so Windows says "nope, you don't have permission to do that, sorry",
again without first checking to see if the key exists.

Crazy, crazy stuff.

 

[Charlie Tame]

We are assuming that IE is not looking for that key and then simply trying
to create it - are we sure IE is not looking, or is it maybe that IE is
looking but is somehow blocked from finding it - not all the time of course,
just sometimes when some set of conditions happen to occur?

You mentioned that SP2 is out of the question so I'm wondering (since SP2
was supposed to be a lot to do with security) if someone has suggested that
SP2 might fix this and if so whether it's a glitch in security somewhere
rather than an IE fault per se.

I must admit my knowledge of group security policy isn't worth a light, but
your problem seems intriguing, especially where machines are pretty well
locked down.

http://www.microsoft.com/technet/pr...Ref/01bdc344-efcb-45f5-b7ef-aa6f8f0b8c47.mspx

mentions this key - if you haven't seen this page does it ring any bells?

Charlie