Tuesday, November 29, 2011

Active scripting and SSL certificates in IE

When using Internet Explorer 8 or 9, setting security for the Internet Zone to High, or otherwise disabling active scripting in the Internet security zone, breaks your ability to accept invalid (including self-signed) SSL certificates.  You see the warning page, but clicking accept results in an IE error.

Internet Explorer uses a local dll (ieframe.dll) to present warning dialogs to the user. When the user visits a website which presents an invalid SSL certificate for example, the warning dialog (res://ieframe.dll/invalidcert.htm?SSLError=33554432) is shown and the user is prompted whether to accept and continue or not.

When FEATURE_LOCALMACHINE_LOCKDOWN (http://technet.microsoft.com/en-us/library/cc782928(WS.10).aspx) is enabled, which it is by default, ieframe.dll is placed into the Internet Zone. This can be verified by visiting a warning dialog and checking the zone in the page Properties.

This also subjects the warning dialog to any security restrictions placed on the Internet Zone. In cases where the Internet Zone security is raised to High, active scripting is disabled. The SSL warning dialog uses active scripting when the user clicks the link to accept the invalid certificate. The end result is IE produces an error to the effect of "Internet Explorer cannot display the webpage" when the user tries to accept a certificate.

The workaround is to add a mapping which places ieframe.dll in a zone which permits active scripting. On a single machine, simply add res://ieframe.dll to Trusted Sites on a local machine.

You may notice that Internet Explorer interprets this URL strangely in the zone map. It will show up as "about:internet" in the site list. You can also view the registry result under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains.

Finally, putting res://ieframe.dll directly into a GPO for the site to zone mapping is not interpreted correctly. To reproduce this setting via GPO, then, one must zone map "about:internet" as the site in question. This will add the corresponding setting to the registry, and res://ieframe.dll will function again, even with active scripting disabled in the Internet Zone.
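As an added diagnostic (not part of the original post), here is a PowerShell script that checks the two things this workaround hinges on: whether active scripting is actually disabled in the Internet Zone, and what zone mappings are currently present under the ZoneMap\Domains key named above. The registry locations it reads are the well-known IE zone settings: Zones\3 is the Internet Zone, Zones\2 is Trusted Sites, and value 1400 under a zone key is Active scripting (0 = enable, 1 = prompt, 3 = disable). The post does not state the exact subkey IE creates for the "about:internet" entry, so the script lists every mapping rather than assuming a key name, and the Trusted Sites filter at the end is a heuristic on the site and scheme strings.

```powershell
# Diagnostic for the IE zone / active scripting problem described in the post.
# Assumed (well-known) locations, not taken from the post:
#   Zones\3 = Internet Zone, Zones\2 = Trusted Sites
#   value "1400" under a zone key = Active scripting (0 enable, 1 prompt, 3 disable)
#   ZoneMap\Domains = per-site subkeys (subdomains nest as child keys),
#                     each holding per-scheme DWORDs whose data is the zone number

$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-InternetZoneActiveScripting {
    # Returns the raw 1400 value for the Internet Zone (zone 3), or $null if the value is not set.
    $key = Join-Path $inetSettings 'Zones\3'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.'1400'
}

function Get-ZoneMappings {
    # Walks ZoneMap\Domains and emits one object per (site, scheme, zone) entry.
    # Subkeys nest (Domains\example.com\www -> www.example.com), so the site name
    # is rebuilt by reversing the path segments below the Domains key.
    $root = Join-Path $inetSettings 'ZoneMap\Domains'
    if (-not (Test-Path $root)) { return @() }
    $rootPath = (Get-Item $root).PSPath
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key = $_
        $rel = $key.PSPath.Substring($rootPath.Length).TrimStart('\')
        $parts = $rel -split '\\'
        [array]::Reverse($parts)
        $siteName = $parts -join '.'
        foreach ($valueName in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($valueName)
            New-Object PSObject -Property @{
                Site     = $siteName
                Scheme   = $valueName
                Zone     = $zone
                ZoneName = $zoneNames[$zone]
            }
        }
    }
}

# 1. Is active scripting disabled in the Internet Zone? (That is the trigger for the broken cert warning.)
$activeScripting = Get-InternetZoneActiveScripting
switch ($activeScripting) {
    $null   { Write-Host 'Internet Zone active scripting (1400): not set in HKCU (browser default or policy applies)' }
    0       { Write-Host 'Internet Zone active scripting (1400): enabled' }
    1       { Write-Host 'Internet Zone active scripting (1400): prompt' }
    3       { Write-Host 'Internet Zone active scripting (1400): DISABLED - the invalidcert.htm accept link will fail without a zone mapping' }
    default { Write-Host "Internet Zone active scripting (1400): unexpected value $activeScripting" }
}

# 2. List every current zone mapping so the about:internet / res://ieframe.dll entry can be located.
$mappings = @(Get-ZoneMappings)
Write-Host "`nZoneMap\Domains entries in HKCU: $($mappings.Count)"
$mappings | Sort-Object Zone, Site | Format-Table Site, Scheme, Zone, ZoneName -AutoSize

# 3. Heuristic: Trusted Sites entries whose site or scheme looks like the workaround mapping.
$candidate = $mappings | Where-Object { $_.Zone -eq 2 -and ($_.Site -match 'internet|ieframe' -or $_.Scheme -match 'about|res') }
if ($candidate) {
    Write-Host 'Found a Trusted Sites mapping that looks like the ieframe.dll / about:internet workaround:'
    $candidate | Format-Table Site, Scheme, Zone -AutoSize
} else {
    Write-Host 'No Trusted Sites mapping resembling about:internet / res://ieframe.dll found in HKCU.'
}
```

The script only reads the registry; it does not add the mapping. Run it before and after adding res://ieframe.dll to Trusted Sites to see exactly which subkey and scheme value IE wrote, which is the entry the GPO "about:internet" mapping needs to reproduce. Keep in mind that the workaround deliberately moves the local warning pages from the Internet Zone (zone 3) into Trusted Sites (zone 2), whose defaults are more permissive, so the mapping should stay scoped to that single URL as the post describes. Mappings pushed by GPO land under the Policies hive rather than HKCU, so on a domain-joined machine an empty HKCU listing does not by itself mean the workaround is absent.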
