6

This seems like it shouldn't be hard, but I haven't had any luck with either guessing or searching. I'll admit I'm no Windows guru, so forgive me if the answer should be obvious.

I'm trying to get Windows to stop giving me security warnings when I open files or links from a DFS share. I already have a GPO in place which does this for a couple of other network shares:

Policies
  Administrative Templates
    Windows Components
      Internet Explorer
        Internet Control Panel
          Security Page
            Site to Zone Assignment List

Here, I've added host1.mydomain.org and host2.mydomain.org to zone 1 (intranet), and the network shares from these hosts are correctly treated as trusted intranet sites.

However, I now want to add \\mydomain.org\shares to the intranet zone as well. Adding it just like that appears not to work (and on my client machine it appears in the list as file://*.mydomain.org). Other things I've tried include *.mydomain.org and explicitly listing the hosts where the DFS shares originate.

"Turn on automatic detection of the intranet" is also enabled, although I've never been clear on how that actually works.

Servers and DCs are 2008 R2 and clients are (mostly) 7 Pro.

Edit: The next day, it appears that the listing of mydomain.org is in fact having the desired effect. I hadn't logged out and back in during testing; I just did a gpupdate /force and confirmed that the GPO settings appeared in the Internet Options dialog. Is this a bug or just another arcane Windows thing that I don't quite understand?

eaj
  • For those finding this via a search: run gpedit.msc to edit the policy nicely enumerated above, then gpupdate /force – Stan May 12 '16 at 22:48

2 Answers

3

When refreshing group policy it is usually necessary to log out, and for some settings a restart (sometimes 2!) is necessary. I wouldn't call it arcane, but it won't be obvious if you don't have documentation regarding group policy processing.

will
  • 1
    I understand that, but when I saw that the GPO settings appeared properly in the Internet Settings after the gpupdate, I naturally assumed they had been applied. – eaj Oct 06 '11 at 14:30
  • 1
    Ok. I wonder if the network connection to the share was still alive, then had to be recreated to be recognized under the new security zone setting for the policy to take effect? – will Oct 06 '11 at 15:20
  • 1
    That sounds like a pretty good theory to me. You win the green checkmark. :) – eaj Oct 06 '11 at 15:27
3

The shell (explorer.exe) is caching the policy. Simply restart the shell and many settings will start to be applied. There is no need to log out/back in for many scenarios.

Exiting the shell:

  • Windows 7: Ctrl+Shift+right click on blank area of Start Menu | Exit Explorer
  • Windows 8: Ctrl+Shift+right click on Start Menu button | Exit Explorer

Restarting shell:

  • Ctrl+Shift+Esc, File | New Task (Run...) | "explorer"
INCANDE
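
To tell "the policy has been written" apart from "a process actually treats the share as intranet", the check below may help. It is an added example, not part of the original question or answers. It assumes Windows PowerShell on the client, reads the standard registry location that the Site to Zone Assignment List policy writes to, and uses the `\\mydomain.org\shares` path from the question.

```powershell
# Added example: run in a newly started Windows PowerShell session after gpupdate,
# so the zone lookup is not served from an older process's cached view.
$target = '\\mydomain.org\shares'   # DFS namespace path from the question

$zoneNames = @{
    '0' = 'My Computer'; '1' = 'Intranet'; '2' = 'Trusted Sites'
    '3' = 'Internet';    '4' = 'Restricted Sites'
}

# Standard location of "Site to Zone Assignment List" entries (user and computer policy)
$subKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

$entries = @()
foreach ($hive in 'HKCU:', 'HKLM:') {
    $path = Join-Path $hive $subKey
    if (-not (Test-Path $path)) {
        Write-Host "$path : no policy entries found"
        continue
    }
    $key = Get-Item $path
    foreach ($site in $key.GetValueNames()) {
        $zone = [string]$key.GetValue($site)
        $entries += New-Object PSObject -Property @{
            Hive = $hive; Site = $site; Zone = $zone; ZoneName = $zoneNames[$zone]
        }
    }
}

# 1) What the GPO wrote to the registry
$entries | Select-Object Hive, Site, Zone, ZoneName | Format-Table -AutoSize

# 2) What zone this (fresh) process resolves for the share
$resolved = [System.Security.Policy.Zone]::CreateFromUrl($target).SecurityZone
Write-Host ("{0} resolves to zone: {1}" -f $target, $resolved)

if ($resolved -ne [System.Security.SecurityZone]::Intranet) {
    Write-Warning "Share is not in the Intranet zone for this process; check the entries above."
}
```

If the registry entries are present and a new process resolves the share to `Intranet` while Explorer still shows warnings, that is consistent with the already-running shell holding the old zone mapping, as the answers above suggest.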