Problem:

Recently I upgraded Internet Explorer on our Citrix farm from IE7 to IE8, everything went fine except for a very important site used for entering customer orders! When users tried to use this site they received the below message with IE.

xss_filter_error.png

Casue:

Internet Explorer 8 has a new security feature call “XSS Filter”, more details on what the “XSS filter” does can be found here;

http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx

Workaround 1:

By default sites that are a member of the “Local Intranet zone” will have the XSS Filter turned off, so if appropriate you could add the effected site to the “Local Intranet zone”

Workaround 2:

In my case the site that was having issues was with in the “Trusted Sites” zone so I felt it was ok to disable the “XSS Filter” for this zone.

You can disable this security feature using a GPO.

  1. Edit or create a new GPO that targets the effected users
  2. Drill-down to User Configuration > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone

Replacing “Trusted Sites Zone” with whatever zone you are interested in, if you are unsure what zone you site is a member of open the site and look in the bottom right corner of IE

xss_filter_site_zone.png

  1. Enable the policy “Turn on Cross-Site Scripting (XSS) Filer” and set the Option to disabled

xss_filter_gpo.png

After doing a gpupdate /force on a client and restarting IE you can verify the setting was applied under Internet Options => Security => Select Zone =>Custom Level

Then scroll to the scripting section near the bottom.

xss_filter_site_verify.png