Can't log onto HTTPS websites while using a mandatory profile
Hello, I am in IT support for a school district, and we are implementing Windows 7 at a new school, and have run into a problem accessing certain webpages. I will do my best to describe the situation and environment involved, so it may be a long post with plenty of irrelevant information, so bear with me, but here goes:
The symptom we are seeing is that when students try to log in to a secure website, the login fails and they only receive an "Internet Explorer Cannot Display the Webpage" page, with a "Diagnose connection problems" button. The easiest way to check if the pages will work is just to visit gmail.com, though several sites can exhibit the problem. Other websites are accessible, I can go to Bing, and perform searches, everything works there, but most sites that require logins are failing to the "Page cannot be displayed".
We do have a content filter, but I have verified that we are not blocking any ports or addresses related to this website at this level. Turning the content filter completely off during off hours we were still able to reproduce the problem.
We are running Windows 7 Professional 32-bit Service Pack 1 on the client machines. They have all current recommended updates, including Internet Explorer 9.
The domain controller is Windows Server 2008 R2 Enterprise, as well as the file server which stores profiles and documents.
We have created a mandatory profile that is used for all student accounts, and I think this is where the problem exists. All students are members of a security group, which has full read and execute permissions to the student profile share as well as the mandatory profile folder itself.
We have had some partial success with this problem by unlocking the mandatory profile by changing ntuser.man back to ntuser.dat, and logging in as a student account temporarily made local admin on the machine, and then logging into the novanet website, which works in these conditions. Upon logoff after the profile has been synched back to its location on the file server, we change it back to ntuser.man. Then clearing all old profiles from the machine, and logging back in as a student using the mandatory profile, we can now log into novanet on some machines and not others, in other words it is not consistent enough to call fixed.
Another problem is that even if this method worked 100%, we would have to unlock the profile to "customize" it for every site a student could conceivably log onto, which is not very practical. Since this appears to be a larger issue, solving it at its root would be the most helpful.
Another thing we tried was to make an individual student a local administrator on a machine, and then log onto the machine using the mandatory profile, which still fails.
We have tried compatibility mode and enabling SSL and TLS protocols in Internet Options, also to no avail; the only thing that seems to allow it to work consistently is to leave the profile non-mandatory, which we would like to avoid.
What other options am I missing here, any suggestions at all?
Thank you for taking the time to read this!