Ask the Doctor - 17 May 2000

SEND US YOUR TIPS AND QUESTIONS.
For answers to more of your Windows 2000 and Windows NT questions, visit our online discussion forums at http://www.win2000mag.com/forums.

My company's ISP gave us a range of IP addresses that I've assigned to my internal servers and printers; I've assigned the addresses using the Network Address Translation (NAT) features that our Cisco 2501 router (which sits behind a Cisco PIX firewall) provides. I want to install Microsoft Proxy Server 2.0 on one of my servers to provide caching and to check user access permissions to browse the Internet. I want the users to be able to use a browser through the proxy server to go out through our Cisco PIX firewall. All the equipment, including the router, is sitting behind the firewall. How can I make this scenario work?

I recently set up a similar scenario—an internal server that runs Proxy Server 2.0 and resides behind a Cisco PIX firewall—for one of my clients. My client's organization, like yours, wanted to use Proxy Server's caching features and leverage the NT user database for access control, rather than let everyone go out directly through the PIX firewall.

In this setup you must make sure that the PIX firewall's NAT features are properly translating the IP address assigned to the proxy server's "external" NIC. (I use quotation marks because both NICs are technically internal and behind the firewall.) To make this determination, simply test a local browser's ability to connect to the Internet. Or, perform another test of your choice that confirms Internet connectivity on the proxy server. If that test works, and all the clients connect to the proxy server's "internal" NIC/IP address, everything will work fine. In this situation, you're essentially creating a NAT-to-NAT scenario in which the proxy server provides the first level of IP translation and the PIX firewall provides the second.

My company's Windows NT environment uses roaming profiles, which are great for users who log on to different machines in the office. However, logon and logoff times have recently become extremely sluggish. I was baffled until I checked the User Profiles tab in the Control Panel System applet on one user's machine—the user's profile was larger than 170MB. Further checking revealed that other users had the same problem. I checked the users' profile directory structures (in C:winntprofilesusername) but couldn't find any large files that might explain the abnormal profile size. Why are these profiles becoming so large, and what can I do about it?

Bloated roaming profiles that cause poor logon and logoff performance are one of the most common problems I encounter. Here's a quick rundown of the typical causes of this problem.

By far, the biggest culprit contributing to excessively large roaming profiles (or any bloated profile) is Microsoft Internet Explorer's (IE's) Temporary Internet Files folder. By default, IE places this folder in the user's profile directory (e.g., in C:winntprofilesusernametemporary internet files). Over time, IE can store enormous amounts of cached data in this directory, and all this data must synchronize to and from the server at logon and logoff. You can alter this behavior in several ways.

The first option is to change IE's configuration so that it doesn't save cached pages when you close the browser (i.e., IE clears the contents of the Temporary Internet Files folder at shutdown). To enable this option, choose Internet Options from the View or Tools menu. On the Advanced tab, go to the Security section and select the Delete saved pages when browser closed or Empty Temporary Internet Files folder when browser is closed check box. (These options delete cached pages, but not cookies, from the folder.)

If you need to make this change on several machines and you're willing to reinstall IE, you can use the Internet Explorer Administration Kit (IEAK), the Outlook Deployment Kit (ODK), or Microsoft Office 2000 Setup (essentially a superset of the IEAK and ODK) to establish this option as a default for the browser. However, if you use the IEAK, ODK, or Office 2000 Setup to modify this behavior, you'll need to set an additional option: During setup, clear the Disable Roaming Cache option. (This option appears during the setup wizard, within the User Profiles section of the System Policies and Restrictions configuration.) Although this step seems counterintuitive, the Microsoft article "How Not to Save Cached Internet Files with Roaming User Profiles" (http://support.microsoft.com/support/kb/articles/q185/2/55.asp), assures that it is the appropriate setting.

If reinstalling IE on all your machines doesn't appeal to you, you can use System Policy Editor (SPE) to implement a system policy file (i.e., ntconfig.pol) that includes references to the Registry value that controls this behavior. The IEAK and ODK ship with a policy template file called inetset.adm. This file contains several IE-related policy settings, including one to disable saving cached pages at exit. If you load this .adm policy template file into SPE with your other templates (e.g., winnt.adm, common.adm), you'll have a new Advanced Settings menu whenever you create or edit a user policy. If you select the Delete saved pages when browser closed check box on this menu, which Screen 1 shows, IE will discontinue caching pages in the Temporary Internet Files folder.

If neither option appeals to you, or if you want to prevent more than the Temporary Internet Files folder from roaming, you have a third option. In NT 4.0 Service Pack 4 (SP4) or later, you can use a system policy file to instruct NT to exclude specific directories within the profile when the system saves the profile back to the server. This policy, which Screen 2 shows, is part of the winnt.adm policy template file; you can find it in the Windows NT User Profiles section of any user policy. To use this policy, select the Exclude directories in roaming profile check box and enter the directories you want to exclude, separated by a semicolon. You must enter the directory string relative to that directory's position from the root of the user's profile folder. For example, Temporary Internet Files is in the profile's root directory, so all you need to enter is Temporary Internet Files. However, if you want to exclude the C:winntprofilesusernameapplication datamicrosoftoutlook folder from roaming, you must enter it as Application DataMicrosoftOutlook (without a leading backslash).

Apart from IE's cache folder, the other major space culprits I've found inside user profile directories are Outlook Personal Storage Folders (i.e., .pst files) and miscellaneous large files that users have stored on their desktop or in a desktop subfolder. In these cases, you might need to tell users to avoid storing these large files in their profile folder and teach them how to move the files to a better location. SPE also contains an option that lets you limit the size of a user's profile. The user receives an error message if the profile exceeds this limit during the profile's synchronization at logoff.

Determining which is the most effective method to reduce profile size depends largely on the number of machines involved and which approach will work best for you. If you have many machines to change, I recommend the system policy or redeployment methods. Although this problem also affects Windows 2000 (Win2K), it does so to a lesser degree because Win2K has a more efficient algorithm than NT 4.0 has for copying roaming profiles to and from the server. However, for best performance, you'll still want to make sure that profiles remain as small as possible.

My Microsoft Outlook 2000 mail client is acting strangely. Occasionally, a legitimate message (i.e., not an unsolicited commercial email—UCE—message) arrives in my Inbox and automatically moves to the Deleted Items folder. Although I've enabled the Junk E-mail filtering feature (in Tools, Organize, Junk E-mail), I verified that these messages' senders aren't in the Junk Senders list (in the Organize, Junk E-mail, Edit Junk Senders dialog box.) Do you have any idea what is causing this behavior?

Outlook is flagging the messages in question as junk email, then deleting them. This deletion occurs not because you've flagged the message senders as junk-email senders but because the contents of the messages have met Outlook's predefined criteria for identifying junk messages. The software defines these criteria separately from the Junk Senders list, but unfortunately you can't see these rules within the Outlook GUI.

The file that contains these rules is called filters.txt, which you can find in C:program filesmicrosoft officeoffice. This file contains a list of identification rules that recognize the contents of junk email. However, the original filters.txt file that most versions of Outlook include is woefully outdated, and some versions contain rules that are too loose, thereby resulting in false triggers. Microsoft is aware of this problem and has updated the filters.txt file. You can obtain the updated filters.txt from the Microsoft Web site at http://officeupdate.microsoft.com/articles/newfilters.htm. (You need to use a text editor to manually copy the file.)

Although the newer rules list helps you reduce false triggers, you might still encounter them. For example, family members might use emphatic strings such as "xxx" (as a symbol for hugs) in their email messages, or you might subscribe to newsletters that occasionally contain strings such as "$$$" (as in "This will cost you $$$"). In both cases, Outlook would instantly send the email message to the Deleted Items folder. If you've set your Deleted Items folder to automatically empty when you exit Outlook, you're at particular risk for losing valid messages. Therefore, I recommend that you disable the Empty the Deleted Items Folder upon exiting option until you've had the new filter list in place for a few months. I also recommend that you manually examine the rules list and see whether you can identify any rules that might be causing your problems. You can customize the file for your environment by adding, modifying, or deleting lines. If you do so, be sure to back up the original file in case you make any mistakes during the editing process. Again, be sure to get the most recent version of filters.txt from Microsoft's Web site. I hope Microsoft improves this feature by exposing the rules list within Outlook's interface or at least providing a feature that lets you audit and log this feature (e.g., through the Registry or a separate email message) so that you can see why Outlook flags particular messages as junk. These solutions would simplify the process of identifying problematic rules.

I've included the current version of Outlook's filter.txt file (as of this writing). The filter contains two sections. Listing 1 is for junk-sender identification, and Listing 2 is for adult-content identification. The rules that cause me trouble appear highlighted; these rules are more likely to occur in legitimate email messages.