Ever since the release of Presentation Server 4 and ICA Client 9, there has been a lot of confusion over the webica.ini file. Sometimes it’s there and sometimes it isn’t!?! There’s also confusion over when you can actually modify settings in the Connection Center. Sometimes they’re grayed out and other times they’re accessible. This article explains why this is.
Prior to version 9, the ICA client would ask the user to choose the level of file security when starting a session. This took the form of a popup box that informed the user that a remote application was trying to access the local drives and asked what access should be allowed: Full, Read Only, or None. That box would also ask the user whether the system should remember the chosen option for the next time a session was started. If the user chose to have the system remember their selection, the ICA client software would write the changes to a configuration file called webica.ini and store it in the Windows root folder.
Administrators could suppress this dialog box on a client device simply by preconfiguring the webica.ini file on that device.
That was then, this is now. Starting with ICA client version 9, the client doesn’t always prompt the user with the security options and the webica.ini file doesn’t always work. For better or worse, there’s now a bit of intelligence built into the client that determines not only whether the client will ask, but also whether it will allow changes to the different security settings. The client (wfica32.exe to be exact) now determines whether it is “trusted” or “untrusted” (these are not Citrix terms). A client is “trusted” if it’s started from the Program Neighborhood or Program Neighborhood Agent. The client is “untrusted” if it’s started from the Web Interface or an ICA file. When a client is “trusted,” full access is given to the client drives and the options are grayed out in the Connection Center. There is currently no way to override this. If a client is “untrusted,” then the user is asked how they would like the settings set and the options are available in the Connection Center.
What’s really interesting is that this trusted versus untrusted distinction is made even between connections launched via the Program Neighborhood Agent and those launched via the Web Interface, even though both are based on the same back-end Web Interface technology. The reasoning behind this is that when using the Program Neighborhood Agent, a user must manually configure a back-end Web Interface server and will only get applications from it. A browser-based Web Interface launch, however, could potentially occur from a malicious Internet site, which is why it falls into the untrusted realm.
Citrix is currently working on adding more control over this new aspect of the client.