Hi, I am new in SCCM. I'm installing a production environment and I have an internet explorer 8 issue, some PCs in any moments starts surfing the web with SCCM account, it make me thought sms agent http requests is being done with that credential (something like secondary logon) and internet explorer somehow remains using that account. I tried closing and opening internet explorer but doesn't work. Restarting the PC is not a good way. It is a problem because SCCM account is not supposed to work well with Web Sense. How could I fix it? Please help.. Joffre

I'm confused by what you mean by "surfing the web"? Does that mean you see a browser session (IE/Firefox/Chrome) launched or does it mean you are seeing traffic on port 80 and web service calls from the SMS Agent Host? If the latter, this is normal behavior is this is how ConfigMgr and the agent are designed to work. By default, all client traffic to the MP (and the optionally the DPs) is over port 80 using web services hosted on the MP (and DPs)Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys

Yes but I mean if http requests from client to SCCM server are done authenticated with local system, anonymous or the domain admin account (created to deploy agents).

There is no possibility of the credentials being shared. The SMS Agent host service uses client certificates for authentication to the server. Don't confuse web services with web browsing traffic. At the end of the day, at the protocol level, they are the same thing, but the details are very different. The agent host is only communicating with the MP (and DP for content download) using web services and these have nothing to do with browsing the web or any browser that you have installed. What symptoms are you seeing that are leading to this question?Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys

Very interesting symptoms. The ConfigMgr agent will never launch an instance of iexplorer (or any other executable) unless explicitly directed to do so by an advertised program. The ConfigMgr agent also never uses the credentials of any push installation account; this account is exclusively used to connect to the client system from the site server, drop a couple of files and create a service. After that, everything, including client install and actual agent activity happens as the local SYSTEM account. Although troubling activity indeed, ConfigMgr will not cause this by itself. Unless you can find an advertised program doing this, your culprit is elsewhere.Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys