Managing Browser Settings with Group Policy Tools
If you use an Active Directory® environment to administer the computers in your network, Group Policy provides a comprehensive set of policy settings to manage Windows® Internet Explorer® 8 after you have deployed it to your users' computers.
You can use the Administrative Template policy settings to establish and lock registry-based policies for hundreds of Internet Explorer 8 options, including security options. You can also use the Internet Explorer Maintenance (IEM) extension in Group Policy to preset and manage some Internet Explorer 8 settings (including user interface and connection settings) in your domain.
Important
We recommend that you manage Internet Explorer 8 by using the Administrative Template settings in Group Policy whenever possible, because these settings are always written to a secure tree in the registry. This means that users cannot change settings by using the Internet Explorer 8 user interface or by modifying the registry. Most of the extension settings in IEM and the browser settings that you can manage in the Internet Explorer Administration Kit 8 (IEAK 8) provide preferences that users can modify after they are applied.
For more information about Group Policy, see:
Windows Server 2003 Group Policy
Group Policy Settings Reference for Windows Vista
Managing Windows XP Service Pack 2 Features Using Group Policy
Group Policy Frequently Asked Questions
Advanced Group Policy Management Console
Group Policy Preferences
Internet Explorer Maintenance Extension Technical Reference
Implementing Common Desktop Management Scenarios with the Group Policy Management Console
Windows Vista Security Guide
Appendix A: Internet Explorer Maintenance Extension Settings in this deployment guide
If you do not use an Active Directory environment and Group Policy to manage users' computers, you can use the IEAK Profile Manager to configure and update some browser settings and preferences after deployment.
Group Policy overview
Group Policy is a collection of settings that are used to define and manage configurations for groups of users and computers in an Active Directory environment. Group Policy enables you to define an Internet Explorer 8 configuration, and other software and system configurations, as part of Group Policy objects (GPOs). The GPOs are linked to hierarchical Active Directory containers, such as sites, domains, or organizational units. They enable you to manage your Internet Explorer 8 and other system configurations for multiple users on any computer that is joined to the domain.
Note
You must be a member of the Administrators group to work with GPOs.
Using Group Policy in your Active Directory environment allows you to set broad standards or restrictions for Internet Explorer 8 and other applications in a company or division, while specifying exceptions for smaller departments or groups.
In an Active Directory environment, a client-side extension ensures that your policies are applied and refreshed regularly. When you change policies, they are refreshed dynamically rather than relying on a logon or startup script on your users' computers.
Group Policy is flexible and includes options for registry-based policy settings, security settings, software installation, scripts (during computer startup and shutdown, and to log on and log off), and folder redirection.
Tools to manage Group Policy
Your Windows operating system provides you with several administrative tools to create, manage, view, and troubleshoot GPOs, as described in the following table.
Tool | Description |
---|---|
Group Policy Object Editor |
An interface for creating and modifying a single GPO. You can open Group Policy Object Editor in several ways, depending on the action that you want to perform and the object that you want to apply Group Policy to. For more information about this tool, see the Group Policy Object Editor Technical Reference (https://go.microsoft.com/fwlink/?LinkId=68957). |
Group Policy Management Console (GPMC) |
A scriptable Microsoft Management Console (MMC) snap-in, which provides a single, powerful administrative tool for managing Group Policy for multiple domains and sites within one or more forests. Editing a GPO from within GPMC launches Group Policy Object Editor. The GPMC is available for Windows XP with Service Pack 2 (SP2) and Windows Server 2003 R2, and it is built into Windows Vista and later versions of Windows. For more information, see Enterprise Management with the Group Policy Management Console (https://go.microsoft.com/fwlink/?LinkId=22814). |
Advanced Group Policy Management Console (AGPM) |
Microsoft Advanced Group Policy Management (AGPM) helps customers overcome challenges that affect Group Policy management in any organization, particularly those with complex information technology (IT) environments. A robust delegation model, role-based administration, and change-request approval provide granular administrative control. You can use AGPM to edit GPOs offline, outside of the production environment, and then audit changes and easily find differences between GPO versions. In addition, AGPM supports effective change control by providing version tracking, history capture, and quick rollback of deployed GPO changes. It also supports a management workflow, by allowing you to create GPO template libraries and send GPO change e-mail notifications. For more information, see the Advanced Group Policy Management Overview whitepaper (https://go.microsoft.com/fwlink/?LinkId=157947). |
Group Policy preferences |
You can use Group Policy preferences to better deploy and manage operating system and application settings. Group Policy preferences enable IT professionals to configure, deploy, and manage operating system and application settings they previously were not able to manage using Group Policy. Examples include mapped drives, scheduled tasks, and Start menu settings. For many types of operating system and application settings, using Group Policy preferences is a better alternative to configuring them in Windows images or using logon scripts. Group Policy preferences can be used to implement settings which are “preferred” but not mandatory. This enables IT professionals to deploy software (including Internet Explorer 8) in a standardized initial configuration and still permit users to customize some aspects to their liking. For more information, see the Group Policy Preferences Overview whitepaper (https://go.microsoft.com/fwlink/?LinkId=157946). |
Resultant Set of Policy (RSoP) Snap-in |
An addition to Group Policy to assist with policy implementation and troubleshooting. RSoP polls existing policies based on site, domain, domain controller, and organizational unit, and then reports the results of those queries. For complete instructions, see https://go.microsoft.com/fwlink/?LinkId=68958. |
Group Policy log files |
Detailed client- and server-side Group Policy log files, which provide detailed information in cases where RSoP does not. For more information, see Fixing Group Policy Problems by Using Log Files (https://go.microsoft.com/fwlink/?LinkId=83244). |
Event Viewer in Windows Vista |
Interface for Group Policy operational log and a system log. For more information about Windows Vista event logs, see https://go.microsoft.com/fwlink/?LinkId=74139. |
Using Administrative Template settings to manage Internet Explorer 8
This section describes how to use registry-based Administrative Template policy settings in Group Policy to manage Internet Explorer 8 on users' computers that are running Windows XP with SP2, Windows Server 2003 with SP1, or Windows Vista.
Overview of Administrative Templates
The Administrative Template files allow you to configure and manage registry-based Group Policy settings. They are Unicode text files with the extension .adm in Windows XP with SP2 and Windows Server 2003 with SP1, and XML files with the extensions .admx and .adml in Windows Vista and later versions of Windows.
Standard Administrative Templates are deployed with your Windows operating systems. Administrative Templates display the registry settings that you can apply to your users' computers in your GPOs. Information in the templates populates the administrative interface in Group Policy Object Editor, which you use to set secure registry-based policy information.
A number of standard templates automatically populate the Group Policy Object Editor, and you can add or remove templates later. Developers can create custom templates as needed.
An Administrative Template file consists of a hierarchy of policy categories and subcategories that define how the policy settings appear in Group Policy Object Editor. The file also contains the following information:
Registry locations that correspond to each setting.
Options or restrictions in values that are associated with each setting.
A default value for many settings.
Text explanations for the purpose of each setting.
The versions of Windows and Internet Explorer that support each setting.
When you modify Group Policy settings that are based on a template, user configurations are saved in HKEY_CURRENT_USER (HKCU), and computer configurations are saved in HKEY_LOCAL_MACHINE (HKLM). HKCU and HKLM place registry information that is specific to Group Policy under \Software\Policies or under \Software\Microsoft\Windows\CurrentVersion\Policies. Therefore, there are four areas of the registry that contain Group Policy registry settings.
For an overview of the concepts and architecture of the Administrative Templates, see https://go.microsoft.com/fwlink/?LinkId=157948.
Registry-based Internet Explorer policy settings
The following table describes categories of registry-based Internet Explorer policy settings that you can administer. These settings are available in the standard Administrative Template file Inetres.adm (Inetres.admx in Windows Vista and later versions of Windows).
You can locate these categories in the following policy paths for your GPOs:
User Configuration\Administrative Templates\Windows Components
Computer Configuration\Administrative Templates\Windows Components
Note
For each policy setting, Group Policy Object Editor displays the versions of Internet Explorer and Windows that support the policy. Not all available settings apply to Internet Explorer 8 on all Windows operating systems.
Category | Description | ||
---|---|---|---|
Internet Explorer |
Contains settings to enable or disable standard Internet Explorer configurations. |
||
Internet Explorer\Administrator Approved Controls |
Contains settings to enable or disable ActiveX® controls. |
||
Internet Explorer\Security\AJAX |
Contains settings to enable or disable technologies that allow communications between clients and server, or cross-domain communications. |
||
Internet Explorer\Application Compatibility |
Contains settings to enable or disable Cut, Copy, or Paste operations from the clipboard if URLACTION_SCRIPT_PASTE is set to Prompt. |
||
Internet Explorer\Browser Menus |
Contains settings to show or hide menus and menu options in Internet Explorer. |
||
Internet Explorer\Compatibility View |
Contains settings to enable or disable Compatibility View settings. |
||
Internet Explorer\Delete Browsing History |
Contains settings to enable or disable Delete Browsing History settings. |
||
Internet Explorer\Internet Control Panel |
Contains options to enable or disable pages in Internet Options, and subcategories to manage settings on the Security and Advanced pages. |
||
Internet Explorer\Internet Settings |
Contains subcategories for Advanced Settings, AutoComplete, Display Settings, and URL Encoding.
|
||
Internet Explorer\InPrivate Filtering |
Contains setting to configure InPrivate Filtering features. |
||
Internet Explorer\Offline Pages |
Contains settings for offline pages and channels. Note These settings do not apply to Internet Explorer 8. |
||
Internet Explorer\Persistence Behavior |
Contains settings for file size limits in Internet security zones. |
||
Internet Explorer\Security Features |
Contains settings to enable or disable security features for Internet Explorer, Windows Explorer, and other applications. |
||
Internet Explorer\Toolbars |
Contains settings to allow or restrict users from editing toolbars in Internet Explorer. Administrators can also set the default toolbar buttons. |
||
RSS Feeds |
Contains options for managing RSS feeds in Internet Explorer. |
For an expanded list of available registry-based Internet Explorer 8 policy settings, see the Group Policy Settings Reference for Windows Vista (available for download from https://go.microsoft.com/fwlink/?LinkId=54020).
This Microsoft Excel® workbook lists the policy settings for computer and user configurations that are included in the Administrative Template files within Windows Vista. A subset of the policy settings included in the workbook is supported on computers running Windows XP with SP2 or Windows Server 2003 with SP1.
To use the filtering capabilities in this workbook to view a specific subset of settings, click the drop-down arrow in one or more column headings to select the value or combination of values that you want to filter. For example, you can view Group Policy settings introduced for Internet Explorer 8.
To view registry-based Group Policy settings specific to Internet Explorer 8
Open the workbook VistaGPSettings.xls.
Click the All worksheet.
Click the drop-down arrow next to File name, and then click Inetres.admx.
Click the drop-down arrow next to Supported on, and then click At least Internet Explorer 8.
Modifying registry-based Internet Explorer 8 policy settings
You can modify the Internet Explorer 8 policy settings that apply to individual users, individual computers, or both.
To modify registry-based Internet Explorer 8 policy settings
Open Group Policy Object Editor by using one of the methods described in the Group Policy product documentation (https://go.microsoft.com/fwlink/?linkid=67717).
The method you use will depend on the GPO that you want to manage. One way to open Group Policy Object Editor is to click Start, click Run, and then enter Gpedit.msc.
If you are modifying policy settings for individual users, double-click <Group_Policy_object_name> Policy, and then double-click User Configuration. If you are modifying policy settings for individual computers, double-click <Group_Policy_object_name> Policy, and then double-click Computer Configuration.
Double-click Administrative Templates, double-click Windows Components, and then double-click Internet Explorer.
In the left pane, click the category you want to work with, and then in the right pane, double-click the item that you want to edit.
Click the Setting tab, and then configure the policy setting. Typical choices for a setting are Not Configured, Enabled, or Disabled. Some settings require you to make additional selections or enter additional information.
Note
Some policy settings have the same behavior for Not Configured and Disabled states. For these policies, setting the policy to Disabled will automatically be reverted to Not Configured.
Note
To access the RSS Feeds settings in Group Policy, double-click Administrative Templates, double-click Windows Components, and then click RSS Feeds.
Using the Internet Explorer Maintenance extension
The Internet Explorer Maintenance (IEM) extension enables you to define and implement certain Internet Explorer 8 configurations as part of a GPO. IEM uses two sets of extensions to accomplish this purpose:
A server-side snap-in extension to Group Policy Object Editor (ieaksie.dll), which is used to configure a number of legacy Internet Explorer settings in a GPO.
A client-side extension (iedkcs32.dll), which is a dynamic-link library (DLL) on each user's computer that implements the IEM settings contained in the GPO.
Important
We recommend that you use IEM only in Preference mode to avoid conflict with Internet Explorer 8 policy settings that you specify using the Administrative Templates. Preference mode allows you to specify browser settings that the user can later change if desired.
For more information about Administrative Templates settings for Internet Explorer 8, see Registry-based Internet Explorer policy settings earlier in this section.
For more information about using IEM in Preference mode, see Normal mode and Preference mode later in this section.
IEM settings
You can import and customize settings in the following categories by using IEM.
For more information about the settings, including which settings are available in Preference mode, see Appendix A: Internet Explorer Maintenance Extension Settings in this deployment guide.
Category | Description |
---|---|
Browser User Interface |
Contains options to customize the browser's appearance. |
Connection |
Contains options to preset and control the users' connection settings, such as dial-up and local area network (LAN) connections. |
URLs |
Contains options to customize the Favorites folder, the Links bar, and important URLs such as the home page URL. |
Programs |
Contains options to specify the default Internet programs for performing common Internet tasks, such as reading e-mail or viewing newsgroups. |
Security |
Contains options to configure your users' security settings, to prevent them from accidentally compromising network security. |
Advanced |
(Preference mode only.) Contains options to specify the values for additional settings. These settings include the disk space that is allowed for temporary Internet files, the location of ActiveX controls or Java code downloads, browser display settings, and connection settings for your corporation. |
Modifying IEM settings
The method for starting Group Policy depends on the type of group that you want to administer.
For more information about starting Group Policy, see:
The in-product Help for Gpedit.msc
The Group Policy Object Editor Technical Reference
For more information about using IEM, see:
The in-product Help for the IEM snap-in for Microsoft Management Console
The Internet Explorer Maintenance Extension Technical Reference
To use IEM to maintain Internet Explorer 8
Open Group Policy Object Editor by using one of the methods described in the Group Policy product documentation (https://go.microsoft.com/fwlink/?linkid=67717). The method you use will depend on the GPO that you want to manage.
In Group Policy Object Editor, double-click <Group_Policy_object_name> Policy, double-click User Configuration, double-click Windows Settings, and then double-click Internet Explorer Maintenance.
In the left pane, click the category that you want to work with, and then in the right pane, double-click the item you want to edit.
Normal mode and Preference mode
By default, IEM is in Normal mode. In Normal mode, you can configure Internet Explorer 8 settings so that they are refreshed on users' computers on a periodic basis (or each time the users log in). However, users can temporarily change these settings between the times scheduled for their setting refresh. For this reason, these settings in Normal mode behave as "pseudo-policies."
For more information about refreshing IEM settings, see Enabling IEM policy processing later in this section.
In Preference mode, you can configure default browser settings, but allow users to change these settings later by using the Internet Explorer 8 user interface. Preference mode also exposes several additional advanced settings that you can configure. Unlike the pseudo-policies you configure in Normal mode, the settings you configure in Preference mode are true preferences. You cannot refresh these settings on users' computers unless you change the settings in the GPO.
Note
Normal mode and Preference mode settings cannot coexist in the same GPO.
To set IEM Group Policy to Preference mode
Open Group Policy Object Editor by using one of the methods described in the Group Policy product documentation (https://go.microsoft.com/fwlink/?linkid=67717). The method you use will depend on the GPO that you want to manage.
In Group Policy Object Editor, double-click <Group_Policy_object_name> Policy, double-click User Configuration, double-click Windows Settings, and then click Internet Explorer Maintenance.
Right-click Internet Explorer Maintenance and then click Preference Mode.
If a policy is already defined, you must click Reset Browser Settings before you can set this policy to Preference mode. When you reset the browser settings, any policy settings that are specified to that GPO are reset.
Note
Preference-mode settings are set by a member of the Administrators group. However, a user can change the settings in Internet Explorer 8 after the policy is applied—for example, the settings for a home page or the settings on the Advanced tab of the Internet Options dialog box.
When you are using IEM in Preference mode, the text (Preference Mode) appears next to the items that can be configured. In addition, the Advanced category appears in the left pane.
Enabling IEM policy processing
To use IEM to create policies that are regularly reapplied on users' computers, you must:
Use IEM in Normal mode.
Enable the Internet Explorer Maintenance policy processing setting in Group Policy.
To enable Internet Explorer Maintenance policy processing
In the Microsoft Management Console (MMC), open Group Policy Object Editor.
Double-click Computer Configuration, double-click Administrative Templates, double-click System, and then double-click Group Policy.
In the right pane, double-click Internet Explorer Maintenance policy processing.
On the Properties tab, click Settings, then select the Enable check box.
Important
If you enable this policy, any customized settings that you apply to users' computers by using IEM in Normal mode will be enforced—even if your users reset their Internet Explorer 8 settings.
Exporting IEM settings
You can use Group Policy to export all of the IEM settings to an .ins file, and if necessary, to cabinet (.cab) files. These settings can then be used to configure automatically computers that run other supported operating systems. Only the IEM settings in Group Policy are exported.
For more information about applying exported settings, see Managing Browser Settings Through IEAK 8 Profile Manager in this deployment guide.
To use IEM to export the settings from your computer to an .ins file
In the Microsoft Management Console (MMC), open Group Policy Object Editor.
Double-click Local Computer Policy, double-click User Configuration, and then double-click Windows Settings.
Right-click Internet Explorer Maintenance, and then click Export Browser Settings.
In the Save dialog box, type the full path and name of the .ins file that you want to export.
If applicable, type the URL path and names of the .cab files. The URL will be inserted in the .ins file as the server location of the .cab files.