Internet Explorer Feature Control Settings in Group Policy
Applies To: Windows Server 2003 with SP1
The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
What does Internet Explorer Feature Control Settings in Group Policy do?
Windows XP Service Pack 2 introduced new registry keys and values for Internet Explorer security features called Feature Controls. These security features have been incorporated in Windows Server 2003 Service Pack 1. The specific behavior of the feature control registry settings is discussed with each security feature throughout this section.
A modified Inetres.adm file contains the feature control settings as policies. Administrators can manage the feature control policies by using Group Policy objects (GPOs). When Internet Explorer is installed, the default preferences settings for these feature controls are registered on the computer in
HKEY_LOCAL_MACHINE. In Group Policy, the Administrator can set them in either
HKEY_LOCAL_MACHINE (Computer Configuration) or
HKEY_CURRENT_USER (User Configuration).
Who does this feature apply to?
Group Policy administrators can uniformly configure the Internet Explorer Feature Control settings for the computers and users that they manage.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Group Policy Internet Explorer settings
The new feature control policies are:
Binary Behavior Security Restriction
MK Protocol Security Restriction
Local Machine Zone Lockdown Security
Consistent MIME Handling
MIME Sniffing Safety Feature
Object Caching Protection
Scripted Window Security Restrictions
Protection from Zone Elevation
Restrict ActiveX Install
Restrict File Download
Network Protocol Lockdown
In the Group Policy Management Console, the local computer policies for Feature Controls are in \Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features.
The current user policies for Feature Controls are in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features.
The policy for the feature needs to be enabled for the process — for example, IExplore.exe — before the zones’ individual security setting policies or preferences will be applied. For more about the behavior of Feature Controls keys and setting them for a process, see the section on each feature and the section Internet Explorer Using Feature Control Registry Settings with Security Zone Settings. For more information about specific security settings by zone, see Internet Explorer URL Action and Advanced Security Settings in Group Policy.
Administrators of Group Policy can manage these new policies in the Administrative Templates extension to the Group Policy Management Console. When configuring these policies, the administrator can enable or disable the security feature for explorer processes (Internet Explorer and Windows Explorer), for executable processes that they defined, or for all processes that host the WebOC.
Users cannot see the feature control policies or preference settings through the Internet Explorer user interface, except for Local Machine Zone Lockdown Security. Feature control policies can only be set using the Group Policy Management Console, and feature control preference settings can only be changed programmatically or by editing the registry.
Configuring policies and preferences
Group Policy is the recommended tool for managing Internet Explorer for client computers on a corporate network. Internet Explorer supports Group Policy management for the IE feature controls included in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 as well as for Security page settings or URL actions. Administrators of Group Policy can manage these policy settings in the Administrative Templates extension of the Group Policy Management Console.
When implementing policy settings, it is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific client computers.
Policies can be read by users but can only be changed by Group Policy management or by an administrator. Preference settings can be changed programmatically, by editing the registry, or in the case of URL actions and Local Machine Zone Lockdown Security, by using Internet Explorer. Note that settings that are associated with policies will take precedence over settings specified using Internet Explorer preferences.
For operating systems prior to Windows XP SP2 and Windows Server 2003 SP1 and previous Internet Explorer versions, Internet Explorer Administration Kit (IEAK) 6 Service Pack 1 remains the recommended tool for solution providers and application developers to customize Internet Explorer for their end users. IEAK support and the IEAK/IEM process does not change for Internet Explorer versions prior to Windows XP Service Pack 2. The process also has not changed for using IEAK/IEM to set user setting preferences in Internet Explorer versions prior to and including Windows Server 2003 SP1. This includes the new Internet Explorer 6 in Windows XP Service Pack 2 and Windows Server 2003 SP1 preference settings. However, the true policy settings incorporated by this feature can only be managed within Group Policy. For more information about IEAK, see "Microsoft Internet Explorer 6 Administration Kit Service Pack 1" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=26002.
In summary, the IEAK can still be used as before for all Internet Explorer versions prior to Windows XP Service Pack 2, and is still the tool to use for branding in Windows XP Service Pack 2 and Windows Server 2003 SP1. IEM/IEAK can be still be used to set user preference settings, but true policies should be set using the Group Policy Management Console.
Frequently asked questions for existing users of the IEAK
I currently use the IEAK with a corporate license to configure Internet Explorer on desktop computers and I don’t have Active Directory in my organization. How can I configure Internet Explorer if the IEAK doesn’t work with Windows XP SP2 or Windows Server 2003 SP1?
You can still use Group Policy to configure settings even if you don’t use Active Directory. You can use Group Policy to create a local Group Policy object (GPO) with your settings and then deploy that GPO. After you have configured your GPO for Internet Explorer, you can deploy it using your standard deployment methods. For example, you might use startup or logon scripts, Systems Management Server scripts, or you might send links to users in e-mail.
I currently use the IEAK with a corporate license to configure Internet Explorer on desktops and I don’t have Active Directory in my organization. What happens if I keep running my IEAK 6 SP1 packages against Windows XP SP2 or Windows Server 2003 SP1?
If you install an IEAK 6 SP1 package on a computer running either Windows XP SP2 or Windows Server 2003 SP1, the settings from Internet Explorer 6 SP1 will be updated, but the security settings will not be configurable, since IEAK 6 SP1 wasn’t designed to deploy those settings.
I currently use the IEAK with an Internet service provider (ISP) license to brand Internet Explorer bits and setup connections for my ISP customers. Will my IEAK 6 SP1 packages still be able to apply settings on Windows XP SP2 and Windows Server 2003 SP1?
The branding settings in your ISP license IEAK 6 SP1 package should be applied correctly.
Why is this change important?
By adding the Internet Explorer Feature Controls policies to Group Policy, administrators can manage these true policies to establish standard security settings for all the computers that they configure.
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
Internet Explorer in Windows Server 2003 SP1 adds policies to Group Policy but does not change how policies are managed. Developers need to be aware of how each feature control setting affects security-related behavior for their applications. The effects of the different security-related behaviors on application development are discussed within this document in the specific sections for each feature.