Depending on the selected options for the features to be customized, you might
need to configure whether the user is prompted for input during installation
and whether the system reboots automatically. Additional customization options
include program settings for add-ins and HTML editing programs. Some of the
options that are configurable as part of Group Policy are also available as
settings. Note that these preferences are set during installation configuration
and aren't reapplied if the user modifies them; Group Policy settings are
reapplied, which is an advantage of using Group Policy for customization.
After you configure all the options to create your customized package, you
can use SMS or a third-party solution to deploy the package to clients. Depending
on the options you selected, users might see IE updates downloading and might
need to click to accept various validation screens. After you use the Internet
Explorer Customization Wizard to create a package, you can use the IEAK Profile
Manager to edit the package's .ins file to modify settings and create new profiles
as necessary, as Figure 4 shows.
Configuring Internet Explorer 7.0
Deploying IE 7.0 to users is only half the battle. You also must ensure that
users know how to use the browser and that your administrative configurations
create an optimal end-user experience. The IEAK is useful for creating a deployment
package with initial settings and a degree of lockdown. However, the IEAK doesn't
let you make configuration changes after the browser deploys. In an environment
that doesn't use AD, using the IEAK for initial configuration is acceptable—with
later changes made through local policy pushes or registry changes. But in environments
that use AD, Group Policy is preferable for configuration management.
An updated Group Policy template for IE 7.0 is installed automatically during
IE 7.0 installation. The IE Client Side Extension (CSE) that's responsible for
processing Group Policy settings related to the browser refreshes constantly
and corrects changes that conflict with Group Policy. IE 7.0 settings that were
previously preferences (i.e., registry value settings that aren't in standard
Group Policy areas and are considered tattooed on the client computer) are now
true policies.
Perhaps you don't want to install IE 7.0 on your servers to obtain the updated
IE configuration file (i.e., inetres.adm). Two alternatives are available. You
can copy the file from the C:\Windows\inf folder on a client with IE 7.0 installed
to the C:\Windows\inf folder on the server, or you can edit Group Policy from
an XP workstation that has IE 7.0 installed.
To see new Group Policy settings for IE 7.0, open the file in Notepad or another
text editing application and search for the text !!SUPPORTED_IE7. You'll also
notice some !!SUPPORTED_IE7Vista entries; these settings are for IE 7.0 running
on Vista and relate to protected-mode operation, which stops elevation-of-privilege
attacks.
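The search described above can be scripted to produce an inventory of the IE 7.0 policies, grouped by category, instead of reading the template by eye. The following Python code is an added example, not taken from the article or from Microsoft; it assumes the usual ADM keywords (CLASS, CATEGORY, POLICY, SUPPORTED, END) and a [strings] section, and it runs on a constructed sample whose policy names are illustrative rather than copied from inetres.adm.

```python
import re

# Tags named in the article; the sample is constructed, not real inetres.adm text.
IE7_TAGS = {"SUPPORTED_IE7", "SUPPORTED_IE7Vista"}
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!InternetExplorer
  CATEGORY !!RSSFeeds
    POLICY !!DisableEnclosures
      SUPPORTED !!SUPPORTED_IE7
    END POLICY
  END CATEGORY
  POLICY !!LegacySetting
    SUPPORTED !!SUPPORTED_OLDER
  END POLICY
  POLICY !!ProtectedModeSetting
    SUPPORTED !!SUPPORTED_IE7Vista
  END POLICY
END CATEGORY
[strings]
InternetExplorer="Internet Explorer"
RSSFeeds="RSS Feeds"
DisableEnclosures="Turn off downloading of enclosures"
ProtectedModeSetting="Example protected-mode setting"
'''

def ie7_policies(adm_text):
    """List (class, category path, policy, tag) for policies tagged IE 7.0."""
    body, tail = (re.split(r'(?im)^\s*\[strings\]\s*$', adm_text, maxsplit=1) + [""])[:2]
    strings = dict(re.findall(r'(?m)^\s*(\w+)\s*=\s*"(.*)"\s*$', tail))
    name = lambda ref: strings.get(ref.lstrip("!"), ref)  # resolve !!references
    found, cats, cls, policy = [], [], None, None
    for line in body.splitlines():
        tok = line.split(None, 1)
        if not tok or tok[0].startswith(";"):  # blank line or ADM comment
            continue
        kw, arg = tok[0].upper(), (tok[1].strip() if len(tok) > 1 else "")
        if kw == "CLASS":
            cls = arg.upper()
        elif kw == "CATEGORY":
            cats.append(name(arg))
        elif kw == "POLICY":
            policy = name(arg)
        elif kw == "SUPPORTED" and policy and arg.lstrip("!") in IE7_TAGS:
            found.append((cls, "/".join(cats), policy, arg.lstrip("!")))
        elif kw == "END" and arg.upper() == "CATEGORY" and cats:
            cats.pop()
        elif kw == "END" and arg.upper() == "POLICY":
            policy = None
    return found
```

To run it against a real template, read inetres.adm into a string using the encoding the file is saved in and pass that string to ie7_policies.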
When you view a policy in the Group Policy Object Editor window, which Figure
5 shows, the description text shows whether the policy applies to IE 7.0 or above.
You might want to spend some time familiarizing yourself with the Group Policy
areas so that you understand how IE 7.0's new functionality will affect your
organization. You need to know which policies are available to configure and
control new areas, and you need to be aware of improved methods for controlling
existing functionality.
One of the new functionality areas is RSS Feeds. You can use Group Policy to
control feed discovery, for example to stop IE from highlighting and advertising
that an RSS feed is available on a Web page. In addition, you can restrict
users from subscribing to or unsubscribing from feeds, as well as block users
from downloading enclosures (i.e., files attached as part of a feed). Finally,
several core features have a Group Policy entry on the IE administrative template.
For example, you can enable phishing protection to highlight Web sites that
might be trying to fraudulently obtain information.
Beyond Deployment
IE 7.0 has many security perks and useful features that make the browser valuable
for most organizations. Unless your enterprise subscribes to Microsoft's automatic
updates, you need to plan for IE 7.0 deployment. However, simply deploying the
browser isn't enough. To take full advantage of IE 7.0's features, you also
must plan for its long-term configuration and management.
SOLUTIONS SNAPSHOT
PROBLEM: Deploying and configuring Internet Explorer (IE) 7.0
SOLUTION: If your organization doesn't subscribe to Microsoft's automatic
updates, manually download IE 7.0 and deploy it; then, use the Internet
Explorer Administration Kit (IEAK) or Group Policy for configuration and
management.
WHAT YOU NEED: Windows XP or Windows Server 2003; IE 7.0
DIFFICULTY: 2 out of 5
SOLUTION STEPS:
- Determine whether your organization automatically deploys Internet
Explorer (IE) 7.0.
- Download IE 7.0 from Microsoft's Web site.
- If desired, use the Internet Explorer Administration Kit (IEAK) to
create a customized IE 7.0 deployment package.
- Use Windows Server Update Services (WSUS) or Microsoft Systems Management
Server (SMS) to deploy IE 7.0.
- Use the IEAK or Group Policy to configure and manage IE 7.0.