How to make the most of a challenging browser-management scenario
I must admit that when I sat down to write this article, I was tempted to say, “If you want to manage your browser’s configuration from Group Policy, migrate to Firefox.” Why would a dyed-in-the-wool Group Policy fan such as myself make such a statement? Well, Internet Explorer (IE) configuration through Group Policy has been a mess for a long time.
With no fewer than three separate and sometimes conflicting methods for configuring IE through Group Policy, I would be hard-pressed to tell anyone that using this technology is easy. But given the importance of locking down IE in many organizations, you must face this challenge and make the best of it. In this article, I’m going to offer some tips and best practices to help navigate the morass that is Group Policy management of IE. (See also, "Browser Apps and the Future of Web Browser Management").
Pick Your Poison
As I mentioned, there are three main methods for managing IE configuration through Group Policy:
- Administrative Templates settings under Computer Configuration (or User Configuration)\Administrative Templates\Windows Components\Internet Explorer: These settings are the typical Administrative Templates policy lockdowns, which set certain options in IE and which cannot be changed by the user.
- User Configuration\Windows Settings\Internet Explorer Maintenance: This is the original mechanism by which you could configure IE through Group Policy. Early versions of this mechanism had lots of bugs, and configuration behavior was unpredictable. The Windows 7 version is more reliable.
- User Configuration\Preferences\Control Panel Settings\Internet Settings: This Group Policy Preferences–based IE configuration method fills the gaps of the previous two methods, but it doesn’t cover some key areas.
The bottom line is that, for most scenarios you’re likely to encounter, you can’t get away with using only one of these methods. Instead, you will probably have to use two, and possibly all three, to fully control IE behavior on your desktops and servers. I’ll take a look at what each of these methods brings to the table and at some of the behaviors you need to be aware of in each case. Additionally, I’ll mention areas where I’ve seen other folks take a different tack to work around the behavior of one of these three methods. For example, I’ve seen people simply write registry scripts to modify the underlying registry values of the IE options they want to control (e.g., proxy settings) rather than relying on the poor behavior of IE Maintenance policy.
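The registry-script workaround mentioned above, as an added example that is not from the article: a PowerShell logon script that writes the proxy values IE reads from the per-user Internet Settings key and then reads them back. The proxy address and bypass list are placeholders; because these are preference values (under HKCU\Software\Microsoft, not HKCU\Software\Policies), the user can still change them afterwards.

```powershell
# Added example: set IE proxy values directly in the current user's registry,
# the scripted workaround some admins use instead of IE Maintenance policy.
# Run in the user's context (e.g. as a logon script) so HKCU is that user's hive.
param(
    [string]$ProxyServer   = 'proxy.example.internal:8080',   # placeholder, not from the article
    [string]$ProxyOverride = '*.example.internal;<local>',     # hosts that bypass the proxy
    [switch]$Disable                                           # clear the proxy instead of setting it
)

# This is the key WinINET/IE reads; it is a preference, not an enforced policy key
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

if ($Disable) {
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
} else {
    Set-ItemProperty -Path $key -Name ProxyEnable   -Value 1              -Type DWord
    Set-ItemProperty -Path $key -Name ProxyServer   -Value $ProxyServer   -Type String
    Set-ItemProperty -Path $key -Name ProxyOverride -Value $ProxyOverride -Type String
}

# Read back what the registry now holds so the script's effect is visible in its output
$after = Get-ItemProperty -Path $key
[pscustomobject]@{
    ProxyEnable   = $after.ProxyEnable
    ProxyServer   = $after.ProxyServer
    ProxyOverride = $after.ProxyOverride
}
```

New IE sessions pick up the changed values. If the goal is that users cannot undo the setting, this script on its own does not achieve that; that is the job of the Administrative Templates policy area discussed next (for proxy, the "Prevent changing proxy settings" policy), which is exactly the kind of mix-and-match the article describes.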
Administrative Templates Policy
The IE Administrative Templates options are available under both the Computer Configuration and User Configuration sections of a Group Policy Object (GPO). This means that you can set them to apply to all users of a given set of machines (Computer Configuration) or to specific targeted users (User Configuration). It’s generally a good idea to avoid conflicts between per-computer and per-user policies for a particular user who is logged on to a particular machine. When conflicts occur, the per-computer settings usually win, but that’s not always the case, and you should verify this behavior if you find that you are unavoidably put in a conflict situation. I usually stick to defining only per-user IE Administrative Templates settings, especially if I plan to use the other two policy areas in conjunction with this one. I do this because the other two are per-user only, and that keeps things cleaner when it comes to targeting IE-related policy.
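A quick way to perform the verification suggested above, as an added example that is not from the article: a PowerShell script that shows whether a given IE policy value is present in the per-computer (HKLM) and per-user (HKCU) policy keys on a machine, and flags the case where both are set to different values. The default value name assumes the "Disable the Security page" setting, which writes Control Panel\SecurityTab; pass a different subkey and value name for the setting you are checking.

```powershell
# Added example: show where an IE Administrative Templates value is set
# (per-computer versus per-user) so a conflict is visible before you rely on
# the "per-computer usually wins" rule.
param(
    # Path and value name relative to ...\Policies\Microsoft\Internet Explorer.
    # Defaults assume the "Disable the Security page" policy (Control Panel\SecurityTab).
    [string]$SubKey    = 'Control Panel',
    [string]$ValueName = 'SecurityTab'
)

$base  = 'Software\Policies\Microsoft\Internet Explorer'
$hives = [ordered]@{
    'Per-computer (HKLM)' = "HKLM:\$base\$SubKey"
    'Per-user (HKCU)'     = "HKCU:\$base\$SubKey"
}

$report = foreach ($label in $hives.Keys) {
    $path  = $hives[$label]
    $value = $null
    if (Test-Path $path) {
        # SilentlyContinue: the key may exist without this particular value
        $value = (Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }
    [pscustomobject]@{
        Scope = $label
        Path  = $path
        Value = if ($null -eq $value) { '(not set)' } else { $value }
    }
}

$report | Format-Table -AutoSize

# Flag the conflict case explicitly: both scopes set, with different values
$set = @($report | Where-Object { $_.Value -ne '(not set)' })
if ($set.Count -eq 2 -and $set[0].Value -ne $set[1].Value) {
    Write-Warning "Per-computer and per-user values for $SubKey\$ValueName differ; confirm which one IE honours on this machine."
}
```

Run it as the user whose effective settings you care about, on the machine in question; pair it with `gpresult /h report.html` (Windows Vista and later) if you also want to see which GPO delivered each value.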
When you upgrade to a new version of IE, that upgrade process will typically install a new ADM or ADMX template file on the system where you perform the upgrade. I’m sure the forthcoming IE 9 will be no different in this respect. If you’re installing on Windows XP or Windows Server 2003, the updated file that contains all the relevant settings is named inetres.adm, and it will be saved in the C:\Windows\inf folder on the system where you perform the IE upgrade. You’ll have to manually copy the inetres.adm file to a domain-based GPO if you want to start using those new settings. If you’re working on Windows Vista, Windows 7, Windows Server 2008, or Server 2008 R2, you probably know that Microsoft shifted to the new ADMX template file format. Therefore, when you install a new version of IE, an updated inetres.admx file is saved in the C:\Windows\policydefinitions folder on your upgraded Windows system. If you’ve deployed an ADMX Central Store in your Active Directory (AD) domain, you’ll have to manually copy the inetres.admx file into it, overwriting the existing version of this file.
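The Central Store copy step, as an added example that is not from the article: a PowerShell script, run on the system where IE was upgraded, that copies the updated inetres.admx into the domain's ADMX Central Store. ADMX files are accompanied by a language file (inetres.adml, in a language subfolder such as en-US), which the article does not mention but which must be updated alongside the .admx, so the script copies both. The domain name and language are assumptions; the script backs up whatever it overwrites and checks the copied files match.

```powershell
# Added example: push an updated inetres.admx and its inetres.adml language
# file from the local PolicyDefinitions folder into the ADMX Central Store.
# Requires rights to write to SYSVOL. Domain and language are placeholders.
param(
    [string]$Domain   = 'corp.example.internal',   # placeholder, not from the article
    [string]$Language = 'en-US'                    # language subfolder holding the .adml
)

$local = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# The .admx and its matching .adml travel together; a stale .adml breaks the display of the new settings
$files = @(
    @{ Src = Join-Path $local 'inetres.admx';          Dst = Join-Path $store 'inetres.admx' }
    @{ Src = Join-Path $local "$Language\inetres.adml"; Dst = Join-Path $store "$Language\inetres.adml" }
)

if (-not (Test-Path $store)) { throw "Central Store not found at $store" }

foreach ($f in $files) {
    if (-not (Test-Path $f.Src)) { throw "Missing local template: $($f.Src)" }

    $dstDir = Split-Path $f.Dst -Parent
    if (-not (Test-Path $dstDir)) { New-Item -ItemType Directory -Path $dstDir | Out-Null }

    # Keep a dated copy of the version being overwritten so the change can be reversed.
    # The .bak suffix means GPMC will not load it as a template.
    if (Test-Path $f.Dst) {
        $backup = "$($f.Dst).$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
        Copy-Item -Path $f.Dst -Destination $backup
        Write-Host "Backed up $($f.Dst) to $backup"
    }

    Copy-Item -Path $f.Src -Destination $f.Dst -Force
    Write-Host "Copied $($f.Src) -> $($f.Dst)"
}

# Confirm the store now carries the same bytes as the upgraded system (Get-FileHash: PowerShell 4+)
foreach ($f in $files) {
    $same = (Get-FileHash -Path $f.Src).Hash -eq (Get-FileHash -Path $f.Dst).Hash
    Write-Host ('{0}: {1}' -f (Split-Path $f.Dst -Leaf), $(if ($same) { 'OK' } else { 'MISMATCH' }))
}
```

Once the files are in place, any GPE/GPMC console in the domain reads the new settings from the Central Store rather than from its own local PolicyDefinitions folder, which is the point of having the store. On hosts older than PowerShell 4, drop the final hash check or replace it with a file-size comparison.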
Administrative Templates strengths. The IE Administrative Templates settings, like other Administrative Templates settings, are primarily designed to enforce behaviors on your IE users. When you configure an IE Administrative Templates setting, the user typically cannot undo it—the setting appears dimmed, or a corresponding tab is removed. For example, you can use this policy area to hide the Security tab in the Internet Options dialog box, and the user won’t see those options at all. In fact, when it comes to settings for disabling IE configuration features, you’ll most likely find them all in this policy area, as Figure 1 shows.
Generally, it works best to use Administrative Templates to configure a particular setting and to remove that setting from the menu altogether so that the user can’t even access it. Table 1 lists some common tasks that you can perform with this policy area and describes where you can access those settings.
Administrative Templates weaknesses. The biggest weakness of IE Administrative Templates is that you can’t use this functionality to configure many areas of IE behavior. The list of items you can’t configure includes the home page, proxy settings, and the options on the Advanced tab of the Internet Options dialog box (on the IE Tools menu). Additionally, if you want to configure a setting but also want to leave the user free to modify it, IE Administrative Templates is probably not where you’re going to do this, since none of its mandates can be changed by the user.
IE Maintenance Policy
As I mentioned earlier, I have a love-hate relationship with this policy area. Older versions of IE Maintenance were super buggy, and this led to a lot of frustration. That said, this mechanism was the only policy-based method for configuring settings such as proxy addresses until Internet Settings in Group Policy Preferences came along. Additionally, it’s still the only way to configure site-to-zone assignments that doesn’t prevent your users from adding their own sites to zones if they need to.
However, there’s still some irritating behavior in IE Maintenance. When you first configure an IE Maintenance policy and you want to define, for example, Security Options, you open the interface in Group Policy Editor (GPE) to find a dialog box that resembles Figure 2.