In Parts 2 through 5 of this series of articles, I described the many security settings in Microsoft Internet Explorer (IE) 5.0. (To locate Parts 1 through 5 of this series, select one of the related articles from the Article Information box at the right.) You've probably now identified some areas where you need to improve browser security. Like many administrators, however, you might have hundreds or even thousands of workstations where you need to make these changes. In addition, you need to prevent users from going back and reversing your stricter security settings. To accomplish all this in Windows 2000 (Win2K), you can use Group Policy Objects (GPOs) that you link to your Active Directory (AD) domain or to organizational units (OUs) in your domain.
To begin, you need to edit a GPO. For instance, to define IE settings for all users in your domain, open Active Directory Users and Computers, right-click the root of the domain, and select Properties. Select the Group Policy tab and edit the Default Domain Policy GPO, which contains several settings that pertain to IE configuration. First, navigate to User Configuration, Windows Settings, Internet Explorer Maintenance, as Figure 1 shows. In this area you can edit the same configuration settings that you access in IE through the Tools, Internet Options menu. The difference is that Win2K automatically applies the policies you define here to all the applicable users in the domain, so you don't need to configure each user separately. The Browser User Interface folder lets you customize IE's title, animated bitmaps, logo, and toolbar buttons. The Connection folder lets you configure how IE reaches the Internet, including proxy server settings. The URLs folder lets you configure Favorites, define standard home and search pages, and specify channels. The Programs folder lets you tell IE which email client to use or where to find contacts.
The folder of current interest to us is Security. Click Security, then double-click Security Zones and Content Ratings to bring up the Security Zones and Content Ratings Policy, as Figure 2 shows, where you can define settings for the same security zones I discussed in the previous four articles. Select Import the current security zones settings, which imports the zone configuration from the computer you are logged on to and opens the same dialog box you are accustomed to using in IE to configure security settings, as Figure 3 shows. You can now configure IE's security settings the way I showed you in Parts 2 through 5 of this series. Keep in mind that what you import is a snapshot of the local machine's zones, so configure and review the zones on that machine first, or edit them in the dialog box before you close the GPO.
Preventing Users from Reversing Policies
The Internet Explorer Maintenance folder is great for configuring IE, but you also need to prevent users from going into the settings and reversing all the policies you just defined. To prevent users from reconfiguring IE's security settings, go to User Configuration, Administrative Templates, Internet Explorer, click Internet Control Panel, and enable Disable the security page, as Figure 4 shows. When a user selects Tools, Internet Options in IE, the user won't see the Security tab. Note that this policy hides the user interface; the zone settings themselves still live in the registry, and Group Policy writes its restrictions to the HKEY_CURRENT_USER\Software\Policies subtree, which ordinary (non-administrative) users cannot modify. A user with local administrator rights can still edit those keys directly until the next policy refresh restores them.
Take a minute to explore the other folders in the Internet Explorer folder. You'll find several other functions you can disable to make your systems more secure.
Choosing the Right Location
Another area where you can control IE settings in Group Policy is under Computer Configuration, Administrative Templates, Windows Components, Internet Explorer, as Figure 5 shows. Policies you apply under Computer Configuration are based on the computer's location in AD, whereas policies you apply under User Configuration are based on the user's location in the domain. (To understand how Win2K applies Group Policy, read Part 1 and Part 2 of "Controlling Group Policy," in Windows 2000 Magazine.) Security Zones: Use only machine settings configures IE to read its zone settings from the computer's HKEY_LOCAL_MACHINE hive rather than from the profile of whoever is currently logged on, so the computer's settings apply to every user. You can also enable Security Zones: Do not allow users to change policies to prevent users from reconfiguring IE security. How do these policies differ from Disable the Security Page under User Configuration? The user-side policy follows the user to whatever computer he or she logs on to, while the Computer Configuration policies apply to the machine regardless of who logs on. Use the Computer Configuration policies for special-purpose computers (e.g., Internet kiosks in public areas) where you want to define policies for the computer no matter which user is at the keyboard.
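A way to confirm that both the user-side restriction (Disable the security page) and the two computer-side zone policies above actually reached a workstation is to read the registry values they produce. The following PowerShell is an added example, not part of the original article or of any Microsoft tool; PowerShell did not exist on Win2K, so run it on a later Windows client that receives the same policies. The key paths and value names are the ones the inetres.adm template writes for these three policies; the function name and the output layout are my own choices.

```powershell
# Added example: audit the registry footprint of the three IE lock-down policies.
# Expected values assume each policy was set to Enabled in the GPO.
$checks = @(
    [pscustomobject]@{
        Policy   = 'Disable the security page (User Configuration)'
        Path     = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
        Name     = 'SecurityTab'
        Expected = 1
    },
    [pscustomobject]@{
        Policy   = 'Security Zones: Use only machine settings (Computer Configuration)'
        Path     = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
        Name     = 'Security_HKLM_only'
        Expected = 1
    },
    [pscustomobject]@{
        Policy   = 'Security Zones: Do not allow users to change policies (Computer Configuration)'
        Path     = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
        Name     = 'Security_options_edit'
        Expected = 1
    }
)

function Test-IEPolicyState {
    # Returns one object per policy; Actual is $null when the value (or its
    # key) is absent, i.e. the policy never reached this computer or user.
    param([Parameter(Mandatory)][object[]]$Checks)

    foreach ($c in $Checks) {
        $actual = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.$($c.Name) }

        [pscustomobject]@{
            Policy    = $c.Policy
            Value     = '{0}\{1}' -f $c.Path, $c.Name
            Expected  = $c.Expected
            Actual    = $actual
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

# Run it as the user whose policy you want to check (the HKCU entry is per user).
Test-IEPolicyState -Checks $checks | Format-Table -AutoSize
```

A Compliant value of False with Actual empty usually means the GPO was not applied at all (wrong OU, filtered out, or not yet refreshed), whereas a wrong non-empty value points at a conflicting GPO that processed later; gpresult /r on the same client shows which GPOs were applied and in what order.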
Creating Subsets of Users
If you set IE policies in Default Domain Policy, you affect every user in the domain. To restrict your policies to a subset of users, you can create a GPO that links to an OU. Win2K will apply policies that you've defined in that GPO to just the users and computers in that OU. For instance, by using the Default Domain Policy GPO, you can define the standard restricted IE configuration you want to apply to most users. However, you might have a subset of power users that you don't want to restrict. To accommodate these power users, you can create an IE Power Users OU. Move your power users to that OU, create a GPO that links to the IE Power Users OU, and disable the restrictions as necessary. Because Win2K applies GPOs from the root of the domain down through OUs and sub-OUs, with the last GPO processed winning any conflict, the GPO that links to the IE Power Users OU overrides conflicting policies you defined in the Default Domain Policy. Remember the difference between enabling and disabling a restriction: If you enable Disable the Security Page, the Security tab disappears from Internet Options, but if you disable Disable the Security Page, IE displays the Security tab, even if other GPOs higher in the domain have enabled this policy. Disabled is an explicit setting that overrides the parent; leaving the policy Not Configured would simply inherit whatever the Default Domain Policy says.
But what if your power users are scattered throughout your existing OUs, and you can't collect them into their own IE Power Users OU without interfering with other GPOs or delegated authority connected to your current OU hierarchy? In that case, you need to create an IE Power Users group instead of an OU. Add the proper users to that group, right-click the root of your domain, and select the Group Policy tab. Using the New button, create a new GPO called IE Power User Exceptions. Edit the new GPO, and disable the appropriate restrictions for power users before closing the GPO. Use the Up and Down buttons, as Figure 6 shows, to make sure that IE Power User Exceptions is higher in the Group Policy Object Links list than Default Domain Policy so that it overrides the restrictions made in the Default Domain Policy. Finally, select IE Power User Exceptions, click Properties, select Security, and click Advanced. Delete the access control entry that gives Apply Group Policy permission to Authenticated Users, and add a new entry that gives this permission to IE Power Users, as Figure 7 shows. Be aware that the default Authenticated Users entry grants both Read and Apply Group Policy, and a GPO that a user cannot read is silently skipped, so the new entry for IE Power Users must grant Read as well as Apply Group Policy. Now the policies you define in IE Power User Exceptions will apply only to members of the IE Power Users group no matter where the power users are in the domain.
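The exception GPO built in the preceding two paragraphs (create it, link it above Default Domain Policy, disable the restriction, and filter it to a group) can be scripted end to end with the GroupPolicy and ActiveDirectory modules on a current domain controller. The following PowerShell is an added example written for this page, not a script from the article or from Microsoft. Assumptions, labelled in the code: the group IE Power Users already exists, the domain is whatever Get-ADDomain returns, and the only restriction being relaxed is Disable the security page, whose registry value (SecurityTab under the Internet Explorer\Control Panel policy key) is the one the ADM template writes. Everything else (GPO name, comment, variable names) is my own.

```powershell
# Added example: build the group-filtered "IE Power User Exceptions" GPO.
# Requires RSAT (GroupPolicy + ActiveDirectory modules) and a GPO-creator account.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # assumption: current user's domain
$gpoName  = 'IE Power User Exceptions'
$group    = 'IE Power Users'                   # assumption: the group already exists

# 1. Create the GPO and link it at the domain root with Order 1, which puts it
#    above Default Domain Policy in the link list (same as the Up button in Figure 6).
$null = New-GPO -Name $gpoName -Comment 'Relaxes IE lock-down for members of IE Power Users'
$null = New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes -Order 1

# 2. Explicitly *disable* "Disable the security page" in this GPO. -Disable writes
#    the delete instruction for the value, the same thing the editor's Disabled
#    radio button does, so it overrides the Enabled setting in Default Domain Policy.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'SecurityTab' -Disable | Out-Null

# 3. Security filtering. Authenticated Users normally holds Read + Apply Group Policy.
#    Drop it to Read only (not None): on domains patched for MS16-072 the computer
#    account reads user GPOs, and a GPO it cannot read is skipped for everyone.
#    GpoApply for the group includes Read, which the article's Figure 7 step also needs.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Show the result: who the GPO applies to, and where it sits in the link order.
Get-GPPermission -Name $gpoName -All |
    Select-Object Trustee, Permission | Format-Table -AutoSize
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Select-Object Order, DisplayName, Enabled | Format-Table -AutoSize
```

After the next policy refresh, log on as a member of IE Power Users on any workstation and confirm with gpresult /r that IE Power User Exceptions appears under Applied Group Policy Objects for the user and that the Security tab is back; a user outside the group should still show the GPO under Filtering: Denied (Security), with the tab hidden.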