Jaa


Internet Explorer Administration Kit and Group Policy in IE7

I am a program manager on the Internet Explorer team and in this post I would like to share what we are doing in the manageability, customization and deployment space. The two key features are IEAK 7 - The Internet Explorer Administration Kit, and GP - Group Policy in Internet Explorer 7.

Before going on to IEAK & GP, I want to briefly talk about some terms I have used ahead -

Deployment - The process of distributing and installing a software program on a number of machines. This becomes important as administrators move up to hundreds, thousands, or even hundreds of thousands of computers.

Customization - The process of specifying the defaults, like default home page, favorites, or security settings.

Preferences - are defaults for various settings that administrators might want to provide as a one time thing. Users always have the option to change these as desired by them. E.g. administrator specifying the home page as a preference and user having the ability to change it by going to tools, internet options and general tab in Internet Explorer.

Policies - are restrictions on settings that administrators would want to enforce to respect a company policy, as opposed to allowing the users to configure the application as per their preference. Policies can be applied to any logical groups E.g. when Group Policy is set at the local computer level, everyone who logs on to the local machine is affected by the policy settings (Local Group Policy).

Manageability - ability to manage or lock down the settings in an application using policies. It is required for enforcing company policies and most importantly, to avoid misuse of the applications and safeguard interests of corporations by enforcing (policies) security settings. E.g. an administrator might want to turn on anti-phishing and avoid the users from turning it off in his organization. He can do so by setting a policy to "Turn off managing the phishing filter".

Thus in an end to end scenario,a corporate administrator might want to install (deploy) internet explorer on a number of machines in his corporation. He may want to customize it by specifying the default home page, favorites etc. He may also want to manage internet explorer by pre-specifying certain security settings and locking them down so that users can’t modify them.

Active Directory – This is a part of the Windows Server environment and is used by companies with domains and organizational units (OUs). An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed and to which a Group Policy object can be linked and policy be applied. Active Directory provides essential directory services for the domain and provides features that enable advanced controls through Group Policy.

IEAK vs. Group Policy

In an Active Directory environment, the administrator can deploy and manage Internet Explorer using the Active Directory infrastructure. He has the ability to lock down Internet Explorer settings using Group Policy. This is the best way for managing Internet Explorer settings and is consistent with how other Windows settings can be managed. Also in an Active Directory environment, a client side extension ensures that policies are applied all the time. If policies are changed, they can be refreshed immediately rather than relying on a logon or startup script of the user machine for policies to get applied.

Consider a non Active Directory environment where a corporate administrator wants to deploy, customize and manage Internet Explorer. In such a scenario, the admin can use the IEAK to perform all three.  Administrators can deploy Internet Explorer using IEAK in a variety of ways, including creating a CD or hosting on an internal server or creating flat files (all files in one directory). If you build your packages on a local area network you can select the flat file option to place all the necessary files in one folder under the target destination

For those of you who can’t use Group Policy and wish to customize Internet Explorer 7 by setting preferences, IEAK 7 is the way to go.

Target scenarios for IEAK 7

  • A corporate system admin wants to deploy IE7 and have it immediately configured according to specifications.
  • A corporate system admin wants to give IE7 to users but wants to add additional updates for internal apps in the same deployment.
  • An ISP wants to provide a customized IE7 to its users.
  • An ISV/ICP wants to include a customized IE7 with its application.
  • An OEM wants to deploy a custom IE7 package on its machine.

What is new in Internet Explorer Group Policy - We have made most existing IEM (Internet Explorer Maintenance - snap in to the Group Policy Editor) settings, including IEM preference mode settings, available outside of Preference Mode as true policies. This will provide corporate administrators greater control in locking down some of the legacy Internet Explorer settings. We have also provided policies for all new IE7 features and made the Internet Control Panel Group Policy aware.

What is new in IEAK 7? - As I described above, IEAK 7 allows deployment, customization & management of Internet Explorer for corporations, Internet Service Providers (ISPs), Original Equipment Manufacturers (OEMs), Independent Software Vendors (ISVs) and Internet Content Providers (ICPs). IEAK 7 makes this available for IE 7, providing customization abilities for all new features in IE7. Here’s a sneak preview of some of them -

Customization of Feeds -

Customize Feeds

Ability to Add Search Providers and set Default Search Providers

Ability to customize multiple Home Pages for various tabs -

Customize Multiple Home Pages

Additional improvements in IEAK 7 include -

  • Improved user experience through a better layout and structure of the wizard aimed at exposing key features in a user-friendly manner.
  • Components that shipped with previous Internet Explorer versions but are not shipping with Internet Explorer 7, such as Outlook Express and Windows Media Player, will no longer be configurable in IEAK7
  • Ability to create small branding packages that can customize existing installations of Internet Explorer 7 without requiring Internet Explorer to be downloaded on the client machine.

Thus if you have large number of machines and a number of Organizational Units (OUs) to manage, we strongly recommend Group Policy as the best way to do it. If you can’t, there are a number of changes in IEAK7 that will make your life easier. You can check out IEAK by downloading and trying the following – IEAK7 B2P or IEAK6 SP1. You can read more about IEAK at Technet.

Have a feature suggestion? Love to hear from you…

 - Puneet

Comments

  • Anonymous
    February 21, 2006
    PingBack from http://dancmorgan.wordpress.com/2006/02/21/internet-explorer-administration-kit-and-group-policy-in-ie7/

  • Anonymous
    February 21, 2006
    > Ability to customize multiple Home Pages for various tabs

    Sounds great. But just to make sure I understand correctly, your saying that IE will have multiple tabs already open upon launch of the application?

    If so, is it possible to have IE do this without the IEAK?

  • Anonymous
    February 21, 2006
    The comment has been removed

  • Anonymous
    February 21, 2006
    How does the new IEAK7 compare to the Firefox 1.5 CCK (Client Customization Kit)?

  • Anonymous
    February 21, 2006
    > How does the new IEAK7 compare to the Firefox 1.5 CCK (Client Customization Kit)?

    Like Saab 9-5 Aero to Open Ascona :)

  • Anonymous
    February 22, 2006
    I'm confused a little by this post.  Right now for my IE 6 users there home page is set by group policy and they cannot change this.  However in IE& Beta 2, I can change the home page by selecting the drop down from the Home icon and select change home page.  Will this be fixed differently or do I now need the IEAK?

  • Anonymous
    February 22, 2006
    What about deploying a customized version of IE using the IEAK, and then managing that IE installation with GPOs?  Is this possible, and are there any drawbacks to managing IE this way?

  • Anonymous
    February 22, 2006
    The comment has been removed

  • Anonymous
    February 22, 2006
    Oh, almost forgot.
     We want to rollout mass extensions too.  E.g. As soon as the Firefox "AdBlock" equivelent is available for IE, we will want this on all PC's.  Will the new extension developers be able to develop to work within the IEAK? or will we need to spawn a task to install this seperately on each PC?

    Thank you

  • Anonymous
    February 22, 2006
    I know it's horrifyingly rude to ask questions off-topic, so please ignore if you see fit, but...

    Will IE7 be installed automatically with Windows Update, or will users be required to download and install it manually?

  • Anonymous
    February 22, 2006
    When I try and download the new iTunes from Apple (dam them) then there is a mixed content page, i.e. secure and non-secure items. IE7 has displays a bar at the top as a warning but when you say "allow blocked content" then it tries to resend the info and the apple website doesn't handle it.

    While this is because Apple is stupid, it's annoying that I have to open up firefox to download the software and would be nice if it was fixed up.

    Here's the URL to try for yourself: http://www.apple.com/itunes/download/

  • Anonymous
    February 22, 2006
    Hi Jonathan and Jacob,

    Yes the Home page can still be locked down using Group Policy as before and you dont need IEAK for this.
    The issue you pointed out about the Home icon for Beta 2 Preview is a known issue and will be fixed.

    thanks
    -Puneet

  • Anonymous
    February 22, 2006
    I would like to be able to customise the Popup Blocker via group policy. We have a web based application that we use and this has popups which are then blocked by IE6 and we have to manually go through with the user setting up an exemption

    Also to do with popups, I would like to be able to disable specific add-ons via group policy. After we go through the above with allowing popups they then still report a problem because Google or Yahoo toolbars are separately blocking them.

    Thanks

  • Anonymous
    February 23, 2006
    Puneet,

    Thanks for the response, is this the best place to report issues like this?  Or the Channel9 wiki or some other location?

  • Anonymous
    February 23, 2006
    Jonathan,

    Please see the blog post at http://blogs.msdn.com/ie/archive/2006/01/31/520817.aspx on how to report issues.

    - Al Billings [MSFT]

  • Anonymous
    February 23, 2006
    It sounds as if for public use (e.g., college)deployment, you'd want a configuration that, while not necessarily locked down, always launched "clean" (as configured), with nothing (bookmarks, cookies, cache, settings) persisting once the browser is closed.

  • Anonymous
    February 23, 2006
    The comment has been removed

  • Anonymous
    February 23, 2006
    The comment has been removed

  • Anonymous
    February 27, 2006
    In Re: Feeds

    I just moved to another computer and reloaded my "Feeds" for IE7 that I had exported from my other computer and stored in my private sharepoint files area (a great way to move things across the net and thru firewalls, etc.)

    When I opened IE7 it proceeded to mark every feed as "new /unread".

    Not sure if possible, but with hundreds of feeds it would be nice if the export/import functions would save the state indicating the date/time of last refresh so when importing feeds they don't all default to "unread".

    Would also like to see a single "Save state" command instead of having to use both "File export bookmarks" and "file export feeds" to move the whole "personality" of IE7 on one machine to another.

  • Anonymous
    June 12, 2006
    Hello, we are Durga and Bala, from the IE IDC team. We would like to describe to you, a new feature in...

  • Anonymous
    November 07, 2006
    http://blogs.msdn.com/ie/archive/2006/02/21/536353.aspx A great article by the ieblog team talking about...

  • Anonymous
    January 18, 2007
    Hello everyone, I blogged earlier about the work we have done in IE7 for IT Pros. For those of you who

  • Anonymous
    May 13, 2008
    PingBack from http://macie.freemusicoutletdesign.info/samplescustomgrouppolicy.html

  • Anonymous
    January 21, 2009
    PingBack from http://www.hilpers.it/1861731-distribuire-ie7-via-gpo

  • Anonymous
    May 29, 2009
    PingBack from http://paidsurveyshub.info/story.php?title=ieblog-internet-explorer-administration-kit-and-group-policy-in-ie7

  • Anonymous
    June 09, 2009
    PingBack from http://sharovatov.wordpress.com/2009/06/10/firefox-build-your-own-browser-a-copy-of-ieak/

  • Anonymous
    June 09, 2009
    PingBack from http://sharovatov.wordpress.com/2009/06/09/firefox-build-your-own-browser-and-ieak/

  • Anonymous
    June 13, 2009
    PingBack from http://barstoolsite.info/story.php?id=1107