Overview of Internet Explorer Group Policies
Friday, July 06, 2007 4:59 AM
Today we're going to discuss IE Group Policies. If you're unfamiliar with Group Policies, I highly recommend that you read our earlier post on the Basics of Group Policies. When dealing with IE group policies, there are two types of settings to consider - IE Maintenance and IE Administrative templates. Let's look at IE Maintenance policies first.
IE Maintenance policies are a collection of registry settings and files that can be used to configure either mandatory or default settings for IE. The IE Maintenance Extension leverages the Internet Explorer Administration Kit (IEAK) management infrastructure to configure IE. The settings for these policies are located in User Configuration\Windows Settings\Internet Explorer Maintenance. The IE Maintenance Extension uses two sets of extensions, a snap-in extension to the GPO editor (ieaksie.dll) and a Client-Side Extension (iedkcs32.dll). IE Maintenance settings can be set in two different modes, Policy mode or Preference mode. The mode setting for IE Maintenance extension settings is exclusive within a GPO - policy and preference mode settings cannot coexist in the same GPO.
Policy mode sets mandatory IE settings and is used to enforce security, interface and other IE settings. The settings are reapplied either when the GPO is forcefully reapplied, or when the policy changes. Although a user may make some changes to the settings while they are in IE, the next time the policy is reapplied (for example at system startup), these changes will be reverted to the policy settings.
By contrast, Preference mode sets the default IE settings for user the first time that the GPO is applied to the machine. Thus, the starting configuration for the users is the same at first, but they are able to personalize their configuration.
Preference Mode allows for one time branding. Even if an Administrator modifies the IE Maintenance Policy to make changes to the policy in Preference mode, they will not be applied unless the the browser options are reset. Preference mode enables two additional groups of settings - Corporate and Internet as shown in the diagram.
Corporate settings are used to configure temporary internet file settings, and download locations for ActiveX controls and Java code. Internet settings are used to configure IE link and text colors, Autocomplete settings, how often IE checks for updates and other advanced settings.
When IE maintenance policies are configured, an install.ins file is created. This file resides in the unique GUID subfolder for the policy in the SYSVOL folder of the domain controllers. During user login this file is downloaded to the client when the IE Maintenance policies are applied. The file resides in the Application Data\Microsoft\Internet Explorer\Custom Settings\Custom# folder. If there are multiple IE maintenance policies being applied, then there will be multiple Custom# folders. The install.ins file may also be applied from IEAK packages or from the Internet Connection Wizard.
Now let's take a look at IE Administrative Template policies. These policies are used to configure IE via registry based policies using .ADM files. The standard IE settings are located in the GPO editor under (Computer or User)\Administrative Templates\Windows Components\Internet Explorer as shown in the diagram. The client side extension that processes the .ADM files and registry settings is userenv.dll. Similar to normal group policies, the user cannot override these settings. When the policy is created, a REGISTRY.POL file will be placed in the unique GUID subfolder for the policy in the SYSVOL folder. Depending on where the settings are configured within the policy, the file may be user or computer specific.
And that brings us to the end of our overview on IE Group policies. In our next post on IE GPO's we'll take a look at troubleshooting IE Policy issues.
Additional Resources:
- IE Maintenance Extension Technical Reference
- Using Administrative Template Files
- KB 816662: Recommendations for managing .adm files
- KB 316977: Group policy template behavior in Windows Server 2003
Comments
- Anonymous
July 28, 2011
Hi,Please help me to find 'Allow previously unused ActiveX Controls to run without prompt' settings in IE 8 GPOunder Administrative Templates.Is it removed or exist with another description. - Anonymous
March 06, 2012
GPO Location: Windows ComponentsInternet ExplorerAvailable in Machine and User configurationPolicy name: Turn off ActiveX opt-in promptRegistry Location: SoftwareMicrosoftWindowsCurrentVersionPoliciesExt!NoFirsttimepromptApplies to: At least Internet Explorer 8.0If you enable this policy setting, the ActiveX opt-in prompt will not appear.Internet Explorer spreadsheet gpo list can be downloaded from this link:www.microsoft.com/.../details.aspxThe policy settings included in this spreadsheet cover Internet Explorer 5, Internet Explorer 6, Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9.