次の方法で共有


How Internet Explorer Maintenance Extension Works

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

How Internet Explorer Maintenance Extension Works

In this section

  • Internet Explorer Maintenance Extension Architecture

  • Internet Explorer Maintenance Extension Physical Structure

  • Internet Explorer Maintenance Extension Processes and Interactions

  • Related Information

The Internet Explorer Maintenance Extension of the Group Policy Object Editor enables administrators to define an Internet Explorer configuration as part of a Group Policy Object (GPO). The GPO is linked to Active Directory containers such as sites, domains, or organizational units (OUs), and enables management of the Internet Explorer configuration for multiple users on any computer joined to the domain that is capable of using Group Policy.

Deployment of Internet Explorer Maintenance Extension settings requires Group Policy in a Windows 2000 or Windows 2003 Active Directory environment, and Windows 2000 Professional or Windows XP clients.

Internet Explorer Maintenance Extension Architecture

The following figure illustrates the components important to the Internet Explorer Maintenance Extension.

Internet Explorer Maintenance Extension Architecture

IE Maintenance Extension Architecture

These components are described in the following table. Components not seen in the figure, but important to the process, are also described.

Internet Explorer Maintenance Extension Logical Architecture Components

Component Description

Group Policy engine

This component is the framework that manages and implements the Group Policy settings and configurations, made by the admin, across all client-side extensions (CSE). Userenv.dll is the Group Policy engine module.

Internet Explorer Maintenance Client-Side extension (CSE)

The Internet Explorer Maintenance CSE is the component that is called by the Group Policy engine, and that applies the Internet Explorer Maintenance settings. The Internet Explorer Maintenance CSE writes the relevant information into the registry.

WinLogon

WinLogon is the service that contains the Group Policy engine.

Resultant Set of Policy (RSoP) snap-in

This component displays the results of Group Policy, including what Group Policy settings have been applied and when they were last applied. For more information about RSoP, see “What Is Resultant Set of Policy?.”

Local GPO

Contains Group Policy settings for the local computer, including potential Internet Explorer Maintenance policies.

The CSE registration information is written at setup to the HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\ GPExtensions registry key. This registry key structure exists on both the target and domain controller systems.

Internet Explorer Maintenance Extension Physical Structure

Understanding where Internet Explorer Maintenance Extension policy settings are stored and how they are structured can help you troubleshoot problems you might encounter when you implement Internet Explorer Maintenance. Although GPOs can be linked to sites, domains, and OUs, they are stored only in the domain. See the “How Core Group Policy Works” topic in this collection for more information about how Group Policy stores its data.

The following table lists the setting types and the locations where Internet Explorer Maintenance Extension policy configuration files are stored on both the local computer and the domain.

Physical Structure Components

Setting Type Policy File Name

Browser Title

install.ins

Custom Bitmaps

Install.ins

\Branding\Logo\<<small logo file name>>

\Branding\Logo\<<big logo file name>>

\Branding\Animbmp (empty folder created)

Toolbar Customization

\install.ins

\Branding\Btoolbar\<<color logo file name>>

\Branding\Btoolbar\<<grayscale logo file name>>

\Branding\Toolbmp\<<toolbar bmp file name >>

Connection Settings

\install.ins

\Branding\cs\connect.set

\Branding\cs\cs.dat

Automatic Browser Configuration

\install.ins

Proxy Settings

\install.ins

User Agent String

\install.ins

Favorites and Links

\install.ins

Important URLs

\install.ins

Security Zones

\install.ins

\Branding\Zones\seczones.inf

\Branding\Zones\seczrsop.inf

Content Ratings

\install.ins

\Branding\Ratings\ratings.inf

\Branding\Ratings\ratrsop.inf

Authenticode Settings

\install.ins

\Branding\Authcode\authcode.inf

Programs

\install.ins

\Branding\Programs\programs.inf

Corporate Settings

\Branding\Adm\inetcorp.adm

\Branding\Adm\inetcorp.inf

Internet Settings

\Branding\Adm\inetset.adm

\Branding\Adm\inetset.inf

Domain policy settings use the Fully Qualified Domain Name (FQDN) to reference GPOs. There are two main paths where the configuration files are stored:

  • Domain policy files are stored in the folder \\FQDN\Sysvol\FQDN\Policies\<GPOGUID>\User\Microsoft\IEAK

  • Local Machine policy files are stored in the folder %windir%\System32\GroupPolicy\User\Microsoft\IEAK

The following figure shows the files used by the Internet Explorer Maintenance Extension and where they are stored on both the domain controller and client computers.

Internet Explorer Maintenance Extension File Storage

Maintenance Extension File Storage

Internet Explorer Maintenance Extension Processes and Interactions

When working with Internet Explorer Maintenance settings, you can use one of two interfaces. To configure Internet Explorer Maintenance Extension settings, use the Group Policy Object Editor. Use the Group Policy Management Console (GPMC) to view the Internet Explorer Maintenance Extension settings contained within a GPO.

Using Group Policy Object Editor with Internet Explorer Maintenance

To configure Internet Explorer Maintenance settings, an Administrator sets up Internet Explorer on a client computer with the settings to be included in the GPO. The Administrator then uses the Group Policy Object Editor to import the settings for the Security Zones, Content Ratings, Authenticode Settings, Programs, and Connection Settings, areas of the Internet Explorer Maintenance Extension and saves them as part of a GPO. The following figure shows the Internet Explorer Maintenance Extension interface used to import Connection Settings into a GPO.

Importing Internet Explorer Settings

Importing Internet Explorer Settings

Configuring and Importing Internet Explorer Maintenance Settings to a GPO

Administrators import settings from the appropriate settings dialog boxes in the Internet Explorer Maintenance extension of Group Policy Object Editor. The following things occur when the settings are imported:

  • The IEAK Engine (ieakeng.dll) hosts the Internet Options Control Panel (inetcpl.cpl), which then reads the current settings from the registry.

  • The Administrator then modifies the settings using the user interface of inetcpl.cpl.

  • When the settings are saved, they are written back to the registry by inetcpl.cpl. Ieakeng.dll then imports them to the appropriate GPO files.

The following figure illustrates the process of importing Internet Explorer Maintenance Extension settings.

Importing Internet Explorer Settings in XP

Importing Internet Explorer Settings in XP

Note

  • If an administrator tries to view the settings in a GPO by clicking Modify Settings, the current settings from the registry, instead of the GPO, are immediately imported. Clicking OK then overwrites the settings stored in the GPO with the settings in effect on the client, deleting the settings previously contained in the GPO. In this event, the administrator cannot view the GPO to find out what the previous settings were. It then becomes difficult to reconfigure the settings.

Using the Group Policy Management Console to View a GPO

To avoid overwriting the Internet Explorer Maintenance settings in a GPO, use GPMC to view the Internet Explorer Maintenance settings. GPMC runs on Windows XP Professional SP1 and Windows Server 2003 computers, and can manage Group Policy in either Windows 2000 or Windows Server 2003 domains. To see the settings contained in a GPO using GPMC, an Administrator views the Settings tab of the GPO as shown in the following figure.

Viewing Internet Explorer Maintenance Settings in GPMC

Viewing Maintenance Settings in GPMC

Applying GPO Settings to a Client Computer

The Internet Explorer Maintenance Extension uses the Internet Explorer Administration Kit (IEAK) infrastructure for both storage of settings and application to the client system.

When Group Policy is applied, Client-Side Extensions process the GPO. Internet Explorer Maintenance settings are handled by the Internet Explorer branding DLL (iedkcs32.dll). The Group Policy CSE invokes iedkcs32.dll, and two things happen:

  1. The Group Policy CSE copies all IEAK settings files created using Internet Explorer Maintenance, listed in the previous Physical Structure Components table, to the following locations:

    Documents and Settings\<<username>>\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\

    And

    Documents and Settings\<<username>>\Application Data\Microsoft\Network\Connections\pbk\Rasphone.pbk (for connection settings)

    Note that the policy’s directory structure shown in the previous Physical Structure Components table is not replicated.

  2. The Branding DLL then applies the settings from the downloaded files to the registry on the client system. There are four possible locations for the registry settings:

    • HKLM\Software\Policies (preferred)

    • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies

    • HKCU\Software\Policies (preferred)

    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

    These locations have security permissions that a standard user cannot modify in order to change applied policy settings. These keys are created the first time a GPO configures them.

Because the IEAK settings files are stored in the user’s profile, the user has full-access permissions and can modify their contents. When the GPO is updated, the files are copied from the policy’s directory structure back to the user profile and any changes the user might have made are overwritten. Although users can modify files in their own profile, attempting to execute the .inf file will give them an Access is denied error if they attempt to write settings to a key located in the secure registry branches previously specified.

If the user has a roaming profile, the IEAK settings files in the profile can be applied when roaming. This will happen if a roaming profile user logs on to the network from a computer that can’t use Group Policy, or from one that isn’t linked to a GPO containing Internet Explorer Maintenance Extension settings. If a user has manually changed the Internet Explorer Maintenance Extension settings located in their user profile, the user’s settings will be applied to the computer. This has the potential of circumventing browser and security settings configured by the administrator. However, any settings appropriately locked-down in the registry (such as security and connection settings) will not have this problem.

The following contains additional information that is relevant to this section.