Internet Explorer ADM and Internet Explorer Maintenance Policies

Finding Internet Explorer ADM Policy Settings

Windows XP/SP2 and Windows 2003/SP1 now have an additional 619 possible policy settings at their disposal. You'll find most of these settings at Administrative Templates ˜ Windows Components ˜ Internet Explorer ˜ Internet Control Panel ˜ Security Page. These settings are under both User Configuration and Computer Configuration nodes. There's a ton to explore there, and it is beyond the scope of this book.

In Chapter 2, we discussed how Microsoft has an Excel spreadsheet with every policy setting available for download. To get a grip on all that's new here, I suggest you download it (track it down via GPanswers.com in the "Microsoft Resources" section) and then click on the "Inetres.adm" tab of the spreadsheet. Here you can isolate and check out just the Internet Explorer settings, select to see only the new policy settings for "at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1" and get a feel for what's new and what you might choose to use in your environment.

Internet Explorer Maintenance Policies

How about this lovely scenario: You spend Friday night at the office putting together a new Internet proxy server. You have 10,000 clients , and now you have to update them. You could walk around to each of them to tell Internet Explorer the name of the new proxy server. However, if you use Group Policy with Internet Explorer Maintenance policies, you simply set the name of the new proxy server from upon high and go home for the night.

You set Internet Explorer Maintenance settings for users by traversing down to User Configuration ˜ Windows Settings ˜ Internet Explorer Maintenance .

You'll find all sorts of gizmos to play with that control Internet Explorer: home page settings, proxy settings, security zone settings, favorites, and so on. Again, a complete rundown of all the Internet Explorer Maintenance Mode settings is beyond the scope of this book; however, there is one "not so obvious" element to this branch of Group Policy: the two modes you can use to deploy Internet Explorer Maintenance settings.

Mandatory Mode Acts like other Group Policy settings; that is, your desires are forced upon your client machines. If users change them, the settings are restored. Using this mode is helpful when you want to guarantee important options such as security settings and proxy settings. Additionally, you'll need to set the Internet Explorer Maintenance Policy Processing policy setting (located in Computer Configuration ˜ Administrative Templates ˜ Group Policy). You also need to ensure that the Process even if Group Policy Objects have not changed setting is selected. Again, you must specify both settings for this to work properly.

Preference Mode Sends down the settings only once and then allows users to change them if they desire . This mode is good for users whom you want to give some degree of liberty (for example, developers) but want to encourage to use your preferred settings.

The Internet Explorer Maintenance interface is a little goofy. For some items (such as customized program settings), you'll literally import the settings from the machine on which the Group Policy Object Editor is actually running. Additionally goofy is that once you make a change to Preference mode, you cannot return to Mandatory mode without wiping out all your settings (via the Reset Browser Settings option).

Windows 2003 and Windows XP allow for what is known as "Internet Explorer Hardening," which is meant to prevent rogue Active X controls and the like from applying. Active X controls are little pieces of code that enhance the Internet Explorer experience, but could be used maliciously. Microsoft has two great references on the subject: http://tinyurl.com/54wwd and http://tinyurl.com/cf7pt . You can also search Microsoft's website for "Internet Explorer Enhanced Security Configuration."

Internet Explorer Settings Warning

As stated, setting up the Internet Explorer settings can be a bit wacky. There's one more wacky piece that makes them sometimes very difficult to work with. Setting some policy settings within Internet Explorer are "sticky." That is, they don't act like regular policy settings that just revert to some default when they don't apply.

The one that comes to mind is the Internet Explorer Maintenance proxy server setting (mentioned previously). If you later choose to work without a proxy server and kill the GPO, the proxy setting you set sticks with all your clients. It doesn'tdoes notpeel off the setting. This is a major hassle and one that has no great answer to fix. I suspect it will get fixed in a hotfix for Windows XP/SP2 and/or Windows 2003/SP1, and likely be updated in future versions of Windows.

I've heard reports of other Internet Explorer settings being sticky; but in my testing, the proxy setting is the only one I've witnessed being sticky. In short, before rolling out Internet Explorer settings (of any kind), you should also ensure that the settings you roll out are nonsticky. Or, if they are sticky, you've got a backout plan to remediate the stickiness if you need to.