Internet Explorer Administration Kit

Let's begin by considering how you can deploy and install Internet Explorer 5 and associated components in your enterprise. (Managing client connections is covered later in this chapter.) The installation of Internet Explorer 5 isn't an issue if your desktop machines all have Microsoft Windows 2000 Professional installed on them, because Internet Explorer 5 is included with the Windows 2000 Professional operating system, but configuring, managing, and updating these machines is an important aspect of network administration in a Microsoft Windows-based network.

Fortunately, Microsoft provides a set of tools—called the Internet Explorer Administration Kit (IEAK)—that makes it easy to deploy, install, customize, and manage Internet Explorer 5 on the desktop. The IEAK contains tools that can be used to customize the configuration of Internet Explorer 5 to match your organization's needs. For example, administrators can specify a home page, a Favorites list, a Links bar, and so on. This customization can be done prior to installing Internet Explorer 5 on desktop machines, and the Setup program that installs it can itself be configured to require minimal user intervention during installation.

In addition, administrators can prevent users from modifying specified configuration settings such as security and connection settings. This reduces the support costs of maintaining and troubleshooting Internet Explorer 5 deployments and facilitates adherence to corporate standards and policies with regard to Internet access. The tools and programs that make up the IEAK include the following:

• Internet Explorer Customization Wizard This wizard provides administrators with an easy way of configuring and building customized installation packages for Internet Explorer 5 and its associated components. Administrators can use the wizard to create special packages for mobile users with limited hard disk space on their machines; create packages that can be installed from network shares, CD-ROMs, or over the Internet; create packages with different security settings for different groups of users; and so on.
• IEAK Profile Manager This tool can be used by administrators to manage users' settings automatically after Internet Explorer 5 has been installed on their machines.
• IEAK Toolkit This is a miscellaneous collection of programs and files that helps administrators configure and manage various aspects of Internet Explorer 5 and its associated components. The Toolkit contents are located in the Toolkit folder of the IEAK program folder.

The IEAK is designed to be used by corporate network administrators, Internet service providers, and Internet content providers. This chapter focuses on its use within the enterprise network.

Another component of the IEAK is the Connection Manager Administration Kit (CMAK). This kit provides administrators with an easy way of configuring and building customized Microsoft Connection Manager dialers that can be installed on users' machines to configure their Internet connection. Windows 2000 Server includes a newer version of this component than the one included with IEAK 5; it can be used to create customized Connection Manager service profiles for client machines running Windows 2000 Professional. The version of CMAK included with the IEAK can create service profiles only for earlier versions of Microsoft Windows. The CMAK for Windows 2000 is discussed later in this chapter.

Obtaining the IEAK

The IEAK is included in the Microsoft Internet Explorer 5 Resource Kit, available from Microsoft Press. You can also download the IEAK for Internet Explorer 5.01 from Microsoft's IEAK Web site at http://www.microsoft.com/windows/ieak.

However you obtain the IEAK, you need to go to Microsoft's IEAK Web site afterward and register your copy to obtain the necessary customization code to run it. This involves creating a personal profile for yourself and choosing a licensing agreement. (You must specify whether you will be using the IEAK to distribute Internet Explorer 5 to either corporate intranet users or external Internet users.) Once you've completed the profile and accepted the agreement, the customization code is e-mailed to you immediately.

Installing the IEAK

Installing the IEAK is straightforward and is done from the main menu of the Microsoft Internet Explorer Administration Kit 5 CD (or the CD that accompanies the Microsoft Internet Explorer 5 Resource Kit). By default, the application is installed in the folder C:\Program Files\Ieak.

Planning Your Internet Explorer 5 Deployment

The IEAK gives administrators a great deal of control over most aspects of Internet Explorer 5 and its associated components, including the ability to lock down program settings to prevent users from changing them. Before actually creating the installation packages, you need to carefully plan how you want to customize them. In doing so, ask yourself questions like these:

• Which version of Internet Explorer (5.01, 5.5, 6, or later) should you deploy to which users? (Windows 2000 users already have 5.01 and Windows XP users already have 6).
• Which groups of users need their own specially tailored Internet Explorer 5 installation packages?
• What platforms (32-bit Windows, 16-bit Windows, UNIX) will you need to create packages for?
• What Internet Explorer 5 components will each group of users need?
• What settings need to be preconfigured for users?
• Which settings should users be able to modify and which should be controlled by administrators?
• What media (CD-ROM, floppy disks, network share, Web directory) will be used for storing your installation packages?
• What third-party software do you want to include in the installation packages?
• What additional desktop and user settings do you want to configure?

If you use the Automatic Version Synchronization feature of the Internet Explorer Administration Kit, you'll be able to easily deploy Internet Explorer 5.01 with the latest service pack already applied. Windows 2000 users can obtain the latest Internet Explorer service pack from Windows Update. Windows 2000 service packs also update Internet Explorer to the latest service pack level; for example, installing Windows 2000 Service Pack 3 automatically updates Internet Explorer 5 to 5.01.

In addition, you need to think about these questions:

• What machine will you use for building installation packages? This machine must be running a 32-bit Windows operating system, have Internet Explorer 5 installed, and have sufficient hard disk space to store the packages you create.
• Have you created any custom bitmaps, Favorites lists, digital certificates, or other items required for creating installation packages? You can import Internet Explorer 5 settings from a machine that is already appropriately configured.
• What connection profile will you use? Have you already established one, or will you need to create a new one as part of the process of creating an installation package?

Creating an Installation Package

The Microsoft Internet Explorer Customization Wizard is used to create custom Windows Update Setup packages for installing Internet Explorer 5 and its associated components. These packages can then be distributed to users on CD-ROMs or floppy disks, as e-mail attachments, or as downloads available from a shared folder on the network or from a Web page. The wizard also lets you create different packages for different groups of users. Packages can be created either from scratch or with settings imported from an existing Internet settings (.INS) file (also called an IEAK profile) on a machine that is already configured. An IEAK installation package contains the following:

• The Internet Explorer 5 Setup file (Ie5Setup.exe) and its associated.INF file
• Various program files
• The branding cabinet file (Branding.cab) containing .INS, .INF, and other customization files
• The component information cabinet file (Iecif.cab) containing additional components and their customization files

To run the Customization Wizard on the build computer on which the IEAK is installed, click Start, point to Programs, point to Microsoft IEAK, and choose Internet Explorer Customization Wizard. This opens the initial screen of the wizard (Figure 30-1).

Figure 30-1. The opening screen of the Microsoft Internet Explorer Customization Wizard.

The Customization Wizard runs in five stages, using a series of step-by-step screens. The screens that are presented during each stage depend to an extent on the various choices you make along the way, so we can present here only a general outline of the steps that might be involved in a typical customization session. For a more detailed explanation of how to use the IEAK, see either the online Help file for the product or the Microsoft Internet Explorer 5 Resource Kit.

Stage 1: Gathering Information

Stage 1 of the Customization Wizard, the first screen of which is shown in Figure 30-2, prompts the user for basic information such as the company name, customization code, role, target media, and so on. You must provide a valid customization code or the wizard runs only in demo mode.

Figure 30-2. The screen that introduces Stage 1 of the Microsoft Internet Explorer Customization Wizard.

The wizard leads you through the following screens:

1. Company Name And Customization Code You must obtain a valid customization code or the IEAK runs only in demo mode. Specify also which title best describes your role in the company: corporate administrator, service provider, or content provider. You must be licensed for your particular role.
2. Platform Options Specify the platform for which you want to build the customized Internet Explorer 5 deployment package. Choices include 32-bit Windows (Windows 9x, Windows NT 4), 16-bit Windows (Windows 3.11, Windows for Workgroups, Windows NT 3.51), and UNIX. Note that different platforms support different features.
3. File Locations Specify a folder on the build server in which the finished package will be stored. By default, this folder is called C:\Builds \mmddyyyy, where mm is the current month, dd is the current date, and yyyy is the current year.
4. Advanced Options By default, Automatic Version Synchronization (AVS) is turned on. This feature provides version information for the various Internet Explorer 5 components you have available so that you can determine whether you have the most recent version of these components. To use AVS, you must be connected to the Internet. If you downloaded the IEAK from the Internet, you must run AVS at least once when you create the first package. You also specify here the folder in which AVS will store its downloaded Internet Explorer 5 components. You can optionally specify an existing .INS file (an IEAK profile) to use as a starting point for a custom package. Settings in the .INS file are imported into the wizard and used as defaults, but you can modify them as desired.
5. Language Selection Specify the localized language to which your customized package will be directed. A package can be customized for only a single language, so if you need pages for several different languages you must run the wizard several times.
6. Media Selection Specify the target medium for the package. This can be any of the following (not all options are available under all licensing schemes):
   • Download From A Web Site On The Internet (Or On An Intranet). For example, users could click a link to start the installation.
   • CD-ROM Distribution (Uses Autorun).
   • Flat. Select this option (which refers to a flat file system) if you want users to download the package from a shared folder on the network. The installation files are all written to the same folder.
   • Multiple Floppy Disks. Service providers can distribute their complete package on a set of distribution floppies, but CD-ROM is generally preferable.
   • Single Floppy Disk. Service providers can distribute a single floppy disk that will connect users to a distribution Web site so that they can download the rest of their package.
   • Single-Disk Branding. This produces a single floppy disk that can be used to brand an already existing Internet Explorer 5 installation with a corporate logo bitmap, Favorites list, and so on.
7. Feature Selection Use this screen of the wizard to specify which features of Internet Explorer 5 and its components you want to customize in succeeding stages of the wizard. (This walkthrough assumes that all options are selected.)

Stage 2: Specifying Setup Parameters

Stage 2 of the wizard, the first screen of which is shown in Figure 30-3, lets you specify which Microsoft download sites you want to receive the Internet Explorer 5 components from and, optionally, to specify any custom software components. The Setup engine is designed to be able to resume after a broken connection and continue downloading at the point at which it was interrupted, which saves time when performing long downloads over unreliable Internet connections.

Figure 30-3. The screen that introduces Stage 2 of the Microsoft Internet Explorer Customization Wizard.

This stage of the wizard takes you through the following screens:

1. Download Locations If you left AVS enabled in the previous stage, you need to specify which Microsoft site you will use for downloading the latest versions of Internet Explorer 5 components. Choose a location that is close to your geographical region.
2. Automatic Version Synchronization Shows the status of each of the Internet Explorer 5 components you currently have available for installation. The first time you run the wizard, all components are displayed with a yellow exclamation point icon, which indicates that you have an older version of this component. After you run AVS, some of the components show up with a green check mark icon, indicating that you have the most recent version of the component, whereas new components available on the Microsoft site you are connected to show up with a red X icon, indicating that you have not yet downloaded those components. You can select a specific component that you want to update and click Synchronize to download it from the Microsoft site, or you can just click Synchronize All.
3. Add Custom Components Allows you to package up to 10 third-party components in an Internet Explorer 5 package. You can include scripts and self-extracting executable programs that you want to distribute to users. You can compress custom components into .CAB files for distribution as well. Applications that will be distributed with Internet Explorer 5 over the Internet should be digitally signed to verify their authenticity to users downloading them.

Stage 3: Customizing Setup

Stage 3 of the wizard, the first screen of which is shown in Figure 30-4, lets you customize the Setup title bar, bitmap, custom component install title, installation options, user install sites, and other information.

Figure 30-4. The screen that introduces Stage 3 of the Microsoft Internet Explorer Customization Wizard.

This stage of the wizard takes you through several screens:

1. CD-ROM Autorun Customization If you specified CD-ROM as the distribution medium, you can specify an Autorun splash screen and a Readme file.
2. Customize Setup Lets you customize how the Windows Update Setup program will appear to users installing the package. You can specify the title bar and bitmap graphic for the Setup screen, as well as other information.
3. Silent Install If you have selected the corporate (intranet) licensing option, you can specify the degree to which users interact with the computer during the installation. The three choices are as follows:
   • Interactive Install Users are prompted to make decisions and enter information during the installation.
   • Hands-Free Install Users are not prompted during the install, but message screens inform users of the progress of the installation and any errors that occur are displayed.
   • Completely Silent Install Users do not even know that the installation is taking place, as no prompts, messages, or errors are displayed.
4. Installation Options Specify which components are included in the installation and provide up to 10 setup options for users to select or deselect components. You can create custom installation options or use the standard ones, which are Minimal, Typical, and Full.
5. Component Download Sites Specify up to 10 different Web or FTP sites from which users can download the package. These can be either corporate intranet or public Internet sites, depending on your licensing scheme. (This option assumes that you indicated that users will perform their installation from a Web site in Stage 2 of the wizard.) For silent installations you can specify only one site.
6. Component Download Customize the URL that is pointed to by the Windows Update option of the Tools menu in Internet Explorer 5.
7. Installation Directory Specify the folder on users' machines where the package will be installed (or leave this decision to users).
8. Corporate Install Options If you selected a corporate installation during Stage 1 of the wizard, this screen provides a number of options. You can disable the Custom Installation option so that users cannot choose which components to install, disable the saving of uninstall information that allows users to revert to their previous version of Internet Explorer, and specify whether Internet Explorer will be the users' default browser (or leave the choice up to them).
9. Advanced Installation Options Allows you to further customize installation by indicating which components will be displayed in the Customize Component Options screen during setup.
10. Components On Media Specify whether components not selected for installation should nevertheless still be installed on the medium to make them available for automatic install later if desired.
11. Connection Manager Customization The CMAK, which is included with the IEAK, is designed to allow administrators to customize and manage Internet connections for users. You can either start the CMAK Wizard at this point to customize a connection or use an existing custom connection profile created earlier with the CMAK. The CMAK is discussed later in this chapter.
12. Windows Desktop Update This option is for corporate administrators only; it allows you to specify whether to include the Windows Desktop Update in the package. You do not need to include this component for users who are currently running Microsoft Windows 98 or later.
13. Digital Signatures Specify whether to digitally sign the package. By using the Certificates snap-in for Windows 2000 Server, you can generate digital certificates and public/private key pairs, acting as your own certificate authority (CA).

Stage 4: Customizing the Browser

Stage 4 of the wizard, the first screen of which is shown in Figure 30-5, asks you to provide information concerning browser customization by specifying a browser title, default home page, search bar URL, online support page, preset list of favorites and links, and other information.

Figure 30-5. The screen that introduces Stage 4 of the Microsoft Internet Explorer Customization Wizard.

This stage of the wizard takes you through the following screens:

1. Browser Title Specify the text that will appear in the title bar of Internet Explorer 5 once the package is installed. For example, if you specify the title bar text as Scribes.com, that text will be displayed in the title bar of users' copies of Internet Explorer 5 as "Microsoft Internet Explorer provided by Scribes.com." You can specify a toolbar background bitmap image here as well.
2. Browser Toolbar Buttons Specify additional custom toolbar buttons that you want to appear on users' browser screens once installed. You can add these additional buttons to existing ones or delete the existing ones first and then add your own buttons. Developers can create new buttons for the toolbar and attach them to scripts and executables. (See MSDN Online for details.)
3. Animated Logo If you don't like the rotating Internet Explorer logo in the top right corner of the browser window, you can replace it with your own animated corporate logo. Specify the path to the bitmap here.
4. Static Logo Here you can specify a static logo to replace the Internet Explorer logo.
5. Important URLs Specify the home page, search bar, and online support page URLs for your customized browser.
6. Favorites And Links This is one of the most useful IEAK options. In this screen you can preconfigure the Favorites folder and Links bar on your customized browser. You can specify individual URLs one by one here, or you can import them from the \Windows\Favorites folder (or some other folder) of any machine that is accessible on the network. Note that, unfortunately, you can import a maximum of only 255 URLs in this way. You can also test each URL prior to creating the package.
7. Channels Specify which custom channels or channel categories you want to include in the package. You need a Channel Definition Format (.CDF) file for each channel. Corporate administrators might want to delete all existing channels for the package if this feature is not used internally on the network.
8. Welcome Page Specify a custom welcome page that is displayed when Internet Explorer 5 is started for the first time, use the default Internet Explorer 5 welcome page, or go directly to the user's home page. Custom welcome pages are specified by entering their URLs.
9. User-Agent String This advanced feature allows you to append a custom string to the user-agent string for Internet Explorer. User-agent strings are part of HTTP and can be used for tracking site visits and other things.
10. Connection Settings Allows you to import connection settings for the package and modify those settings. You can also delete existing settings if any are present.
11. Automatic Configuration Specify a pointer to a configured file on a server that can be used to globally change configuration settings on all stations where you have deployed the package, instead of having to modify these settings on each user's computer. This useful feature reduces the administrative overhead and support costs of managing Internet Explorer on users' desktops. Changes to users' configurations are performed using the IEAK Profile Manager, which is discussed later in this chapter.

    Most settings are specified using an IEAK profile (an .INS file), but special advanced proxy settings can be specified using JavaScript files in .JS, .JVS, or .PAC format. Select the Enable Automatic Configuration option, specify the URL to the .INS file and script files, and specify a time interval in minutes to indicate how often the browser will check for a newer version of the configuration files. If you select the Automatically Detect Configuration Settings option and are using DNS and DHCP on the network, Internet Explorer is automatically customized the first time users start it on their machines. This allows administrators to create Internet Explorer 5 packages that are not fully customized and then have users' copies of Internet Explorer 5 further customized when the users first start the program on their desktops.

12. Proxy Settings Proxy servers are used with firewalls to protect corporate networks over their Internet connections. They can also be used to cache frequently requested Web content and help balance network traffic. Specify your proxy settings for individual Internet protocols like HTTP, Secure HTTP, FTP, Gopher, and Socks Proxy.
13. Security Lets you import CAs and customize Microsoft Authenticode security to allow Internet Explorer 5 security settings to function properly. An additional screen called Security Settings lets you customize different security settings for each zone and customize content ratings.
14. Sign-Up Screens These screens appear only when the service provider licensing option is specified; they allow service providers to specify how their users will sign up for their services and connect to their Internet sites. We won't discuss these options further, because this chapter focuses on corporate deployment of Internet Explorer 5.

Stage 5: Customizing Components

Stage 5 of the wizard, the first screen of which is shown in Figure 30-6, lets you customize additional options for the components you have included in the installation package. You do this by using the System Policies And Restrictions screen, a two-pane view in which the left pane displays a tree view of the various groups and categories of restrictions you can configure, and the right pane shows the options you can configure for the restriction you have selected. The IEAK includes support for importing your own system policy template (.ADM) files for customizing what is displayed here.

Figure 30-6. The screen that introduces Stage 5 of the Microsoft Internet Explorer Customization Wizard.

This stage of the wizard takes you through the following screens:

1. Programs Lets you import current default program settings to specify which Windows program is used for which Internet service. You can specify the programs to use for each of the following:
   • HTML Web page editor (no default)
   • SMTP e-mail client (Outlook Express is the default.)
   • NNTP news client (Outlook Express is the default.)
   • Internet call client (Microsoft NetMeeting is the default.)
   • Calendar client (no default)
   • Contact list (Windows address book is the default.)
2. Outlook Express Accounts Specify the Internet hosts (servers) to which Outlook Express will connect for mail and news services. You can supply a host for each of the following:
   • Incoming mail (POP3/IMAP4) server
   • Outgoing mail (SMTP) server
   • Internet news (NNTP) server

   You can also specify that the applications must log on to any of these servers using Secure Password Authentication, which requires a Security Service Provider Interface (SSPI) provider such as Microsoft NT LAN Manager (NTLM), which is Windows 2000's authentication protocol for Windows NT 4 servers and clients. You can lock down these settings so that users can't change them or modify their Internet accounts.

3. Outlook Express customization screens Specify a custom welcome message that will appear when users first start the program on their desktops. You can also specify Outlook Express as the default mail and news client, indicate newsgroups that will automatically be subscribed to, turn on junk mail filtering, choose which view elements of the program will be enabled by default, specify the signature that will be appended to messages, indicate whether plain text or HTML will be used for sending messages, and other options.
4. Address Book Directory Service Specify additional options for dir-ectory services to be used by the Windows address book. Any LDAP-compliant directory service can be specified here, such as Four11 or Bigfoot on the Internet or Windows 2000 Active Directory on a corporate network.
5. System Policies And Restrictions This screen is a powerful tool that allows administrators to configure and lock down various desktop, shell, and security options for all users in their organization. You can also import policy files to customize the settings you can configure here.

Deploying IEAK Packages

When you've completed the wizard, click Finish to generate and compress the custom installation package files and create the customized version of Internet Explorer 5. The final result will be stored in the appropriate subfolder of the \Builds folder on the build computer. You can then do the following:

• Digitally sign the package (for 32-bit Windows platforms only).
• Prepare your distribution Web site or virtual directory (or network share or some other medium) and create a link to the Ie5setup.exe file that users download and use to install Internet Explorer 5. See Chapter 28 for information on creating Web sites and virtual directories.
• Copy the language version folder and its contents to the appropriate virtual directory on the Web site. For example, if your package is an English language version, you need to copy the contents of the \Builds\mmddyyyy\Download\Win32\En folder on the build machine (assuming a 32-bit package was created) to the appropriate virtual directory on the Web server.
• Copy the Ie5sites.dat file, which points to the download sites you specified during the wizard. This file is typically found in the IEAK profile folder for that package on the build machine—for example, \Builds \mmddyyyy\Ins\Win32\En.
• Notify your users of the Web page (or other medium) they need to visit so that they can install the package by clicking a specified link to the Ie5setup.exe file.
• If you want to later manage users' Internet Explorer 5 configurations automatically, using the IEAK Profile Manager, you need to copy the IEAK profile (the .INS file) for your build to the URL you specified during the wizard.

IEAK Profile Manager

The IEAK Profile Manager is a tool for modifying and maintaining the IEAK profile associated with a particular package. The profile specifies the configuration settings for the package, and the Profile Manager lets you modify any aspect of that profile. Furthermore, if you didn't enable automatic configuration when you created the package with the Internet Explorer Customization Wizard, you can enable it later using the Profile Manager.

The Profile Manager works by allowing you to open a selected .INS file (an IEAK profile), make changes to it, and save the result. The Profile Manager also maintains the companion files to the .INS file, which are stored in the same folder as the .INS file for that package. Two basic types of settings can be configured using the Profile Manager:

• Wizard settings Administrators can modify any settings that were specified during Stages 2 through 5 of the Internet Explorer Cus-tomization Wizard.
• Policies and restrictions These settings refer to users' desktop, shell, and security settings (system policy settings), which were specified in the System Policies And Restrictions screen of the Internet Explorer Customization Wizard (step 5 under "Stage 5: Customizing Components" earlier in this chapter.

Using Profile Manager

To start the IEAK Profile Manager on the build computer, click Start, point to Programs, point to Microsoft IEAK, and choose IEAK Profile Manager. This opens the IEAK Profile Manager main window. You can either import an existing .INS file or create a new one. Figure 30-7 shows a file that has been imported from a package located on the build computer.

Figure 30-7. The IEAK Profile Manager.

The IEAK Profile Manager window cannot be resized and should be displayed on screens with a resolution of 800 by 600 or higher.

Using the Profile Manager is straightforward: Simply select the type of wizard or policy settings you want to modify in the left pane of the window and make the appropriate modifications in the right pane. Save the results when finished (or use Save As to keep the existing .INS file while creating a new one with the new settings). Be sure to test the new configuration on a test machine before deploying it on the production site, where users' machines can be updated using autoconfiguration.