This week's post is from Carl Luberti, a Senior Support Escalation Engineer with the Internet Explorer team.
To start, I wanted to address that Internet Explorer 8 has over 1300 Group Policy entries that can be configured, which is great for keeping your environment managed and safe. That can also create some challenges in wrapping your head around all of the possibilities, so I wanted to begin with a list of 10 entries that are usually the most asked-about control locations for IE8 from a support perspective. Hopefully, this will give a bit of a "jumping off" point to managing Internet Explorer with Group Policy. It's one of the most powerful features of using Internet Explorer 8 in an Active Directory domain, so I want to make this easier to use and understand.
1. Data Execution Prevention (DEP)
I'll start at the top, with Data Execution Prevention (DEP) configuration in Internet Explorer 8. Because browsers are the gateway to the internet, I think it wise to look at the Data Execution Prevention policy setting for Internet Explorer 8. By default, Internet Explorer 8 opts in to DEP on platforms that support the SetProcessDEPPolicy API, which means Windows XP SP3 systems and Windows Vista SP1 / Server 2008 and higher systems. DEP is useful in that it helps to foil attacks by preventing code from running in memory that is marked non-executable, which helps mitigate certain types of attacks, such as buffer overrun attacks, that rely on placing executable code in areas of memory not marked as executable.
This behavior can be configured in Group Policy, whether you want to make certain that IE8 opts in or you want to disable DEP opt-in for IE8. It can be found as a policy item under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\, called "Turn off Data Execution Prevention":
Note that if the Operating System that IE8 is running on is configured to opt in to DEP for all processes, then this policy setting has no effect and DEP is enabled for IE unless it is configured here as an opted-out process:
2. SmartScreen Filter
Another area of security in Internet Explorer 8 that is configurable from Group Policy is the SmartScreen Filter, which is used to help prevent phishing attacks and block access to sites that are flagged as malware hosting sites. This setting is configured per zone, which means you can configure SmartScreen scanning to be enabled or disabled for each individual security zone. For example, you could have it enabled for the Internet Zone, but disabled for the Trusted Sites zone. By default, if the SmartScreen filter is not configured from Group Policy, the user has control over whether or not it is enabled, and also whether or not to visit a site anyway if SmartScreen determines a site is to be blocked. However, if this is configured from Group Policy, the user cannot visit a site listed as blocked, and cannot configure the SmartScreen Filter or bypass its settings. This setting can be found as a policy item in each named security zone folder under \Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page, called "Use SmartScreen Filter":
3. Site to Zone Assignment
The Site to Zone assignment list allows you to configure which security zone a particular site should render in, allowing you to configure how restrictive or relaxed security settings should be for a particular site based on the settings of the security zone the site renders in. This policy allows you to ensure that the security settings for the specified zone are applied to the site. Additionally, you can apply granular control over a site in a zone if desired, including control over whether a specific protocol is to be checked for a site, whether a specific site within that domain is to be specified, or whether the entire domain should exist in a particular zone regardless of which protocol or site is specified in that domain. You can also use this to specify which sites will reside in the Restricted Sites zone, as part of a defense-in-depth strategy – sites that you do not trust can be placed in this most restrictive zone, which uses the “HIGH” security zone setting by default. This setting can be found as a policy item under \Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page, called "Site to Zone Assignment List":
Note that if you enable the Site to Zone Assignment List policy, users no longer have control over adding or removing sites from this list, and it becomes completely controlled by Group Policy. If you disable the policy, any list on the client is deleted and no specific site assignments are permitted.
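The three settings above are the ones most worth auditing on a managed client. The following PowerShell script is an added example, not part of the original post or of any Microsoft tooling: it reads the policy registry locations that the IE8 administrative templates write and reports the effective state of the DEP, per-zone SmartScreen and Site to Zone Assignment policies. The key and value names (DEPOff, zone action 2301, ZoneMapKey) are assumptions based on the IE8 Group Policy Settings Reference rather than values quoted in this post, so confirm them against that reference before relying on the output.

```powershell
# Added example (not from the original post): audit IE8 DEP, SmartScreen and
# Site to Zone Assignment policies. Registry names below are assumptions
# taken from the IE8 administrative templates; verify against the Settings Reference.
$ErrorActionPreference = 'Stop'

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft'
$IeMain     = Join-Path $PolicyRoot 'Internet Explorer\Main'
$Zones      = Join-Path $PolicyRoot 'Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = Join-Path $PolicyRoot 'Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Zone numbers as used by the Site to Zone Assignment List (assumed mapping).
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy was never configured (key or value absent).
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. "Turn off Data Execution Prevention": assumed value DEPOff, 1 = IE8 opts out.
$depOff = Get-PolicyValue -Path $IeMain -Name 'DEPOff'
if ($null -eq $depOff) {
    Write-Output 'DEP policy: Not Configured (IE8 opts in on platforms that support SetProcessDEPPolicy)'
} elseif ($depOff -eq 1) {
    Write-Warning 'DEP policy: Enabled -> IE8 opts OUT of DEP; review this exception'
} else {
    Write-Output 'DEP policy: Disabled -> DEP opt-in is enforced for IE8'
}

# 2. "Use SmartScreen Filter" per zone: assumed action value 2301, 0 = use, 3 = do not use.
foreach ($zone in 1..4) {
    $value = Get-PolicyValue -Path (Join-Path $Zones ([string]$zone)) -Name '2301'
    if ($null -eq $value)  { $state = 'Not Configured (user controls the filter)' }
    elseif ($value -eq 0)  { $state = 'Enabled (user cannot bypass blocked sites)' }
    elseif ($value -eq 3)  { $state = 'Disabled' }
    else                   { $state = "Unexpected value $value" }
    Write-Output ('SmartScreen [{0}]: {1}' -f $ZoneNames[$zone], $state)
}

# 3. Site to Zone Assignment List: one REG_SZ value per site, data = zone number.
if (Test-Path -Path $ZoneMapKey) {
    $sites = (Get-Item -Path $ZoneMapKey).Property
    if (-not $sites) { Write-Output 'Site to Zone Assignment List: Enabled but empty' }
    foreach ($site in $sites) {
        $zone  = [int](Get-ItemProperty -Path $ZoneMapKey -Name $site).$site
        $label = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "zone $zone" }
        if ($zone -eq 2) { Write-Warning ('Site to Zone: {0} -> {1} (relaxed settings; confirm it is trusted)' -f $site, $label) }
        else             { Write-Output  ('Site to Zone: {0} -> {1}' -f $site, $label) }
    }
} else {
    Write-Output 'Site to Zone Assignment List: Not Configured (users manage their own zone lists)'
}
```

Run it in an elevated prompt on a domain-joined client after `gpupdate /force`; user-scoped versions of these policies live under the HKCU:\SOFTWARE\Policies hive and can be checked by swapping `$PolicyRoot`.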
4. Home Page Settings
Configuring the user’s home/start page has been a feature of policy since Internet Explorer 5, and to go along with the new ability to configure multiple secondary start pages with Internet Explorer 8 there is a policy to configure both the initial start page and any secondary start pages that are desired. Each secondary start page is loaded in a separate tab from the initial home/start page when the browser is run, although it is worth noting that if you configure the initial start page or any secondary start pages in Group Policy the user can no longer set or modify any start pages from the Internet Explorer options. These settings can be found as policy items under \Administrative Templates\Windows Components\Internet Explorer, called "Disable changing home page settings" (configuring the default start page) and “Disable changing secondary home page settings”:
5. First Run Customize Settings
Internet Explorer 8 by default runs through the “First Run Customize” wizard when a user starts the new browser for the first time, and quite a few admins like to prevent this from running as they’ve already configured user settings, whether that be via Group Policy, the IEAK, logon scripts and registry values, etc. This can be configured in Group Policy so that the user does not see the First Run Customize wizard, but is instead shown their default home page (and any subsequent start pages on separate tabs), and can be found as a policy item under \Administrative Templates\Windows Components\Internet Explorer called “Prevent performance of First Run Customize settings”:
6. Suggested Sites
Suggested Sites is a new feature of Internet Explorer 8 that can recommend sites a user may wish to visit based on the user’s browsing activity, and an admin may wish to control this behavior in a domain environment due to the fact that the user’s site visit history is sent to Microsoft on a periodic basis when this feature is enabled (privacy information on this and other features can be found here). This setting can be found as a policy item under User Configuration\Administrative Templates\Windows Components\Internet Explorer called “Turn on Suggested Sites”:
7. New Tab Settings
Some administrators like to configure what Internet Explorer opens when a new tab is created, and with Internet Explorer 8 this is configurable via Group Policy. You can specify that when a user opens a new tab, one of three things happens: the tab opens a blank page (about:blank), the “new tab page” (which is the default behavior), or the user's primary start page. This can be found as a policy item under \Administrative Templates\Windows Components\Internet Explorer called “Configure new tab page default behavior”:
8. InPrivate Browsing and InPrivate Filtering
InPrivate browsing is a feature in Internet Explorer 8 that allows a user to browse leaving virtually no traces of the web browsing actions performed in an InPrivate session, including preventing the browsing history, temporary internet files, cookies, usernames and passwords, etc. from being stored and retained locally by the browser. An administrator might not want users to be able to utilize InPrivate browsing, or they may wish to have some control over the defaults of InPrivate browsing, like whether or not toolbars or browser helper objects (BHOs) are loaded during an InPrivate session, or whether or not InPrivate Filtering is disabled or available for use. These policy items can be configured via a number of entries under \Administrative Templates\Windows Components\Internet Explorer\InPrivate and \Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History:
More detailed information about InPrivate browsing and filtering can be found here.
9. Compatibility View Settings
Compatibility View is a feature that allows the browser to display a web page that may not render correctly in the default Internet Explorer 8 Standards Mode using a mode that is more compatible with content not necessarily written to common Internet standards. This allows the browser to provide greater compatibility with these sites, although standards mode Web pages viewed under Compatibility View will render in Internet Explorer 7 Standards Mode rather than Internet Explorer 8 Standards Mode, so newer content written to common Internet standards may not display correctly in this mode.
This particular feature can be configured in Group Policy amongst a number of policy items that control whether or not this feature is enabled and forced for all sites that the user may visit, whether it is enabled for the Local Intranet zone (the default behavior) or whether the browser should use the latest Internet Explorer Standards Mode for the Local Intranet zone, a list of sites to be explicitly viewed under Compatibility View, etc:
10. Maximum Number of Connections per Server (for AJAX)
Internet Explorer uses a configured number of maximum persistent connections per server per session for both HTTP 1.0 and HTTP 1.1 connections, and in Internet Explorer 8 the control for this behavior has been modified so that it is configurable via Group Policy. By default, Internet Explorer 8 uses a maximum of 6 persistent connections for HTTP 1.1 and HTTP 1.0 server connections when over a high-speed or broadband connection, and a maximum of 2 persistent connections for HTTP 1.1 and 4 persistent connections for HTTP 1.0 server connections when over a low-speed or dial-up connection. It is worth noting that this is an increase from previous versions of Internet Explorer, which used 2 maximum persistent connections for HTTP 1.1 and 4 persistent connections for HTTP 1.0 server connections regardless of connection speed. These settings can be found as a set of policy items under \Administrative Templates\Windows Components\Internet Explorer\Security Features\AJAX:
More information about this change and why the decision was made to increase maximum persistent connections in Internet Explorer 8 can be found here.
If you want to learn more about Group Policy and Internet Explorer 8, or get a Group Policy Settings Reference that describes each and every policy item and its location in policy and the registry, the following links should be of assistance:
- Group Policy and Internet Explorer 8
- Internet Explorer 8 Deployment Guide
- Group Policy Settings Reference for Windows Internet Explorer 8
- Internet Explorer 8 Readiness Toolkit