Posts tagged ‘Internet Explorer’

Hotfix: IE 8 restores the search provider settings when the "Prevent Internet Explorer Search box from displaying" Group Policy setting is enabled

A new hotfix (KB2171141) is out from Microsoft that resolves an issue with the IE8 search provider when the “Prevent Internet Explorer Search box from displaying” policy is enabled (see image below).

image

This policy will remove the search box from Internet Explorer (see image below).

image

But then when a user logs on to the computer for the first time they are prompted to set up their default IE settings and then they will get this error message (see image below).

image

It also looks like this hotfix is probably not going to be in Windows 7 Service Pack 1 as it is not listed in the complete list of hotfixes.

To download the hotfix and to get more info visit Internet Explorer 8 restores the search provider settings when the “Prevent Internet Explorer Search box from displaying” Group Policy setting is enabled

How to use Group Policy to Allow or Block URLs

This is another article I have written that addresses the commonly asked question on the Group Policy forum as to how you can use Group Policy to block or allow user access to specific web site URLs. It goes without saying that the most effective way to implement content filtering for the internet is to maintain a list of sites on your proxy server/firewall in your organisation. However you might not have any proxy or firewall that can do this, and this method is also not effective when a user is connected to the internet outside the corporate network.

Luckily there is an option in the Internet Explorer Maintenance group policy section that allows you to configure an allow/never list of URLs for your users. If you are configuring this option I also suggest you check out one of my other articles, How to configure AppLocker Group Policy in Windows 7 to block third-party browsers, to prevent users from running non-IE browsers to get around this restriction, as this is an IE-only policy setting.

How to configure Internet Explorer to Allow and Block URLs

Step 1. Edit a Group Policy Object (GPO) that applies to the users you want to configure URL blocking.

Step 2. Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security and then click on the “Security Zones and Content Ratings”

image

Step 3. Select “Import the current Content Ratings settings” and then click on the “Modify Settings” button

image

Step 4. Click on the “Approved Sites” tab

image

Step 5a (Black List). Type the name of the URL that you want to block in the “Allow this website” text field and then click “Never” then “OK”

image

Step 5b (White List). However if you are trying to maintain a white list of URLs then type the name of the site you want to allow in the “Allow this website” text field and then click “Always” then “OK”

image

Note: You will probably want to add the internal domain name of your company’s AD to the Allow list as well to ensure users can access the intranet web sites. Also note that while wildcards are supported in the URLs, adding just the URL “*” does not work. While this would be very handy to configure a white list, I will show you how to get around this restriction in further steps below.

Now we have to create a supervisor password that will be used for making any subsequent changes to the Allow/Never URL list. This password can also be used by the user (if they know it) to work around these URL restrictions. However as this password is applied by policy it will be the same password for all users, so think about changing the password often.

Step 6. Type the same password in both the “Password” and “Confirm Password” fields and type a hint in the “hint” field. You could also type something like “To get this password please contact the help desk on 5555-5555”.

image

By default when you enable the Content Advisor it will automatically block any web site that does not have a rating configured. Therefore you will want to turn this blanket restriction off in step 8 if all you are trying to do is block specific URLs in a black list configuration.

Step 8 (Black List). Tick “User can see websites that have no rating” then click “OK”

image

Note: For white list configuration leave the “User can see websites that have no rating” un-ticked so that all web sites will be blocked.

image

Step 9. Click OK

image

Done.

If you configured a black list then a user will be allowed to go to all web sites except the URL that you specifically blocked. When the user does hit a web site that is blocked they will be presented with a dialogue box explaining why they are not able to visit the web site and an option to visit the site only if they know the supervisor password.

image

If they click Cancel nothing will happen and if they press OK they will get presented with this dialogue box.

image

Below is another example message, presented when visiting a site without a rating when you have configured the policy not to load sites that do not have a rating. You will see this if you have configured a white list.

image

If you are using a white list configuration, users will still be able to visit a site so long as it is ICRA3 rated and it does not report as having content that falls into any of the rating categories. Therefore this method is not 100% effective for a white list strategy, but if you do find your users visiting a site that is not specifically allowed then you can simply add it as a blocked URL.

Related Resources:

If you have played with this setting and are looking for a way to remove this setting from the group policy then see my posting How to remove imported Internet Explorer Group Policy Settings

You will also find that the computer you have made these URL restrictions on will now have the supervisor password set (I assume it’s something about how IEM GPMC interacts with the local computer), so to remove the IE supervisor password just delete the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings key and it will reset the Content Advisor settings back to defaults.

How to use Group Policy to configure home page settings – Part 3

I know a lot of people have asked for this third and final instalment on how to use Group Policy to manage home page settings and so I have finally been able to find some time to finish this series of posts.

Just to recap in Part 1 I showed you how to configure home page setting using the administrative templates native policy and in Part 2 I showed you how to do this using Group Policy Preferences.

In this post I will show you how to configure Internet Explorer home page settings using the Internet Explorer Maintenance (IEM) group policy setting option. The IEM policy setting has been in Group Policy since the very beginning and is now a deprecated setting, as you can tell by the various other methods of configuring home pages outlined in Part 1 and Part 2. So if you are configuring this as a new setting definitely look at using the native Administrative Template or Group Policy Preferences first.

However the one advantage of using IEM is “Preferences Mode”…… Huh… I hear you… Well this is the OTHER Group Policy Preference (see below) and this option only applies to Internet Explorer Maintenance settings. The advantage of the Preferences Mode settings is that once the home page is configured the user will be able to change the home page to their own “Preference”.

(Now this might seem alright, however you need to wait till the end to find out why this is really cool…)

image

To configure the home page edit a Group Policy Object (GPO) that is targeted to the users you want to configure. Then navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > URLs and double click on “Important URL”.

image

Now simply tick “Customize Home page URL” and type the URL you want configured as the home page in the “Home page URL:” text box.

image

Now the user’s home page will be configured to the URL you configured above.

image

Now this is the SUPER COOL thing about this setting… If you have enabled Preferences Mode and you configured the “Disabled changing Secondary Home Pages setting” that I talked about in Part 1, your users will be able to change the Primary Home page but you can still force the URL of any of the secondary home page tabs (see image below where the user has changed the Primary home page to Yahoo but the Google Secondary page remains). AWESOME!

image

Note: If you already have a setting configured in IEM then you will first need to “Reset Browser Settings” before you can enable “Preferences Mode”, which you can do by following these instructions: How to remove imported Internet Explorer Group Policy Settings

For more information on Preference Mode see http://support.microsoft.com/kb/274846

For more information on Internet Explorer Maintenance setting see  http://technet.microsoft.com/en-us/library/cc728150(WS.10).aspx

How to mitigate the SharePoint XSS security issue with Group Policy – KB983438

There is currently a Cross Site Scripting issue with SharePoint 3.0 and 2007 which could allow someone to maliciously run an arbitrary script that could allow elevation of privilege in the SharePoint site. There is currently no hotfix out for this issue; however you can mitigate it by enabling the XSS Filter in Internet Explorer 8. Unfortunately this is not turned on by default for the Intranet Zone, which is how the majority of SharePoint sites are accessed. So if you are an IT administrator and you want to protect against this issue before Microsoft releases a hotfix then below are the instructions showing how to enable this via Group Policy.

Step 1. Edit the Group Policy object that applies to all the user accounts for which you want to mitigate this issue.

Note: If you want complete coverage of all users in your organisation then make this change in the default domain policy or another policy linked to the top of the domain.

Step 2. Navigate to User Configuration > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone and enable the “Turn on Cross-Site Scripting (XSS) Filter” setting, then ensure you set the drop down menu to “Enabled” then press OK.

image

To confirm the setting is applied you should now see that the “Enable XSS filter” option is configured to “Enabled” and it is greyed out as the setting has now been configured by group policy.

image

Unfortunately this setting cannot be enabled via Group Policy Preferences; as you can see, it does not have the XSS filter option.

 image

To keep up to date with this issue and for more information see http://blogs.technet.com/msrc/archive/2010/04/29/security-advisory-983438-released.aspx and http://www.microsoft.com/technet/security/advisory/983438.mspx

How to remove imported Internet Explorer Group Policy Settings

If you have ever configured your Internet Explorer settings via the “Internet Explorer Maintenance” group policy setting you might be wondering how to remove these settings now that you have found a few easier ways to do the same thing. Well it’s not all that obvious, but if you go to User Configuration > Policies > Windows Settings, right click on "Internet Explorer Maintenance" and click "Reset Browser Settings", you are done…

image

How to use Group Policy to mitigate security issue KB981374

There is currently a security advisory out about a Zero Day vulnerability in Internet Explorer 6 & 7 on Windows XP and Vista. While there is no patch out for this issue so far, you can mitigate it in a number of ways using Group Policy. Below I have listed two ways to implement the workarounds listed by Microsoft using Group Policy.

Method 1. Modify the Access Control List (ACL) on iepeers.dll

Step 1. Edit a Group Policy Object (GPO) that is targeted to the computer accounts you want to apply this setting to. Then navigate to Computer Configuration > Windows Settings > Security Settings > File System.

image

Step 2. Click on “Action” in the menu and then “Add File…”

image

Step 3. Type “%WINDIR%\System32\iepeers.DLL” into the Folder: field then click “OK”

image

Step 4. Click “Add” and then add the “Everyone” group and click “OK”

image

Step 5. Tick the Full Control “Deny” tick box. This will then tick all the Deny tick boxes.

image

Step 6.  Click “Yes” to the Deny warning.

image

Step 7. Click “OK” to the permissions option.

image

Note: If you want to apply this to x64 versions of Windows as well, repeat steps 2 through 7 but type “%WINDIR%\SYSWOW64\iepeers.DLL” instead in the Folder: field.

image

You have now denied permissions to the file that has the issue.

image

Once you have applied the patch to fix this vulnerability be sure to go into each of the file security settings and remove the “Everyone” deny permission from the setting.

Method 2: Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

 

Step 1. Edit a GPO that is targeted to the user accounts you want to apply the security setting to. Then enable the “Allow active scripting” setting under User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Page > Internet Zone and the Intranet Zone. Then configure the Options to either “Prompt” or “Disable”.

image 

Once you have performed the above configuration changes be sure to add *.windowsupdate.microsoft.com, *.update.microsoft.com and any other site you require to run Active Scripting on to the trusted sites zone list. Instructions on how to do this can be found here How to use Group Policy to configure Internet Explorer security zone sites

Disclaimer: I do not guarantee that this information will work. All the above information is to be used at your own risk.

For more details on the security vulnerability and other ways to mitigate this issue see Microsoft Security Advisory (981374)
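
The two zone-setting mitigations on this page (the XSS Filter for the Intranet Zone from the KB983438 post, and Active Scripting from Method 2 above) can be confirmed from the registry rather than by opening Internet Options on each machine. The PowerShell below is an added example, not part of the original posts or of Microsoft's guidance; the policy registry path and the URL-action IDs 1400 and 1409 do not appear on this page and are assumptions based on how Internet Explorer stores zone policy.

```powershell
# Added example (not from the original posts). Run as a user the GPO targets,
# after "gpupdate /force". Assumed, not stated on the page: user zone policy is
# stored under the HKCU path below, and the URL-action IDs are 1400 (Active
# Scripting) and 1409 (XSS Filter), with 0 = Enable, 1 = Prompt, 3 = Disable.
$PolicyZones = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneName    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$StateName   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# One row per zone setting the two mitigations are expected to leave behind.
$Checks = @(
    @{ Advisory = '983438'; Setting = 'XSS Filter';       Action = '1409'; Zone = 1; Accept = @(0) }
    @{ Advisory = '981374'; Setting = 'Active Scripting'; Action = '1400'; Zone = 3; Accept = @(1, 3) }
    @{ Advisory = '981374'; Setting = 'Active Scripting'; Action = '1400'; Zone = 1; Accept = @(1, 3) }
)

function Get-ZonePolicyValue {
    param([int]$Zone, [string]$Action)
    # Returns $null when policy has not written this value for the current user.
    $item = Get-ItemProperty -Path (Join-Path $PolicyZones $Zone) -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Action
}

function Get-ZoneMitigationStatus {
    foreach ($c in $Checks) {
        $value = Get-ZonePolicyValue -Zone $c.Zone -Action $c.Action
        if ($null -eq $value) {
            # A missing value must not be read as 0 (Enable), so handle it first.
            $state = 'not set by policy'; $ok = $false
        } else {
            $state = if ($StateName.ContainsKey($value)) { $StateName[$value] } else { "unknown ($value)" }
            $ok = $c.Accept -contains $value
        }
        [pscustomobject]@{
            Advisory  = $c.Advisory
            Zone      = $ZoneName[$c.Zone]
            Setting   = $c.Setting
            State     = $state
            Mitigated = $ok
        }
    }
}

Get-ZoneMitigationStatus | Format-Table -AutoSize
```

A row reading “not set by policy” means the GPO has not reached that user, and because the values live under HKCU the result covers only the account running the script.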

Hotfix: “Configure new tab page default behavior” does not work

Microsoft have just released a hotfix (KB980959) to fix the problem with the “Configure new tab page default behavior” group policy setting not working for Internet Explorer 8. Apparently the Inetres.admx had the wrong path configured: the path is configured to “Software\Policies\Microsoft\Internet Explorer\Main” where it should be configured to “Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabbedPageShow”. If you want to see the setting for yourself just look for the text “NewTabAction” in the Inetres.admx file.

image

For details on getting the hotfix, see the full article “The “Configure new tab page default behavior” Group Policy setting does not work on a computer that is running Windows 7 or Windows Server 2008 R2 and that has Internet Explorer 8 installed” here: http://support.microsoft.com/?kbid=980959