Group Policy Central » Internet Explorer

Using Firefox in the Enterprise? Really! Have you heard of IE?

Alan Burchill — Sun, 26 Jun 2011 23:56:13 +0000

There has been a lot of talk in the news recently around how Mozilla have changed support gears are are now releasing a new browser version every few month. The affect of this is that a lot of enterprise customers (such as IBM) using Firefox aren’t even finished testing before the next version is released. While corporate customers using Firefox 3.6 are still supported, it would seem that this may not be for long due to the “cost benefit trade” for Mozilla to play in the Enterprise.

This has of course prompted Microsoft to starting pushing IE to the corporate customers say “’We’ve got a great solution for corporate customers with both IE8 and IE9”

So to illustrate this I have graphed the number of days that Microsoft supports Internet Explorer compared to Mozilla’s Firefox 4.

Note: I assume that IE9 will not have extended support lifecycle as it was NOT released as part of Windows 7.

Certainly having to support IE6 for over 9 years is a major commitment for Microsoft especially when there are so many security issues… But even while Microsoft encourages users to stop using IE6 http://www.theie6countdown.com/ they continue to support IE6 as promised for the long haul and are certainly not going to be “forcing” anyone to upgrade any time soon. For this reason, plus Internet Explorers excellent out of the box group policy support (for third party see Policy Pak), is why I think IE is hands down best browser for any corporate environment….

How to enable IE Quirks Mode with Group Policy

Alan Burchill — Thu, 26 May 2011 10:00:00 +0000

If you are looking at moving to Windows 7 or you are looking upgrading IE6 in your organisation you have probably discovered that a lot of your intranet web sites don’t work properly. Well apparently 80% of IE app compatibility issues are cause by website that do not have the header as the with IE8 (See below).

This problem is due to a bug in IE6 that it ignores the if it is not on the first row and then default back to rendering the page in Quirks mode. The problem is that newer browsers do read this tag if it is not on the first line and it then starts to renders the page in standards mode as requested. So to address this issue Microsoft have released a hotfix for IE8 and include in IE9 a feature that lets you force pages to render in Quicks Mode thus ignoring the line.

A webpage is not displayed correctly in Internet Explorer when any of the following is true:

You use Windows Internet Explorer 8 Standards mode to browse the webpage.

You enable Compatibility View in Internet Explorer 7 to browse the webpage.

Additionally, if you do not have the permissions to implement the Meta tag or the HTTP header for browser emulation, you cannot force the browser to work in QUIRKS mode from the client-side.

Microsoft KB A webpage is not displayed correctly when you browse the webpage by using Internet Explorer 8 Standards mode or Compatibility View in Internet Explorer 7

Once you have the hotfix deployed or you have installed IE9 on your computers you can then use the policy “Use Policy List of Quirks Mode sites” under Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\QuirksPolicyList to add specific sites to render as quirks mode.

This will now force your browser to render the page using IE5.5 (a.k.a. Quirks) mode so that the page now renders correctly.

TIP: If you are still having issues with your Intranet pages not working correctly one of the other big compatibility fixes you can try is to make sure that the page is properly placed in the “Intranet Zone”. For instructions on how to do this see my other post How to use Group Policy to configure Internet Explorer security zone sites .

Thanks to Chris Jackson “The App Compat Guy” for his TechEd 2011 video that had the details for me to write this article at http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL315

9 reasons to install IE9 on your Servers

Alan Burchill — Tue, 15 Mar 2011 13:00:00 +0000

Microsoft have just released Internet Explorer 9 to the web and so Windows users around the world will now be truly able to enjoy the “Beauty of the Web”. While IE9’s hardware acceleration and new un-cluttered UI is really enjoyable for consumers this browser also has a number of new features that makes it very compelling to install on your servers. So below I have listed 9 reasons why you should also consider deploying IE9 to your servers in your organisation…

#1 Group Policy – Internet Explorer 9 is still the only browser that has comprehensive Group Policy Support with over 1500 setting. This allows you as an administrator to have the power to configure the browser on their servers to ensure they are correctly and securely configured.

#2 Memory Security Enhancements – As administrator we sometimes find our self having to use the internet on a server probably to look up an error message or to download some tool we need to install to complete out work. IE8 by default has ASLR (Address Space Layout Randomization) and DEP/NX (Data Execution Prevention / No eXecute) enabled by default which provided very good protection for the browser. However even with these two layers of protection Stephen Fewer at Pwn2Own 2011 was able to get around this security by using a combination of not 1, not 2 but 3 different vulnerabilities.

But Microsoft then quickly tweeted out that the same attack would not work on IE9 RC. While there are no details as to why the IE9 RC browser was not vulnerable to the same attack certainly the additional protection of having been compiled with SafeSEH (Safe Structured Exception Handling) would have helped.

“(SafeSEH) helps ensure that structured exception handling cannot be used as an exploit vector”

More info see http://blogs.msdn.com/b/ie/archive/2011/03/07/internet-explorer-9-security-part-1-enhanced-memory-protections.aspx

#3 Tab Isolation – Tab Isolation or hang recovery is another feature of IE9 that allows you to keep using your browser when a particular web pages causes IE to crash. While this is generally just an inconvenience for users on workstations this can be a life saver if you are on a server as your browser will now more likely to only lose your work in your current tab rather than the 11 other things you were doing in the browser at the same time.

#4 Simpler UI – Using a browser on a server is a lot different experience than on a workstation. You really don’t need fancy tool bars in your browsers to do your job and some times you have limited screen resolution as you might be working on the server via a console with only a 1024×768 screen resolution due to not having the proper video card drives loaded. Therefore the new simpler, cleaner and smaller UI makes give you more real-estate on screen for you web pages and a lot less clutter getting in the way than any other browser.

However if you are a fan of the clutter however you can still enable your toolbars and menu bars.

For more info see http://blogs.msdn.com/b/ie/archive/2011/02/15/user-experiences-listen-learn-refine.aspx

#5 ActiveX Filtering – Browser add-on’s and ActiveX control are just a bad idea on servers. Weather it is slow performance due to the bloat of running so many add-on products or its the multiple security vulnerabilities that make add-on the new security attack vector. Therefore the new ActiveX Filtering that allows you run ActiveX controls in an opt-in mode meaning you only explicitly run the controls you trust. This setting is not on by default but you can enabled using the “Turn on ActiveX Filtering” group policy (see image below and point #1).

#6 Web Tracking Protection – Almost all sites on the Internet (this site included) have some sort of embedded web tracking to allow site owners monitor the activity of their visitors. However if you are using your browser on a server it is not desirable that you activities are tracked. To help with this problem IE9 has introduced a feature called Web Tracking Protection that allow users to block certain third party web sites. Therefore an administrator can subscribe to a third party tracking lists or even create their own to prevent their browser from contacting any undesirable web sites from the client.

#7 Add On Performance Monitor – I know that in #5 I said that installing browser add-on’s on a server is a bad idea however sometimes this is just a necessary evil. In this case IE9 will monitor your add-on performance and give you a warning when any of them are running slow and then let you selectively disable them (see below).

#8 Automatic Update – It holds true that all web browsers will need updating on a regular basis as they are the most exposed attack surface on your computer. However Internet Explorer is the only one that is integrated with Windows Update, allowing you to use the same standard update and reporting process. This means that that reporting tools such as WSUS or SCCM can give you a status reports as to see what computers still have out of date software and thus make sure all your software is up to date without any slipping through the gate. This helps avoids a scenario that I am sure that many IT admins can relate to of logging on to a server only to see that a grossly out of date versions of Adobe Read installed because no one ever new it was installed and had to be updated…

#9 Install Updates without reboot – and saving the best for last, this reasons is the BIG ONE!!!! Also continuing on from #8 and as I previously mentioned you no longer to you need to reboot your server to install updates to your browsers (see image below). Gone are the mandatory reboots of the server you have had to endure every month after patch Tuesday which will make your life SO MUCH EASIER!!!

Note: You will need to be running Windows 2008 R2 service pack 1 to be able to do this so it is not going to help if you are still running Server 2008 (sorry).

As I mentioned before there is of course many other reasons why IE9 is such a great product for consumers that I have not talked about (hardware acceleration, video tag support, Aero Snap and Pinned sites) however as you can see this is still a compelling for your server as well…

Did I mention no reboots to install updates!!!

Internet Explorer 9 Group Policy Settings

Alan Burchill — Tue, 15 Mar 2011 10:51:57 +0000

Well the wait is over and Microsoft today released the final version of Internet Explorer 9 to the web at http://windows.microsoft.com/ie/ . Since the release of the IE9 Release Candidate there have been a few more Group Policy added (see Internet Explorer 9 (RC) Group Policy Settings) so below is an updated list of each IE9 Group Policy settings with a related screenshots.

Internet Explorer 9 Administrative Templates

Interesting enough according to the page TechNet: Group Policy Settings the “Configure Tracking Protection Lists”, “Go to an intranet site for a single word entry in the Address bar” and “Enable alternative codecs in HTML5 media elements” setting should exist however there are no were to be found…

Prevent users from bypassing SmartScreen Filter’s applications reputation warnings about files that are not commonly downloaded from the Internet

Prevent Deleting Download History

Disable add-on performance notifications

Allow Internet Explorer 8 Shutdown Behavior

Install binaries signed by MD2 and MD4 signing technologies

Automatically enable newly installed add-ons

Turn off Managing SmartScreen Filter

Prevent configuration of search from the Address bar

Turn on ActiveX filtering

Enable alternate codecs in HTML5 media elements

Prevent Deleting ActiveX Filtering and Tracking Protection data

Tracking Protection threshold

Turn off Tracking Protection

Disable Browser Geolocation

Turn off ability to pin sites

Show tabs on a separate row

Internet Explorer 9 Maintenance Settings

Once you install IE9 on the computer you manage your group policy on you will also find your IE9 Maintenance settings have been updated to reflect the newer settings.

Note: The “Manage add-ons” buttons here is currently the only way you can configured “Tracking Protection” lists (see example below). However you first need to add the list to your browser Tracking Protection list before you press the “Manage add-on” button.

Updated: Internet Explorer 9 Group Policy Preferences

Currently there is no native (supported) way to use Group Policy Preferences with IE9 however you can you can easily work around this restriction. See my post at How to enable Group Policy Preferences support for IE9 .

For a complete listing of all the IE9 Group Policy setting, where they can be found and how you install them to Active Directory go to TechNet: Group Policy Settings

Installing IE9 on Windows 7 Service Pack 1 doesn’t require a reboot

Alan Burchill — Fri, 18 Feb 2011 11:25:27 +0000

Update: Now that I have installed the final version of IE9 on 6 computers 2 of them needed to rebook so it would seem that it may or may not require a reboot. This seems to be dependent on what application you are running at the time. Therefore it would still be prudent to plan for a reboot but not always expect it to happen.

I have just install IE9 on a Windows 7 and a Windows Server 2008 R2 computer running Service Pack 1 and I was very pleased to see that in both cases it does not required a reboot to install. Previously I have installed IE9 on 3 Windows 7 computers that were not running service pack 1 however they all required a reboot to install IE9. Therefore it seems that with Windows 7 / 2008 R2 Service Pack 1 installed it is now possible to install IE9 without a reboot. (see images below).

Disclaimer: ~~I have only seem this behaviour on one computer so far but I am testing it one more really soon.~~ I have now repeated this process on a Windows Server 2008 R2 SP1 and Windows 7 SP1. It looks more likely that this option to install IE9 without a reboot is a new feature of Service Pack 1.

One of the dialogue boxes (see below) on Windows Server 2008 R2 Service Pack 1 during the IE9 install asks if you want to the installer to close your running programs to install it without a reboot. So if you select the “Close programs for me (I already save my work)” opting the browser will be installed without a reboot.\

( FYI: The screenshots below are from a computer running Windows Server 2008 R2 Service Pack 1 with the Domain Controller role installed and running. )

The next screen is the dialogue box during install of IE9. As you can see IE8 and the Explorer shell has been closed during the install but the OS has NOT rebooted.

After IE9 is installed the Explorer Shell is launched again still without interruption to the OS.

This is a huge deal as it means that it is likely that updates to the browser will be able to be installed without having to require a reboot of the OS. Now this may be a nice have for end users however this is a much bigger deal for Windows Servers as IT administrators as they can now patch what is the most vulnerable part of the server OS (the browser) without any down time. This should hopefully mean that IT administrators will not need to revert to installed “Server Core” versions of the server OS’s just to ensure that they don’t have to reboot them every patch Tuesday to keep them secure.

I know this is not specifically a Group Policy topic however this is a really super cool find that I just had to share with everyone…

New Group Policy Hotfix’s

Alan Burchill — Tue, 19 Oct 2010 08:00:00 +0000

The guys at the Ask the Directory Services Team blog have just published the list of latest Directory Services related hotfixes ( see http://blogs.technet.com/b/askds/archive/2010/10/18/new-directory-services-content-10-10-10-16.aspx ). For your convenience I have put in a direct link and a short description for the two Group Policy related hotfixes.

KB2379592 – "Object reference not set to an instance of an object" error message when you view the GPO backup settings in the Group Policy Management Console.

Description

Resolves an “Object reference not set to an instance of an object.” when you select the “View Settings” of a GPO that has an advanced audit policy setting configured that you have also backed up.

KB970840 – Some settings in Group Policy Preferences for Internet Explorer do not deploy correctly to computers that are running Windows Server 2008, Windows Vista, Windows 7 or Windows Server 2008 R2

Description

Resolves the following IE8 preference settings from not working:

Check boxes under Accessibility
- "Reset text size to medium while zooming"
- "Reset Zoom level to 100% for new windows and tabs"
Check boxes under Security
- "Allow active content to run in files"
- "Allow software to run or install even…"
Check boxes under International
- "Send IDN Server Names"
- "Send UTF -8 URL"
- "Show information bar for encoded address"

It also resolves a freeze/crash in the Group Policy Object Editor when you are editing an Internet Explorer Group Policy Preferences setting.

Hotfix: IE 8 restores the search provider settings when the "Prevent Internet Explorer Search box from displaying" Group Policy setting is enabled

Alan Burchill — Thu, 29 Jul 2010 01:39:50 +0000

A new hotfix (KB2171141) is out from Microsoft that resolves an issues with the IE8 search provider when applying the “Prevent Internet Explore Search box from displaying” is enabled (see image below).

This policy will remove remove the search box from Internet Explorer (see image below).

But then when a user logs on to the computer for the first time they are prompted to setup their default IE setting and then they will get this error message (see image below).

It also looks like this hotfix is also probably not going to be in Windows 7 Service Pack 1 as it is not listed in the complete list of hotfixes.

To download the hotfix and to get more info visit Internet Explorer 8 restores the search provider settings when the “Prevent Internet Explorer Search box from displaying” Group Policy setting is enabled

How to use Group Policy to Allow or Block URL’s

Alan Burchill — Thu, 08 Jul 2010 11:00:00 +0000

This is another article I have written that address’s the commonly asked question on the Group Policy forum as to how you can use group policy to block or allow users to specific web site URL’s. It goes without saying that the most effective way to implement content filtering for the internet is to maintain list of sites on your proxy server/firewall in your organisation. However you might not have any proxy or firewall that can do this and this method is also not affective when a user is connected to the internet outside the corporate network.

Luckily there is an option in the Internet Explorer Maintenance group policy section that allows you to configured an allow/never list of URL’s for your users. If you are configuring this option I also suggest your also check out one of my other article How to configure AppLocker Group Policy in Windows 7 to block third-party browsers to prevent users from running non-IE browsers to get around this restriction as this is an IE only policy setting.

How to configure Internet Explorer to Allow and Block URL’s

Step 1. Edit a Group Policy Object (GPO) that applies to the users you want to configure URL blocking.

Step 2. Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security and then click on the “Security Zones and Content Ratings”

Step 3. Select “Import the current Content Ratings settings” and then click on the “Modify Settings” button

Step 4. Click on the “Approved Sites” tab

Step 5a (Black List). Type the name of the URL that you want to block in the “Allow this website” text field and then click “Never” then “OK”

Step 5b (White List). However if you are trying to maintain a white list of URL’s then type the name of the site you want to allow it the “Allow this website” text field and then click “Always” then “OK”

Note: You will probably want to add the internal domain name of your companies AD to the Allow list of as well to ensure users can access the intranet web sites. Also note that while wildcards are supported in the URL’s, but adding just the URL “*” does not work. While this would be very handy to configure a white list I will show you how to get around this restriction in further steps below.

Now we have to create a supervisor password that will be used for making any subsequent changes to the Allow/Never URL list. This password can also be used by the user (if they know it) to work around these URL restrictions. However as this password is applied by policy it will be the same password for all users so think about chancing the password often.

Step 6. Type the same password in both the “Password” and “Confirm Password” fields and type at hint in the “hint” field. You could also type something like “To get this password please contact the help desk on 5555-5555”.

By default when you enable the content advisor it will automatically block any web site that does not have a rating configured. Therefore you will want to turn this blanket restriction off in step 8 if you all you are trying to do is block specific URL’s in a black list configuration.

Step 8 (Black List). Tick “User can see websites that have no rating” then click “OK”

Note: For white list configuration leave the “User can see websites that have no rating” un-ticked so that all web sites will be blocked.

Step 9. Click OK

Done.

If you configured a black list then a user will be allowed to go to all web sites except the URL that you specifically blocked. When the user does hit a web site that is blocked they will be presented with dialogue box explaining why they are not able to visit the web site and an option to visit the site only if they know the supervisor password.

If they click Cancel nothing will happen and if they press OK they will get presented with this dialogue box.

Below is another example message that is presented when visiting a site without a rating and you have configured the policy not load sites that do not have a rating which you will see if you have configured this as a white list.

If you are using a white list configured and a users will still be able to visiting as site so long as it is ICRA3 rated and it does not report as having content that falls into any of the rating categories. Therefore this method is not 100% affective for a white list strategy but you do find your users visiting a site that is not specifically allowed then you can simply added it as a blocked URL.

Related Resources:

If you have played with this setting and are looking for a way to remove this setting from the group policy then see my posting How to remove imported Internet Explorer Group Policy Settings

You will also find that the computer you have made these URL restrictions on will now have the supervisor password set (I assume its something about how IEM GPMC interacts with the local computer) so to Remove IE Supervisor Password just delete the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Policies\Ratings key and it will reset the Content Advisor settings back to defaults.

Best Practice: How to use Group Policy to configure home page settings – Part 3

Alan Burchill — Wed, 05 May 2010 18:00:00 +0000

I know a lot of people have asked for this third an final instalment on how to use Group Policy to manage home page settings and so I have finally been able to find some time to finish this series of posts.

Just to recap in Part 1 I showed you how to configure home page setting using the administrative templates native policy and in Part 2 I showed you how to do this using Group Policy Preferences.

In this post I will show you how to configured Internet Explorer home page settings using the Internet Explore Maintenance (IEM) group policy setting option. The IEM policy setting has been in Group Policy since the very beginning and is now a depracated setting as you can tell by the now various other methods of configuration home pages as outlined in Part 1 and Part 2. So if you are configuring this as a new setting definitely look at using the native Administrative Template or Group Policy Preferences first.

However the one advantage of using IEM is “Preferences Mode”…… Huh… I hear you… Well this is the OTHER Group Policy Preference (see below) and this option only applies to Internet Explorer Maintenance settings. The advantage of the Preferences Mode settings is that once the home page is configured the user will be able to change the home page to their own “Preference”.

(Now this might seem alright, however you need to wait till the end to find out why this is really cool…)

To configured the home page edit a Group Policy Object (GPO) that is targeted to the users you want to configured. Then navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > URLs and double click on “Important URL”.

Now simply tick “Customize Home page URL” and type the URL you want configured as the home page in the “Home page URL:” text box.

Now the users home page will be configured to the URL you configured above.

Now this is the SUPER COOL thing about setting… If you have enabled Preferences Mode and you configured the “Disabled changing Secondary Home Pages setting” that I talked about in Part 1 your users will be able to make a change the Primary Home but you can still force the URL of any of the secondary home page tabs (see image below where the users has change the Primary home page to Yahoo but the Google Secondary page remains). AWESOME!

Note: If you already have a setting configured in IEM then you will first need to “Reset Browser Settings” before you can enabled “Preferences Mode” which you can do by following these instructions How to remove imported Internet Explorer Group Policy Settings

For more information on Preference Mode see http://support.microsoft.com/kb/274846

For more information on Internet Explorer Maintenance setting see http://technet.microsoft.com/en-us/library/cc728150(WS.10).aspx

How to mitigate the SharePoint XSS security issue with Group Policy – KB983438

Alan Burchill — Fri, 30 Apr 2010 05:11:13 +0000

There is currently a Cross Site Scripting issue with SharePoint 3.0 and 2007 which could allow someone to maliciously run an arbitrary script that could allow elevation of privilege in the SharePoint site. There is currently no hotfix out for this issues however you can mitigate this issue by enabling the XSS Filter in Internet Explorer 8. Unfortunately this is not turned on by default for the Intranet Zone which is how the majority of SharePoint sites are accessed. So if you are an IT administrator and you want to protect against this issue before Microsoft releases a hotfix then below are the instruction showing how to enable this via Group Policy.

Step 1. Edit the Group Policy object that applies to all the user accounts you want to migrate this issue.

Note: If you want complete coverage of all users in your organisation then make this change the the default domain policy or another policy link to the top of the domain.

Step 2. Navigate to User Configuration > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone and enabled the “Turn on Cross-Site Scripting (XSS) Filter” then ensure you set the drop down menu to “Enabled” then press OK.

To confirm the setting is applied you should now see that the “Enable XSS filter” option is configured to “Enabled” and it is greyed out as the setting has now been configured by group policy.

Unfortunately this setting cannot be enabled via Group Policy Preferences as you can see if does not have the XSS filter option.

To keep up to date with this issue and for more information on this issues see http://blogs.technet.com/msrc/archive/2010/04/29/security-advisory-983438-released.aspx and http://www.microsoft.com/technet/security/advisory/983438.mspx

How to remove imported Internet Explorer Group Policy Settings

Alan Burchill — Wed, 07 Apr 2010 18:00:00 +0000

If you have ever configured you Internet Explorer setting via the “Internet Explorer Maintenance” group policy setting you might be wondering however to remove these setting now you found a few easier ways to do the same thing. Well its not all that obvious but if you go to User Configuration > Policies > Windows Settings you can then right click on "Internet Explorer Maintenance" and click "Reset Browser Settings" you are done…

How to use Group Policy to mitigate security issue KB981374

Alan Burchill — Mon, 22 Mar 2010 20:20:05 +0000

There is currently a security advisory out about a Zero Day vulnerability in Internet Explore 6 & 7 on Windows XP and Vista. While there is no patch out for this issues so far you can mitigate the security a number ways using Group Policy. Below I have listed two ways to implement the workaround as listed by Microsoft using Group Policy.

Method 1. Modify the Access Control List (ACL) on iepeers.dll

Step 1. Edit a Group Policy Object (GPO) that is targeted to the computer accounts you want to apply this setting. Then navigate to Computer Configurations > Windows Settings > Security Settings > File System.

Step 2. Click on “Action” in the menu and then “Add File…”

Step 3. Type “%WINDIR%\System32\iepeers.DLL” into the Folder: field then click “OK”

Step 4. Click “Add”and then add the “Everyone” group and click “OK”

Step 5. Tick the Full Control “Deny” tick box. This will then tick all the Deny tick boxes.

Step 6. Click “Yes” to the Deny warning.

Step 7. Click “OK” to the permissions option.

Note: If you want to apply this to x64 version of Windows as well repeat step 2 thought 7 but type “%WINDIR%\SYSWOW64\iepeers.DLL” instead in the Folder: field.

You have now denied permissions to the file that has the issues.

Once you have applied the patch to fix this vulnerability be sure to go into each of file security settings and remove the “Everyone” deny permission from the setting.

Method 2: Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

Step 1. Edit a GPO that is targeted to the users accounts you want to apply security setting. Then Enabled both the “Allow active scripting” under User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Page > Internet Zone and the Intranet Zone. Then configure the Options to either “Prompt” or “Disable”.

Once you have performed the above configuration changes be sure to add *.windowsupdate.microsoft.com, *.update.microsoft.com and any other site you require to run Active Scripting on to the trusted sites zone list. Instructions on how to do this can be found here How to use Group Policy to configure Internet Explorer security zone sites

Disclaimer: I do not guarantee that this information will work. All the above information is to be used at your own risk.

For more details on the security vulnerability and other ways to mitigate this issue see Microsoft Security Advisory (981374)

Hotfix: “Configure new tab page default behavior” does not work

Alan Burchill — Fri, 19 Mar 2010 07:46:42 +0000

Microsoft have just released a hotfix (KB980959) to fix the problem with the “Configured new tab page default behaviour” group policy setting not working for Internet Explorer 8. Apparently the Intetres.admx had the wrong path configured path is configured to “Software\Policies\Microsoft\Internet Explorer\Main” where it should be configured to “Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabbedPageShow”. If you want to see the setting for your self just look for the text “NewTabAction” in the Inetres.admx file.

For details on getting the hot fix and to see the full article “The “Configure new tab page default behavior” Group Policy setting does not work on a computer that is running Windows 7 or Windows Server 2008 R2 and that has Internet Explorer 8 installed” here http://support.microsoft.com/?kbid=980959

Group Policy Setting of the Week 18 – Allow file download (Internet Explorer)

Alan Burchill — Tue, 16 Mar 2010 10:47:49 +0000

This weeks setting is one that you would use if you are in an environment that you want a very high level of security (e.g. Kiosk computers). The “Allow file download” option is used to prevent the downloading of files via Internet Explorer. This setting does not prevent the browser form downloading files such as images to display in the browser page but it does prevent users from downloading of files when a user click on a file download link. This could also be useful if you want to help limit the security attack vector of users being tricked into download and running malicious files on their computers from the internet which could help mitigate some Zero day attacks.

Note: This does not prevent users from running Firefox or Chrome to get around this restriction (although they would have difficulty in downloading it) therefore you may also want to consider deploying AppLocker or Software Restriction Policies to prevent the running of those apps.

To enable this restriction you need to first “Enable” the policy and then set the Allow file downloads option to “Disable” . This setting can be found under Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone. This setting can also be configured on the other zone’s under the Security Page section however the Internet Zone is what most web sites are classified as and therefore will have the largest affect.

When this policy is applied to a user and the user clicks on a hyperlink to a file to download they will then receive this dialogue box.

If you did enabled this setting and you wanted to let users download file from particular web sites you could add the site URL to the trusted sites zone list. I have previously blogged how to do here http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/

P.S. Sorry i am a day late with this one… have been a bit busy lately. But don’t worry i will make sure that i always have time to do a setting of the week post each week.

Best Practice: How to use Group Policy to configure Internet Explorer security zone sites

Alan Burchill — Sun, 14 Mar 2010 06:00:00 +0000

As you know Group Policy Preferences are these fantastic new settings that allow IT administrators perform any configuration they want on a users group using Group Policy… well almost.. In this tutorial I will show you how to configured one of the few settings that are not controlled by preferences but can be configured using a native Group Policy.

The Internet Explore site zone assignment is one of the few settings you specifically can’t configured using preferences, as you can see (image below) the User Interface to this options has been disabled.

There is a native Group Policy that allows you to control Internet Explorer site zone list is called “Site to Zone Assignment List” which I will go thought below how to use.

Step 1. Edit the Group Policy Object that is targeted to the users you whish this setting to be applied.

Step 2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and double click on the “Site to Zone Assignment List” and check the “Enable” option then click on the “Show..” button.

Step 3. Now type the URL in the “Value name” field with the >* on the far left and then type the zone number (see table below) you want to assign to that zone.

Internet Explorer Group Policy Zone Number Mapping

Zone Number	Zone Name
1	Intranet Zone
2	Trusted Sites zone
3	Internet zone
4	Restricted Sites zone

As soon as you start typing the URL a new line will appear for the next URL.

Step 4. One you have finished assigning adding the URL’s and site zone number click OK

Tip: If you want to delete a row click on the button on the far left to select the row you want to delete (see image below) and then press the “Delete” key.

(sites in above list are example only)

Now the Internet Explorer Site zone list will now be populated with the zone you configured above and as you can see in the images below the Internet Explorer status bar now show the correct zone based on the that the URL’s in the address bar.

Best Practice: How to use Group Policy to configure home page settings – Part 2

Alan Burchill — Thu, 04 Mar 2010 09:00:00 +0000

In part 2 of how to use Group Policy to configure a users home page I will be show you how to use Group Policy Preferences to configure a users home page. There really isn’t a right way you can set the users home pages setting it is really up to your requirements and how much control you want to have.

The advantage of using Group Policy Preferences is that it allows you to specify a default home page but still allow users to change it if they want.

Now there are three dialogue Internet Explorer setting that can be used to configured home pages in Group Policy Preferences.

Internet Explorer 8	Internet Explorer 7	Internet Explorer 5 and 6

However as you can see the IE7 and IE8 screens are exactly the same so I will only go thought it using IE8 and the IE5/6 screenshots. If you do want to configure the IE8 setting remember that you will need to use the Internet Explorer 7 screen option instead however all the steps and affects are the same.

Internet Explorer 5 & 6

Internet Explorer 5 & 6 does not support tabbed browsing so this makes it a lot simpler to setup as all you can specify a default home page. Also remember that the Group Policy Preferences Client Side Extensions are are not installed on Windows XP by default so you will need to make sure they are installed before these settings will work.

Step 1. Edit a GPO that targets the users that you want to apply the home page setting.

Step 2. Navigate to User Configuration > Preferences > Control Panel Settings > Internet Settings

Step 3. Click on the “Action” menu and click on “New” and then click on “Internet Explore 5 and 6”

Step 4. Press “F6”

Explanation: Pressing “F6” enables the individual settings for configuration. Notice this changes the red dotted line to a solid green line which means that only the “Home:” settings is enabled to be applied as a policy.

Step 5. Now type your home page URL in the “Home” text box and click “OK”

Your done.

Now as this is a preference this will not prevent you users from changing the home page however it will be reset at the next group policy refresh.

Internet Explorer 7 & 8

Internet Explorer 7 & 8 supports multiple tabs so you need can either configure a single default home page or a default home page with multiple secondary home page.

Step 1. Edit a GPO that targets the users that you want to apply the home page setting.

Step 2. Navigate to User Configuration > Preferences > Control Panel Settings > Internet Settings

Step 3. Click on the “Action” menu and click on “New” and then click on “Internet Explore 8” (or “Internet Explorer 7”)

Step 4. Press “F6”

Step 5. Now add the URL (or URL’s) for the pages you want to be displayed and click “OK”.

Note: If you only specify one home page then the user will be able to change the home page however it will reset after the next policy refresh.

Again… your done.

As you can see below your browser is configured with two default home pages.

Note: Native Group Policies always take precedence over Group Policy Preferences so if you have you home pages configured using a native Group Policy (see Part 1) then this settings will be overridden.

Best Practice: How to use Group Policy to configure home page settings – Part 1

Alan Burchill — Thu, 25 Feb 2010 08:00:00 +0000

One of the most common setting that Group Policy is used for it so configure browser home pages settings. There are a number of ways that this can be done in Part 1 i am going to go thought the changing the Home Page setting using a native Group Policy.

In Part 2 I will explain how to configure home page setting using Group Policy Preferences and in Part 3 will explain how to configure home pages setting using the Windows Setting > Internet Explorer Maintenance option.

The advantage of using a native group policy setting is that they do not require the deployment of the Group Policy Preference client side extensions and the setting are enforced so the user cannot change the setting even temporarily.

Primary Home Page

This option allows the admin to configured a single home page for the user without the ability for the user to add any other secondary home pages if they are using IE7 or IE8. This setting will also work however if the users has IE5 and above installed.

Step 1. Edit a GPO that targets the users that you want to apply the home page setting.

Step 2. Navigate to User Configuration > Policies > Administrative Templates >Windows Components > Internet Explorer

Step 3. If you want to configure a single home for your users and/or you are using IE5 or IE6 edit the “Disable changing home page setting”

Step 4. Select “Enabled” and then type the URL you want as the home page in the “Home Page” text field.

Now the user browsers will be hardcoded to use only http://www.bing.com as the home page and the UI to make this change will be disabled.

Multiple Tabs

This option allows the admin to specify the users secondary home pages while still allowing them to configured the default home page.

Note 1: This policy setting will not work with IE7 that does support secondary home pages.

Note 2: This policy setting will not work if you have the “Disable changing home page settings” also enabled.

Step 1. Edit a GPO that targets the users that you want to apply the home page setting.

Step 2. Navigate to User Configuration > Policies > Administrative Templates >Windows Components > Internet Explorer

Step 3. If you want to configure a single home for your users and/or you are using IE5 or IE6 edit the “Disable changing secondary home page setting”

Step 4. Select “Enabled” and Click on “Show…”

Step 5. Click in the text field next the the * and type the URL that you want to add as a secondary home page. You can repeat this for as many secondary home pages that you want.

The user will now have http://www.yahoo.com and http://www.microsoft.com load as their secondary home pages and they will be able to change their default primary home page by using the”Add or Change Home Page…” option (see image below).

However They will not be able to add or change the secondary home pages which means that the “Add this webpage to your home page tabs” (see image below) option will NOT work.

This also means the UI under “Internet Option” for changing the “Home Page” will also be disabled.

I really like the secondary home page option as it allows users to customise their home pages setting why still ensuring they load the corporate home page each time they open their browser.

KB978207 (MS10-002) Internet Explorer “Google China” patch is out now

Alan Burchill — Thu, 21 Jan 2010 22:39:55 +0000

As I have previously mentioned there has been a lot of press lately where some hackers took advantage of some holes in IE and Adobe Reader to hack Google’s systems in China. As a result Microsoft have burnt the midnight oil and rushed out an Out of Cycle patch for Internet Explorer to resolve this issues even thought this issues seems to be fairly low spread.

Even so if you are still running Internet Explorer 6.0 on Windows XP (yes there are some corporations that do) it is STRONGLY recommended that you install this patch ASAP. Needless to say if you are still running IE6 on Windows XP then you also need to look at updated to IE7 or IE8. Besides the more compliant HTML rendering engine that the newer browsers offer they are also much more secure. If you happen to be running Vista (yeah for you!) then the risk is about 256 times less likely to affect you due to the extra protection the OS offers such as Protected Mode and Address Space Layout Randomisation (ASLR). Windows 7 users are even more secure as on top of Protected Mode and ASLR as Internet Explorer also has Data Execution Protection enabled by default.

So while your making yourself more secure installing this patch be sure to also check out my other article showing how to turn off JavaScript for Adobe Reader one of the other reported attack vectors for the Google Hack.

For more information about the http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

Update: This security issues was orignal posted as KB979352