Internet Explorer Feature Control Settings in Group Policy In Windows Server 2003


This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 3 months, 1 week ago.


    Webmaster
    Keymaster

    The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as
    Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
    restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the
    Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will
    not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and
    Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not
    using the enhanced security configuration on your server, these features will function as they do in Windows XP Service
    Pack 2.
    What does Internet Explorer Feature Control Settings in Group Policy do?
    Windows XP Service Pack 2 introduced new registry keys and values for Internet Explorer security features called Feature
    Controls. These security features have been incorporated in Windows Server 2003 Service Pack 1. The specific behavior of the
    feature control registry settings is discussed with each security feature throughout this section.
    A modified Inetres.adm file contains the feature control settings as policies. Administrators can manage the feature control
    policies by using Group Policy objects (GPOs). When Internet Explorer is installed, the default preferences settings for these
    feature controls are registered on the computer in HKEY_LOCAL_MACHINE. In Group Policy, the Administrator can set them in
    either HKEY_LOCAL_MACHINE (Computer Configuration) or HKEY_CURRENT_USER (User Configuration).
    Who does this feature apply to?
    Group Policy administrators can uniformly configure the Internet Explorer Feature Control settings for the computers and
    users that they manage.
    What existing functionality is changing in Windows Server 2003 Service Pack 1?
    Group Policy Internet Explorer settings
    Detailed description
    The new feature control policies are:
    Binary Behavior Security Restriction
    MK Protocol Security Restriction
    Local Machine Zone Lockdown Security
    Consistent MIME Handling
    MIME Sniffing Safety Feature
    Object Caching Protection
    Scripted Window Security Restrictions
    Protection from Zone Elevation
    Information Bar
    Restrict ActiveX Install
    Restrict File Download
    Add-on Management
    Network Protocol Lockdown
    In the Group Policy Management Console, the local computer policies for Feature Controls are in
    \Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features.
    The current user policies for Feature Controls are in
    \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features.
    The policy for the feature needs to be enabled for the process — for example, IExplore.exe — before the zones’ individual
    security setting policies or preferences will be applied. For more about the behavior of Feature Controls keys and setting them
    for a process, see the section on each feature and the section Internet Explorer Using Feature Control Registry Settings with
    Security Zone Settings. For more information about specific security settings by zone, see Internet Explorer URL Action and
    Advanced Security Settings in Group Policy.
    Administrators of Group Policy can manage these new policies in the Administrative Templates extension to the Group Policy
    Management Console. When configuring these policies, the administrator can enable or disable the security feature for
    explorer processes (Internet Explorer and Windows Explorer), for executable processes that they defined, or for all processes
    that host the WebOC.
    Users cannot see the feature control policies or preference settings through the Internet Explorer user interface, except for
    Local Machine Zone Lockdown Security. Feature control policies can only be set using the Group Policy Management Console,
    and feature control preference settings can only be changed programmatically or by editing the registry.
    Configuring policies and preferences
    Group Policy is the recommended tool for managing Internet Explorer for client computers on a corporate network. Internet
    Explorer supports Group Policy management for the IE feature controls included in Windows XP Service Pack 2 and Windows
    Server 2003 Service Pack 1 as well as for Security page settings or URL actions. Administrators of Group Policy can manage
    these policy settings in the Administrative Templates extension of the Group Policy Management Console.
    When implementing policy settings, it is recommended to configure template policy settings in one Group Policy object (GPO)
    and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features
    (for example, precedence, inheritance, or enforce) to apply individual settings to specific client computers.
    Policies can be read by users but can only be changed by Group Policy management or by an administrator. Preference
    settings can be changed programmatically, by editing the registry, or in the case of URL actions and Local Machine Zone
    Lockdown Security, by using Internet Explorer. Note that settings that are associated with policies will take precedence over
    settings specified using Internet Explorer preferences.
    IEAK/IEM
    For operating systems prior to Windows XP SP2 and Windows Server 2003 SP1 and previous Internet Explorer versions,
    Internet Explorer Administration Kit (IEAK) 6 Service Pack 1 remains the recommended tool for solution providers and
    application developers to customize Internet Explorer for their end users. IEAK support and the IEAK/IEM process does not
    change for Internet Explorer versions prior to Windows XP Service Pack 2. The process also has not changed for using
    IEAK/IEM to set user setting preferences in Internet Explorer versions prior to and including Windows Server 2003 SP1. This
    includes the new Internet Explorer 6 in Windows XP Service Pack 2 and Windows Server 2003 SP1 preference settings.
    However, the true policy settings incorporated by this feature can only be managed within Group Policy. For more information
    about IEAK, see "Microsoft Internet Explorer 6 Administration Kit Service Pack 1" on the Microsoft Web site at
    http://go.microsoft.com/fwlink/?LinkId=26002.
    In summary, the IEAK can still be used as before for all Internet Explorer versions prior to Windows XP Service Pack 2, and is
    still the tool to use for branding in Windows XP Service Pack 2 and Windows Server 2003 SP1. IEM/IEAK can still be used to
    set user preference settings, but true policies should be set using the Group Policy Management Console.
    Frequently asked questions for existing users of the IEAK

    Question: I currently use the IEAK with a corporate license to configure Internet Explorer on desktop computers and I
    don’t have Active Directory in my organization. How can I configure Internet Explorer if the IEAK doesn’t work with
    Windows XP SP2 or Windows Server 2003 SP1?
    Answer: You can still use Group Policy to configure settings even if you don’t use Active Directory. You can use Group
    Policy to create a local Group Policy object (GPO) with your settings and then deploy that GPO. After you have configured
    your GPO for Internet Explorer, you can deploy it using your standard deployment methods. For example, you might use
    startup or logon scripts, Systems Management Server scripts, or you might send links to users in e-mail.

    Question: I currently use the IEAK with a corporate license to configure Internet Explorer on desktops and I don’t have
    Active Directory in my organization. What happens if I keep running my IEAK 6 SP1 packages against Windows XP SP2 or
    Windows Server 2003 SP1?
    Answer: If you install an IEAK 6 SP1 package on a computer running either Windows XP SP2 or Windows Server 2003 SP1,
    the settings from Internet Explorer 6 SP1 will be updated, but the security settings will not be configurable, since
    IEAK 6 SP1 wasn’t designed to deploy those settings.

    Question: I currently use the IEAK with an Internet service provider (ISP) license to brand Internet Explorer bits and
    setup connections for my ISP customers. Will my IEAK 6 SP1 packages still be able to apply settings on Windows XP SP2
    and Windows Server 2003 SP1?
    Answer: The branding settings in your ISP license IEAK 6 SP1 package should be applied correctly.

    Why is this change important?
    By adding the Internet Explorer Feature Controls policies to Group Policy, administrators can manage these true policies to
    establish standard security settings for all the computers that they configure.
    Do I need to change my code to work with Windows Server 2003 Service Pack 1?
    Internet Explorer in Windows Server 2003 SP1 adds policies to Group Policy but does not change how policies are managed.
    Developers need to be aware of how each feature control setting affects security-related behavior for their applications. The
    effects of the different security-related behaviors on application development are discussed within this document in the
    specific sections for each feature.

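An added example, not part of the original post or of Microsoft's documentation: a read-only PowerShell audit that shows, for one process, which of the feature controls listed above are set by policy and which are governed only by preference values. The registry paths and FEATURE_* key names are not given on this page; they are assumed to be the usual Internet Explorer feature control locations and should be checked against the Inetres.adm in use.

```powershell
# Added example: read-only audit of IE Feature Control values for one process.
# Registry paths and FEATURE_* names are not from the page (see lead-in).
param([string]$Process = 'iexplore.exe')
$fc = 'Internet Explorer\Main\FeatureControl'
$locations = @(
    @('PolicyHKLM', "HKLM:\SOFTWARE\Policies\Microsoft\$fc"),
    @('PolicyHKCU', "HKCU:\SOFTWARE\Policies\Microsoft\$fc"),
    @('PrefHKLM',   "HKLM:\SOFTWARE\Microsoft\$fc"),
    @('PrefHKCU',   "HKCU:\SOFTWARE\Microsoft\$fc")
)
$features = @(
    @('Binary Behavior Security Restriction',  'FEATURE_BEHAVIORS'),
    @('MK Protocol Security Restriction',      'FEATURE_DISABLE_MK_PROTOCOL'),
    @('Local Machine Zone Lockdown Security',  'FEATURE_LOCALMACHINE_LOCKDOWN'),
    @('Consistent MIME Handling',              'FEATURE_MIME_HANDLING'),
    @('MIME Sniffing Safety Feature',          'FEATURE_MIME_SNIFFING'),
    @('Object Caching Protection',             'FEATURE_OBJECT_CACHING'),
    @('Scripted Window Security Restrictions', 'FEATURE_WINDOW_RESTRICTIONS'),
    @('Protection from Zone Elevation',        'FEATURE_ZONE_ELEVATION'),
    @('Information Bar',                       'FEATURE_SECURITYBAND'),
    @('Restrict ActiveX Install',              'FEATURE_RESTRICT_ACTIVEXINSTALL'),
    @('Restrict File Download',                'FEATURE_RESTRICT_FILEDOWNLOAD'),
    @('Add-on Management',                     'FEATURE_ADDON_MANAGEMENT'),
    @('Network Protocol Lockdown',             'FEATURE_PROTOCOL_LOCKDOWN')
)

# Value for the process, falling back to '*' (all processes); $null if unset.
function Get-FeatureValue([string]$Root, [string]$Key, [string]$Proc) {
    $k = Get-Item -LiteralPath (Join-Path $Root $Key) -ErrorAction SilentlyContinue
    if ($null -eq $k) { return $null }
    foreach ($name in @($Proc, '*')) {
        $v = $k.GetValue($name)
        if ($null -ne $v) { return [string]$v }
    }
    return $null
}

foreach ($f in $features) {
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Feature $f[0]
    foreach ($loc in $locations) {
        $row | Add-Member NoteProperty $loc[0] (Get-FeatureValue $loc[1] $f[1] $Process)
    }
    $policy = @(@($row.PolicyHKLM, $row.PolicyHKCU) | Where-Object { $null -ne $_ })
    $pref   = @(@($row.PrefHKLM, $row.PrefHKCU) | Where-Object { $null -ne $_ })
    # Preference values can be edited in the registry; policy values cannot.
    $row | Add-Member NoteProperty PreferenceOnly ($policy.Count -eq 0 -and $pref.Count -gt 0)
    $row
}
```

Rows with PreferenceOnly set to True are the features that, per the post, can still be changed programmatically or by editing the registry because no Group Policy value covers them.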