InternetExplorerFeature Control Settings in Group Policy In Windows Server 2003

The Microsoft Windows Server 2003 InternetExplorer Enhanced Security Configuration component (also known as
Microsoft InternetExplorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
restrictiveInternetExplorer security settings that disablescripts, ActiveX components,and file downloads for resources in the
Internet security zone. As a result, many of thesecurity enhancements included in thelatest release of InternetExplorer will
not beas noticeablein Windows Server 2003 Service Pack 1.For example, the new InternetExplorer Notification Bar and
Pop-up Blocker features will not be used unless thesiteis in a zone whosesecurity setting allows scripting. If you are not
using theenhanced security configuration on your server, thesefeatures will function as they do in Windows XP Service
Pack 2.
What does InternetExplorer Feature Control Settings in Group Policy do?
Windows XP Service Pack 2 introduced new registry keys and values for InternetExplorer security features called Feature
Controls.Thesesecurity features have been incorporated in Windows Server 2003 Service Pack 1.Thespecific behavior of the
featurecontrol registry settings is discussed with each security featurethroughout this section.
A modified Inetres.adm filecontains thefeaturecontrol settings as policies. Administrators can managethefeaturecontrol
policies by using Group Policy objects (GPOs).When InternetExplorer is installed, the default preferences settings for these
featurecontrols areregistered on thecomputer in HKEY_LOCAL_MACHINE. In Group Policy, the Administrator can set them in
either HKEY_LOCAL_MACHINE (Computer Configuration) or HKEY_CURRENT_USER (User Configuration).
Who does this feature apply to?
Group Policy administrators can uniformly configuretheInternetExplorer Feature Control settings for thecomputers and
users that they manage.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Group Policy InternetExplorer settings
Detailed description
The new featurecontrol policies are:
Binary Behavior Security Restriction
MK Protocol Security Restriction
Local Machine ZoneLockdown Security
Consistent MIME Handling
MIMESniffing Safety Feature
Object Caching Protection
Scripted Window Security Restrictions
Protection from ZoneElevation
Information Bar
Restrict ActiveX Install
RestrictFile Download
Add-on Management
Network Protocol Lockdown
In the Group Policy Management Console, thelocal computer policies for Feature Controls arein \Computer
Configuration\Administrative Templates\Windows Components\InternetExplorer\Security Features.
Thecurrent user policies for Feature Controls arein \User Configuration\Administrative Templates\Windows
Components\InternetExplorer\Security Features.
The policy for thefeature needs to beenabled for the process — for example, IExplore.exe — beforethezones’ individual
security setting policies or preferences will beapplied.For moreabout the behavior of Feature Controls keys and setting them
for a process, seethesection on each featureand thesection InternetExplorer Using Feature Control Registry Settings with
Security ZoneSettings.For moreinformation about specific security settings by zone, seeInternetExplorer URL Action and
Advanced Security Settings in Group Policy.
Administrators of Group Policy can managethese new policies in the AdministrativeTemplates extension to the Group Policy
Management Console.When configuring these policies, theadministrator can enable or disablethesecurity featurefor
explorer processes (InternetExplorer and Windows Explorer), for executable processes that they defined, or for all processes
that host the WebOC.
Users cannot seethefeaturecontrol policies or preferencesettings through theInternetExplorer user interface,except for
Local Machine ZoneLockdown Security.Featurecontrol policies can only beset using the Group Policy Management Console,
and featurecontrol preferencesettings can only bechanged programmatically or by editing theregistry.
Configuring policies and preferences
Group Policy is therecommended tool for managing InternetExplorer for client computers on a corporate network. Internet
Explorer supports Group Policy management for theIE featurecontrols included in Windows XP Service Pack 2 and Windows
Server 2003 Service Pack 1 as well as for Security pagesettings or URL actions. Administrators of Group Policy can manage
these policy settings in the AdministrativeTemplates extension of the Group Policy Management Console.
When implementing policy settings, it is recommended to configuretemplate policy settings in one Group Policy object (GPO)
and configureany related individual policy settings in a separate GPO. You can then use Group Policy management features
(for example, precedence, inheritance, or enforce) to apply individual settings to specific client computers.
Policies can beread by users but can only bechanged by Group Policy management or by an administrator. Preference
settings can bechanged programmatically, by editing theregistry, or in thecase of URL actions and Local Machine Zone
Lockdown Security, by using InternetExplorer. Notethat settings thatareassociated with policies will take precedence over
settings specified using InternetExplorer preferences.
IEAK/IEM
For operating systems prior to Windows XP SP2 and Windows Server 2003 SP1 and previous InternetExplorer versions,
InternetExplorer Administration Kit (IEAK) 6 Service Pack 1 remains therecommended tool for solution providers and
application developers to customizeInternetExplorer for their end users. IEAK supportand theIEAK/IEM process does not
changefor InternetExplorer versions prior to Windows XP Service Pack 2.The process also has not changed for using
IEAK/IEM to set user setting preferences in InternetExplorer versions prior to and including Windows Server 2003 SP1.This
includes the new InternetExplorer 6 in Windows XP Service Pack 2 and Windows Server 2003 SP1 preferencesettings.
However, thetrue policy settings incorporated by this featurecan only be managed within Group Policy.For moreinformation
about IEAK, see”Microsoft InternetExplorer 6 Administration KitService Pack 1″ on the Microsoft Web siteat
http://go.microsoft.com/fwlink/?LinkId=26002.
In summary, theIEAK can still be used as beforefor all InternetExplorer versions prior to Windows XP Service Pack 2,and is
still thetool to usefor branding in Windows XP Service Pack 2 and Windows Server 2003 SP1. IEM/IEAK can bestill be used to
set user preferencesettings, but true policies should beset using the Group Policy Management Console.
Frequently asked questions for existing users of the IEAK
Question Answer
I currently usetheIEAK with a corporate
licenseto configureInternetExplorer on
desktop computers and I don’t have Active
Directory in my organization. How can I
configureInternetExplorer if theIEAK doesn’t
work with Windows XP SP2 or Windows
Server 2003 SP1?
You can still use Group Policy to configuresettings even if you don’t use Active
Directory. You can use Group Policy to createa local Group Policy object (GPO)
with your settings and then deploy that GPO. After you haveconfigured your
GPO for InternetExplorer,you can deploy it using your standard deployment
methods.For example,you might usestartup or logon scripts,Systems
ManagementServer scripts, or you might send links to users in e-mail.
I currently usetheIEAK with a corporate
licenseto configureInternetExplorer on
desktops and I don’t have Active Directory in
my organization.What happens if Ikeep
running my IEAK 6 SP1 packages against
Windows XP SP2 or Windows Server 2003
SP1?
If you install an IEAK 6 SP1 package on a computer running either Windows XP
SP2 or Windows Server 2003 SP1, thesettings from InternetExplorer 6 SP1
will be updated, but thesecurity settings will not beconfigurable, sinceIEAK 6
SP1 wasn’t designed to deploy thosesettings.
I currently usetheIEAK with an Internet
service provider (ISP) licenseto brand Internet
Explorer bits and setup connections for my ISP
customers.Will my IEAK 6 SP1 packages still
beableto apply settings on Windows XP SP2
and Windows Server 2003 SP1?
The branding settings in your ISP licenseIEAK 6 SP1 packageshould beapplied
correctly.
Why is this change important?
By adding theInternetExplorer Feature Controls policies to Group Policy,administrators can managethesetrue policies to
establish standard security settings for all thecomputers that they configure.
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
InternetExplorer in Windows Server 2003 SP1 adds policies to Group Policy but does not change how policies are managed.
Developers need to beaware of how each featurecontrol setting affects security-related behavior for their applications.The
effects of the different security-related behaviors on application developmentare discussed within this document in the
specific sections for each feature.