Internet Explorer Administration Kit and Group Policy in IE7

I am a program manager on the Internet Explorer team and in this post I would like to share what we are doing in the manageability, customization and deployment space. The two key features are IEAK 7 – The Internet Explorer Administration Kit, and GP – Group Policy in Internet Explorer 7.

Before going on to IEAK & GP, I want to briefly talk about some terms I have used ahead –

Deployment – The process of distributing and installing a software program on a number of machines. This becomes important as administrators move up to hundreds, thousands, or even hundreds of thousands of computers.

Customization – The process of specifying the defaults, like default home page, favorites, or security settings.

Preferences – are defaults for various settings that administrators might want to provide as a one time thing. Users always have the option to change these as desired by them. E.g. administrator specifying the home page as a preference and user having the ability to change it by going to tools, internet options and general tab in Internet Explorer.

Policies – are restrictions on settings that administrators would want to enforce to respect a company policy, as opposed to allowing the users to configure the application as per their preference. Policies can be applied to any logical groups E.g. when Group Policy is set at the local computer level, everyone who logs on to the local machine is affected by the policy settings (Local Group Policy).

Manageability – ability to manage or lock down the settings in an application using policies. It is required for enforcing company policies and most importantly, to avoid misuse of the applications and safeguard interests of corporations by enforcing (policies) security settings. E.g. an administrator might want to turn on anti-phishing and avoid the users from turning it off in his organization. He can do so by setting a policy to “Turn off managing the phishing filter”.

Thus in an end to end scenario, a corporate administrator might want to install (deploy) internet explorer on a number of machines in his corporation. He may want to customize it by specifying the default home page, favorites etc. He may also want to manage internet explorer by pre-specifying certain security settings and locking them down so that users can’t modify them.

Active Directory – This is a part of the Windows Server environment and is used by companies with domains and organizational units (OUs). An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed and to which a Group Policy object can be linked and policy be applied. Active Directory provides essential directory services for the domain and provides features that enable advanced controls through Group Policy.

IEAK vs. Group Policy

In an Active Directory environment, the administrator can deploy and manage Internet Explorer using the Active Directory infrastructure. He has the ability to lock down Internet Explorer settings using Group Policy. This is the best way for managing Internet Explorer settings and is consistent with how other Windows settings can be managed. Also in an Active Directory environment, a client side extension ensures that policies are applied all the time. If policies are changed, they can be refreshed immediately rather than relying on a logon or startup script of the user machine for policies to get applied.

Consider a non Active Directory environment where a corporate administrator wants to deploy, customize and manage Internet Explorer. In such a scenario, the admin can use the IEAK to perform all three.  Administrators can deploy Internet Explorer using IEAK in a variety of ways, including creating a CD or hosting on an internal server or creating flat files (all files in one directory). If you build your packages on a local area network you can select the flat file option to place all the necessary files in one folder under the target destination

For those of you who can’t use Group Policy and wish to customize Internet Explorer 7 by setting preferences, IEAK 7 is the way to go.

Target scenarios for IEAK 7

  • A corporate system admin wants to deploy IE7 and have it immediately configured according to specifications.
  • A corporate system admin wants to give IE7 to users but wants to add additional updates for internal apps in the same deployment.
  • An ISP wants to provide a customized IE7 to its users.
  • An ISV/ICP wants to include a customized IE7 with its application.
  • An OEM wants to deploy a custom IE7 package on its machine.

What is new in Internet Explorer Group Policy – We have made most existing IEM (Internet Explorer Maintenance – snap in to the Group Policy Editor) settings, including IEM preference mode settings, available outside of Preference Mode as true policies. This will provide corporate administrators greater control in locking down some of the legacy Internet Explorer settings. We have also provided policies for all new IE7 features and made the Internet Control Panel Group Policy aware.

What is new in IEAK 7? – As I described above, IEAK 7 allows deployment, customization & management of Internet Explorer for corporations, Internet Service Providers (ISPs), Original Equipment Manufacturers (OEMs), Independent Software Vendors (ISVs) and Internet Content Providers (ICPs). IEAK 7 makes this available for IE 7, providing customization abilities for all new features in IE7. Here’s a sneak preview of some of them –

Customization of Feeds –

Customize Feeds

Ability to Add Search Providers and set Default Search Providers

Ability to customize multiple Home Pages for various tabs –

Customize Multiple Home Pages

Additional improvements in IEAK 7 include –

  • Improved user experience through a better layout and structure of the wizard aimed at exposing key features in a user-friendly manner.
  • Components that shipped with previous Internet Explorer versions but are not shipping with Internet Explorer 7, such as Outlook Express and Windows Media Player, will no longer be configurable in IEAK7
  • Ability to create small branding packages that can customize existing installations of Internet Explorer 7 without requiring Internet Explorer to be downloaded on the client machine.

Thus if you have large number of machines and a number of Organizational Units (OUs) to manage, we strongly recommend Group Policy as the best way to do it. If you can’t, there are a number of changes in IEAK7 that will make your life easier. You can check out IEAK by downloading and trying the following – IEAK7 B2P or IEAK6 SP1. You can read more about IEAK at Technet.

Have a feature suggestion? Love to hear from you…

 – Puneet

Comments (28)

  1. mike says:

    > Ability to customize multiple Home Pages for various tabs

    Sounds great. But just to make sure I understand correctly, your saying that IE will have multiple tabs already open upon launch of the application?

    If so, is it possible to have IE do this without the IEAK?

  2. game kid says:

    "Sounds great. But just to make sure I understand correctly, your saying that IE will have multiple tabs already open upon launch of the application?

    If so, is it possible to have IE do this without the IEAK? "

    I’ve done this all the time.  Have your desired home pages open, then click the arrow next to the Home icon, then "Change Home Page", then "Use the current tab set…".

    Or Tools->Internet Options, and type each tab address in a separate line.

  3. Fiery Kitsune says:

    How does the new IEAK7 compare to the Firefox 1.5 CCK (Client Customization Kit)?

  4. > How does the new IEAK7 compare to the Firefox 1.5 CCK (Client Customization Kit)?

    Like Saab 9-5 Aero to Open Ascona 🙂

  5. Jonathan Jesse says:

    I’m confused a little by this post.  Right now for my IE 6 users there home page is set by group policy and they cannot change this.  However in IE& Beta 2, I can change the home page by selecting the drop down from the Home icon and select change home page.  Will this be fixed differently or do I now need the IEAK?

  6. GD says:

    What about deploying a customized version of IE using the IEAK, and then managing that IE installation with GPOs?  Is this possible, and are there any drawbacks to managing IE this way?

  7. Jacob says:

    I work at a college, and I need to lock the IE home page down, to avoid punk kids from setting "porn site…" or "warez site…" or "funny videos, but not appropriate for a school site…" as the home page.

    Is this still possible? Not just on roll-out, but as a system policy?

  8. jacob says:

    Oh, almost forgot.

     We want to rollout mass extensions too.  E.g. As soon as the Firefox "AdBlock" equivelent is available for IE, we will want this on all PC’s.  Will the new extension developers be able to develop to work within the IEAK? or will we need to spawn a task to install this seperately on each PC?

    Thank you

  9. Mark Kenny says:

    I know it’s horrifyingly rude to ask questions off-topic, so please ignore if you see fit, but…

    Will IE7 be installed automatically with Windows Update, or will users be required to download and install it manually?

  10. Jon Doe says:

    When I try and download the new iTunes from Apple (dam them) then there is a mixed content page, i.e. secure and non-secure items. IE7 has displays a bar at the top as a warning but when you say "allow blocked content" then it tries to resend the info and the apple website doesn’t handle it.

    While this is because Apple is stupid, it’s annoying that I have to open up firefox to download the software and would be nice if it was fixed up.

    Here’s the URL to try for yourself:

  11. Puneet [MSFT] says:

    Hi Jonathan and Jacob,

    Yes the Home page can still be locked down using Group Policy as before and you dont need IEAK for this.

    The issue you pointed out about the Home icon for Beta 2 Preview is a known issue and will be fixed.



  12. Jonathan says:

    I would like to be able to customise the Popup Blocker via group policy. We have a web based application that we use and this has popups which are then blocked by IE6 and we have to manually go through with the user setting up an exemption

    Also to do with popups, I would like to be able to disable specific add-ons via group policy. After we go through the above with allowing popups they then still report a problem because Google or Yahoo toolbars are separately blocking them.


  13. Jonathan Jesse says:


    Thanks for the response, is this the best place to report issues like this?  Or the Channel9 wiki or some other location?

  14. ieblog says:


    Please see the blog post at on how to report issues.

    – Al Billings [MSFT]

  15. Mike Mendley says:

    It sounds as if for public use (e.g., college)deployment, you’d want a configuration that, while not necessarily locked down, always launched "clean" (as configured), with nothing (bookmarks, cookies, cache, settings) persisting once the browser is closed.

  16. Puneet [MSFT] says:

    Hi Jacob,

    From what i understand, you are looking at the following scenario –

    You have Internet Explorer installed on machines. And now there is this new utility that you want to roll out (using IEAK) on the machines which already have Internet Explorer installed.

    IEAK allows you to add additional components for installation, with the IE package that you create. However to configure machines which already have Internet Explorer installed, you will have to create a "configuration only" package using IEAK. The current versions of IEAK (inluding IEAK 6 sp1 and IEAK 7 Beta 2 Preview) dont support adding additional components in the "configuration only" package.

    However we will evaluate this scenario further and try to consider this for IEAK 7.



  17. Puneet [MSFT] says:

    Hi Jonathan,

    We have the following policies for Pop-Ups and Add-ons. You can use these to lock down pop-up management and specify your pop-up exemption list through policy –

    Turn off Managing Pop blocker exception list – You can allow Pop-ups from specific websites by adding those sites to the exceptions list. If you enable this policy, users will not be able to add or remove websites to the exception list.

    Specify Pop-Up Allow List – This policy setting allows you to manage a list of web sites that will be allowed to open pop-up windows regardless of the Internet Explorer’s Pop-Up Blocker settings. If you enable this policy setting, you can enter a list of sites which will be allowed to open pop-up windows regardless of user settings. Users will not be able to view or edit this list of sites.

    Turn off managing Pop-up filter level – You can block or allow pop-ups based on three filter levels: High – Block All Pop-ups, Medium – Block most Automatic pop-ups, Low – Allow pop-ups from secure sites. If you enable this policy, users will not be able to change the filter levels.

    We also have the following policy for Add-ons –

    Deny all add-ons, unless specifically allowed in the Add-on List

    However if you are allowing users to install some add-ons which are enforcing pop-up blocking behavior, then I see this as a matter of informing the users not to block pop ups using those add on.



  18. Robert Spivack says:

    In Re: Feeds

    I just moved to another computer and reloaded my "Feeds" for IE7 that I had exported from my other computer and stored in my private sharepoint files area (a great way to move things across the net and thru firewalls, etc.)

    When I opened IE7 it proceeded to mark every feed as "new /unread".

    Not sure if possible, but with hundreds of feeds it would be nice if the export/import functions would save the state indicating the date/time of last refresh so when importing feeds they don’t all default to "unread".

    Would also like to see a single "Save state" command instead of having to use both "File export bookmarks" and "file export feeds" to move the whole "personality" of IE7 on one machine to another.

  19. IEBlog says:

    Hello, we are Durga and Bala, from the IE IDC team. We would like to describe to you, a new feature in…

  20. IEBlog says:

    Hello everyone, I blogged earlier about the work we have done in IE7 for IT Pros. For those of you who