IE8 Group Policy


Hi. In previous posts I talked about the IE8 IEAK and new event logging for IE8 in the Application Compatibility Toolkit. Today, I’m going to discuss the improvements we made to Group Policy support for Internet Explorer 8.

Background

For those of you who might be new to Group Policy, here is a quick background. Let’s first assume you use an Active Directory environment to administer the computers in your corporate network. If that is the case, Group Policy provides a wide set of policy settings to manage IE8 after you have deployed it to your users’ computers. These settings are locked down and cannot be changed by users, as they are always written to a secure tree in the registry.

The IE Group Policy node in GPEdit.msc (GPEdit.msc is one of the tools used to configure Group Policies):

The IE Group Policy node in GPEdit.msc

Group Policy allows you to create IE (and other software) configurations as a part of Group Policy objects (GPOs). The GPOs are linked to hierarchical Active Directory containers such as sites, domains, or organizational units. A client-side extension ensures that your policies are applied and refreshed regularly.

Tools

You might be wondering how to configure Group Policy? All the tools to configure create, manage, view, and troubleshoot GPOs are provided in your Windows operating system. Please check the Windows Server Group Policy site to find a list of the tools that are built into your OS.

The IE8 Deployment Guide, a very important resource itself, is now updated to include content for IE8 Beta 2. For instance, as there are more than a thousand IE GPs, configuring these policies for the first time may seem like a daunting task for a new IT Professional. For this very reason, the Group Policy section of the Deployment Guide has been updated to include recommended Group Policy settings for security, performance and compatibility with IE6 and IE7.

Group Policy support in IE8

In IE8, we have added more than 100 new Group Policies, bringing the total Group Policies supported in IE8 to 1300! Virtually all new IE8 features have Group Policy support, whether it is Compatibility View, Accelerators, or InPrivate Browsing Mode. These policies allow administrators to fully control IE8 features: hide the feature completely, preset the default, lock the user to only use the defaults, etc. For example, an administrator could turn off InPrivate Browsing by enabling the Turn off InPrivate Group Policy.

We understand that organizations have different needs. We provided extra granularity in the form of additional policies, so that features can easily be configured to best suit your needs. For instance, Compatibility View has five Group Policies:

  • Turn off Compatibility View
  • Turn off Compatibility View button
  • Turn on Internet Explorer 7 Standards Mode
  • Turn on Internet Explorer Standards Mode for Local Intranet
  • Use Policy List of Internet Explorer 7 sites

As an example, if you are confident all your internal line of business applications and web sites work best with IE8, you can enable Turn on Internet Explorer Standards Mode for Local Intranet Group Policy. This will overwrite the intranet standards mode to be IE8. As usual, each policy comes with descriptive explain text that allows you to fully understand what the policy has been designed to do.

The Explain Text for Turn on Internet Explorer Standards Mode for Local Intranet Group Policy:

The Explain Text to Turn on Internet Explorer Standards Mode for Local Intranet

IE8 plays an important role in helping protect users against a range of attacks by offering new security features like the SmartScreen Filter, Data URI and Encryption support.  All of these security features are GP enabled so the administrator can ensure their users are safe and secure in corporate environments.

Based on the feedback we received from customers, we have Group Policy enabled some of the legacy settings like secondary home pages, something that wasn’t available in IE7. We’ve also given extensive Group Policy support for the Favorites Bar and Command Bar; an administrator now has firm control over how the IE UI will look.

We have refined our Group Policy support in this release and look forward to your feedback once you’ve had a chance to try it out.

Thanks,

Jatinder Mann
Program Manager

Comments (28)

  1. Interesting! Thanks for this wonderful blog, Microsoft! :o)

  2. so glad says:

    So glad that I will never work in an environment that locks down PCs with crud like this.

    So glad!

    I can and will install any browser I want, thus get the best browsing experience.

    Install whatever text editor I want, email client, RSS feed agregator, etc.

    Most offices these days that do have an IT Admin have the option to "sign out" of this kind of mess.

  3. Eden says:

    @glad

    Maybe you are so smart… Or maybe you haven’t worked at any big companies, where there are people other than developers.

  4. so glad says:

    @Eden: I’ve worked at companies big and small, as a developer, and as many other roles.

    If my PC is ever locked down, I will serve my 2 weeks notice that day.

  5. John says:

    For God’s sake, make the Ctrl+S shortcut work again, like in every sane applications out there!

  6. Yaroukh says:

    make the world a favour and drop this crappy browser

  7. I am not sure why people have to complain so much.

    Personally, I’m happy to see these *corporate* improvements for organizations. I work in an IT environment with thousands of computers, and it would be insane *not* to have such lockdown support. If people are picky, they should go back to selling lemonade from their driveway.

  8. Hi All, For those of you who might be new to Group Policy, here is a quick background. Let’s first assume

  9. ITAdmin says:

    "I can and will install any browser I want, thus get the best browsing experience.

    Install whatever text editor I want, email client, RSS feed agregator, etc."

    … and be responsible for security risks associated with that software? After all, it is you who introduced the software to your company’s network. I assume you would pay out of your own pocket for any incurred damages?

  10. Bram says:

    Microsoft, why do I need always so much ‘rights’ to do things… This starts with simply cutting and pasting text from/into IE7. That’s ridicoulus….

    ———————-

    Brought to you by <a href="http://www.nokian97.nl&quot; rel="dofollow">n97</a>

  11. Gotta fix this says:

    Browser is looking good so far, but you REALLY need to fix this one.

    When you first open IE, the compatibility mode button is missing for just a moment. What happens is when you go to click on the dropdown menu, just enough time has passed to cause that button to appear, and the address bar dropdown jumps over a little and the compatibility button takes it’s place. Because of the timing, you end up clicking on the compat-button and changing the page, which means you have to click it again to change it back before you can actually go where you need to go.

    Anyways, keep up the good work.

  12. dave says:

    @ITAdmin uh, yeah, sure… not.

    The way it works in most offices is that you do one of the following.

    1.) Ask to install application x/y.

    (e.g. users ask to install Firefox or Chrome to better their browsing power/experience)

    2.) Ask to get "admin" on your laptop/workstation. This usually requires sign off (physically) that you are taking on the "tech support" role by doing so, and/or that if you need tech support, you are at the bottom of the queue.

    I’ve got nothing against having some company policies in place… "e.g. no installing Bonzi Buddy, etc." but locking down a users system is usually more pain than it is worth.

    I worked at a place that locked out the "Task Manager"… so I couldn’t kill an application that hung. (read: abuse of IT administration)

    I asked for this to be unlocked or the ability to do this for a specific app (that would hang 2-3 times a week)

    IT administration turned down my request, I raised it to management, they sided with IT.

    I think they regretted it though. 5 people from a 6 person department walked off the job that day.

    dave

  13. x-bel says:

    Hi. Sorry for the offtop..

    My problem is, I cannot uninstall IE8 beta 1, cuz i’ve installed SP1 (on VIsta) after IE8, so it is not listed as an update anymore. Any advice please?, apart from waiting for an automatic update utility..

  14. @dave

    Sounds like a bad experience, and I really do feel for you. It doesn’t sound like a Microsoft problem, though… it sounds like a company problem. Microsoft provides the tools; companies use (or abuse) them.

  15. andrew says:

    Sounds like a bad experience 🙂

  16. bill says:

    After installing IE8 beta…my McAfee now has BLANK home screens and blank dialog box pop ups.  McAfee says its a known IE 8 issue.  How can I uninstall IE8beta…I dont see it in the control panel.

  17. pablo says:

    Woot! the bug hunt is on!

    Someone has found a Fish Bicycle bug in (all versions of) Internet Explorer!

    You can try to guess what it is over at Web Bug Track

    http://webbugtrack.blogspot.com/2008/10/internet-explorer-first-to-need-fish.html

    There’s no prize to be won if you guess/find it but if anyone can please do I’m dying to know what this bug is.

    pablo

    ASP.net developer

  18. Where to me to search rules? I do not see section

  19. Where to me to search rules? I do not see section

  20. nicewheni says:

    Howdy all! I’m the new kid on the block – how’s things going?

  21. This afternoon, Internet Explorer General Manager Dean Hachamovitch has announced the immediate availability

  22. We’re excited to make the IE8 Release Candidate available today for public download today in 25 languages

  23. We’re excited to make the IE8 Release Candidate available today for public download today in 25 languages

  24. IEBlog says:

    We’re excited to make the IE8 Release Candidate available today for public download today in 25 languages

  25. Internet Explorer 8 Release Candidate 1 was launched last Tuesday. IE8 is focused on how people really

  26. IEBlog says:

    Over the last year, we’ve published two posts about how the IE8 SmartScreen ® filter helps to prevent