Overview of Internet Explorer Group Policies

Overview of Internet Explorer Group Policies

  • Comments 10
  • Likes

Today we're going to discuss IE Group Policies.  If you're unfamiliar with Group Policies, I highly recommend that you read our earlier post on the Basics of Group Policies.  When dealing with IE group policies, there are two types of settings to consider - IE Maintenance and IE Administrative templates.  Let's look at IE Maintenance policies first.

IE Maintenance policies are a collection of registry settings and files that can be used to configure either mandatory or default settings for IE.  The IE Maintenance Extension leverages the Internet Explorer Administration Kit (IEAK) management infrastructure to configure IE.  The settings for these policies are located in User Configuration\Windows Settings\Internet Explorer Maintenance.  The IE Maintenance Extension uses two sets of extensions, a snap-in extension to the GPO editor (ieaksie.dll) and a Client-Side Extension (iedkcs32.dll).  IE Maintenance settings can be set in two different modes, Policy mode or Preference mode.  The mode setting for IE Maintenance extension settings is exclusive within a GPO - policy and preference mode settings cannot coexist in the same GPO.

Policy mode sets mandatory IE settings and is used to enforce security, interface and other IE settings.  The settings are reapplied either when the GPO is forcefully reapplied, or when the policy changes.  Although a user may make some changes to the settings while they are in IE, the next time the policy is reapplied (for example at system startup), these changes will be reverted to the policy settings.

By contrast, Preference mode sets the default IE settings for user the first time that the GPO is applied to the machine.  Thus, the starting configuration for the users is the same at first, but they are able to personalize their configuration. 

image Preference Mode allows for one time branding. Even if an Administrator modifies the IE Maintenance Policy to make changes to the policy in Preference mode, they will not be applied unless the the browser options are reset.  Preference mode enables two additional groups of settings - Corporate and Internet as shown in the diagram. 

Corporate settings are used to configure temporary internet file settings, and download locations for ActiveX controls and Java code.  Internet settings are used to configure IE link and text colors, Autocomplete settings, how often IE checks for updates and other advanced settings.

When IE maintenance policies are configured, an install.ins file is created.  This file resides in the unique GUID subfolder for the policy in the SYSVOL folder of the domain controllers.  During user login this file is downloaded to the client when the IE Maintenance policies are applied.  The file resides in the Application Data\Microsoft\Internet Explorer\Custom Settings\Custom# folder.  If there are multiple IE maintenance policies being applied, then there will be multiple Custom# folders.  The install.ins file may also be applied from IEAK packages or from the Internet Connection Wizard.

image Now let's take a look at IE Administrative Template policies.  These policies are used to configure IE via registry based policies using .ADM files.  The standard IE settings are located in the GPO editor under (Computer or User)\Administrative Templates\Windows Components\Internet Explorer as shown in the diagram.  The client side extension that processes the .ADM files and registry settings is userenv.dll.  Similar to normal group policies, the user cannot override these settings.  When the policy is created, a REGISTRY.POL file will be placed in the unique GUID subfolder for the policy in the SYSVOL folder.  Depending on where the settings are configured within the policy, the file may be user or computer specific.

And that brings us to the end of our overview on IE Group policies.  In our next post on IE GPO's we'll take a look at troubleshooting IE Policy issues.

Until next time ...

Additional Resources:

- CC Hameed

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Thanks, CC.

    I've been here and done that, using multiple GP, the IEAK, login scripts, and default user settings to tweak the Internet Explorer settings (proxy settings/exceptions, zone security, membership in zones).

    Can you lay out for us what the order of operations is here?


  • The initial Internet Explorer configuration consists of a combination of copying a portion of the default user profile, as well as HKEY_LOCAL_MACHINE registry entrys (Installed Components and per-user stub paths).

    Computer policies, if configured, would be applied during bootup.

    During user profile load, user settings are applied via winlogon calls to the IE client-side extension, iedkcs32.dll.  Logon scripts would be executed at about the same time.

    If IEAK customization files exist (Program Files\Internet Explorer\Custom), these settings are ‘branded’ using the same IE client-side extension.

    To summarize, the sequence of events would be:

    1) Default user profile and HKEY_LOCAL_MACHINE registry entries

    2) GPO (install.ins and any configured policies in the form of .inf files)

    3) Logon scripts

    4) IEAK customizations (install.ins and any configured policies in the form of .inf files)

    It would be advisable to use Group Policy exclusively and remove IEAK customizations and logon scripts to reduce the number of machine/user 'touches', if at all possible.

  • Apparently there is a limit (259?) to the amount of characters you can enter when configuring an Exception List in a GPO for "IE Maintenance> Connection> Proxy Settings>"  in order to bypass the proxy.  As far as I can tell the actual data is stored in the GPT file "install.ins".  I need to increase this limit by at least 2000 characters.  How do I do this.  I am a Sys Admin and not a programmer.

    Dexter Mahadeo

    Trinidad and Tobago

  • When you populate the proxy exceptions list by using automatic configuration with the Internet Explorer Administration Kit (IEAK) Profile Manager (version 4.x or 5), the maximum number of characters that can be passed back by the .ins file is 259.

    209252 Maximum Number of Characters That Can Be Specified in the Proxy Exceptions List


  • Is there any 'bleed-over' between IE security policy enforcement related to Java (e.g., the "Java permissions" setting) and non-IE invocation of Java?  For example, the Tripp-Lite PowerAlert application's console executes on the JRE (Jave Runtime Environment).  I suspect that the IE Java settings are interfering with the execution of this non-IE application.

  • Does all explorers  use dcom??   I am having trouble with dcom, for some time now, and I basically tried every thing to fix it.which makes my computer restart randomly.  So I was wondering if there is another explorer that doesn't use dcom, so I could try it to see if my trouble with dcom stops.   thanks!!!!

  • Is the limit of 259 character valid for IE 7 and 8 too?

  • Windows Server 2003 and WinXP SP2 with IE7 installed it will support 2064 characters with spaces. Same for newer OS and Browser versions.

  • I am having trouble with the performance speed and with the ability to attach files to e-mails. I have just installed IE8. What is going on?

  • I am still having problems with speed and attachments