Before we begin, please have a look at the previous articles in this series so you have a firm background of what we are trying to accomplish.
In this blog post we assume that you used the Internet Explorer Administration Kit (IEAK) and Active Directory Group Policy to deploy a custom build of Internet Explorer 9. Today we will pick up with the questions:
- How can I maintain an already deployed build of IE9?
- How can I lock down browser preferences?
Well, let’s get to work at answering those questions.
IEAK Configuration-Only Packages
Recall that the Media Selection screen of the Internet Explorer Customization Wizard enables us to create a configuration-only package. In contrast to the CD-ROM and File options, which give you a full-fledged Windows Installer (.MSI) build of IE9, the configuration-only package option has two chief deliverables: the .INS file that stores your custom build settings, and one or more component information (.CIF) files that contain metadata concerning custom IE9 components. Optionally, the package also includes a Microsoft Cabinet (.CAB) file that contains compressed installation files as well as additional build metadata.
Building a configuration-only package in IEAK
Contents of a configuration-only package
What can you do with a configuration-only package? Perhaps the best action is to configure your users for Automatic Browser Configuration and point them to a network share that contains your .INS file. (We will discuss Automatic Browser Configuration in more detail in a moment.)
Editing Existing IEAK Packages
We use the IEAK 9 Profile Manager to modify IEAK packages, regardless of whether you use the CD-ROM, File, or Configuration-Only Package option. Simply start Profile Manager, click File > Open, and browse to the location of the .INS file that you want to modify.
IEAK 9 Profile Manager
The Profile Manager interface is fairly self-explanatory if you already have experience with using the Internet Explorer Customization Wizard. Profile Manager simply gives you access to all the Customization Wizard options in a single, Windows Explorer-ish navigation tree.
When you save your changes, you may see the Save .INS file and .CAB files dialog box. This screen gives you another opportunity to configure Automatic Browser Configuration (Microsoft seems to be pretty insistent that we use it in our networks!).
Saving changes in IEAK Profile Manager
Enabling Automatic Browser Configuration
Alrighty then! Now that we’ve mentioned the mysterious “Automatic Browser Configuration” technology several times, why don’t we at last define what it means and how to set it up.
Basically, Automatic Browser Configuration (ABC) points your users’ IE9 browsers to a central location to fetch their browser settings. Once ABC is enabled, the client IE9 process will periodically check the centrally located .INS file to see if any changes have been made. If so (and regardless of whether the browser preference change has been made by the administrator to the .INS file or the user on his or her own workstation), ABC will re-apply the .INS settings to the user’s system.
Again, best practice is to specify your ABC settings during initial deployment package creation in the Internet Explorer Customization Wizard:
Specifying Automatic Browser Configuration in IEAK
Here we perform three primary actions:
- Enable Automatic Configuration
- Set a time interval for the client to check the server for changes
- Specify a URL that points to your .INS file. The syntax is http://server_name/share_name/insfile. That is, you don’t have to publish the .INS using IIS; storing the file(s) in a shared folder is sufficient.
Another place to specify ABC in IEAK is through Profile Manager. As you can see in Figure 3 in this article, you’ll find the ABC option beneath the Wizard Settings heading.
Third, we can specify ABC in the Internet Explorer Maintenance portion of a Group Policy Object. Open your desired GPO, navigate to User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection, and open the Automatic Browser Configuration policy.
Automatic Browser Configuration in Group Policy
I suppose the final way to go about enabling ABC on your users’ systems is to hard-code the ABC options in their IE9 browsers. This certainly isn’t a recommended option, but I suppose it would work okay for small networks.
To do this, open the Internet Options Control Panel, navigate to the Connections tab, and click LAN Settings. Enable the options Automatically detect settings and Use automatic configuration script. For the latter option, type your URL path to the central .INS file.
Specifying Automatic Browser Configuration on the client
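Because every client periodically re-applies whatever the central .INS file says, write access to that file amounts to control over every user's browser settings. The following PowerShell is an added example, not part of the original article: it lists the NTFS permissions that allow the file to be changed and compares its hash to a recorded baseline. The UNC path, the trusted-account list and the baseline value are placeholders, and Get-FileHash assumes PowerShell 4.0 or later.

```powershell
# Added example (not from the original article).
# Placeholders: adjust the path, trusted accounts and baseline to your environment.
$insPath  = '\\server_name\share_name\install.ins'
$trusted  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CORP\IE-Admins')
$baseline = '<SHA256-OF-APPROVED-INS>'

# Rights that let a principal alter or replace the file, plus the raw
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that can
# show up on inherited ACEs.
$changeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$changeMask   = [int]$changeRights -bor 0x10000000 -bor 0x40000000

function Get-InsWriter {
    param([Parameter(Mandatory)][string]$Path, [string[]]$Trusted = @())
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $changeMask) -eq 0) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Expected  = $Trusted -contains $ace.IdentityReference.Value
        }
    }
}

$writers = @(Get-InsWriter -Path $insPath -Trusted $trusted)
$writers | Sort-Object Expected | Format-Table -AutoSize

$unexpected = @($writers | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) unexpected principal(s) can change $insPath"
}

# A changed hash means clients will pick up different settings at their next check.
$hash = (Get-FileHash -LiteralPath $insPath -Algorithm SHA256).Hash
if ($hash -ne $baseline) {
    Write-Warning "Hash $hash differs from the approved baseline; review the .INS file"
}
# Share-level permissions are separate from NTFS ACLs and need their own review.
```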
Locking Down IE9
Recall that the purpose of IEAK is to deploy IE9 and/or set initial default preferences for your users. There is no “lockdown” inherent in the IEAK schema. If we have IT security policies that require that we disable certain functionality in IE9, then we must turn to Group Policy to accomplish this goal.
Recall, also, that IE9 does not ship with either Windows Server 2008 R2 or Windows 7. Therefore, the question arises as to how we can control IE9-specific features by using Group Policy.
The good news is that Microsoft provides us with the IE9 Group Policy template files upon initial installation of IE9 on our systems—isn’t that convenient? The Group Policy template in particular is named inetres.admx, and is located in the path %WINDIR%\PolicyDefinitions.
In order to make this Group Policy template available in the Group Policy Editor in Windows Server 2008 R2, we must first copy the appropriate files from %WINDIR%\PolicyDefinitions to our Group Policy Central Store. The Central Store is located under %SYSVOL% on your Windows Server 2008 R2 domain controllers. You can see an example of the copy operation in Figure 8.
Adding the IE9 Group Policy templates to the Central Store in AD
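The copy operation described above can also be scripted. This PowerShell is an added example, not part of the original article: it copies inetres.admx and its language resource file into the Central Store and confirms each copy by hash. The en-US language folder is an assumption, as is PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not from the original article).
# Assumptions: run on a machine with IE9 installed, by an account that can
# write to SYSVOL; en-US is a placeholder for your language folder.
$domain   = $env:USERDNSDOMAIN
$source   = Join-Path $env:WINDIR 'PolicyDefinitions'
$central  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$language = 'en-US'

# inetres.admx holds the policy definitions; inetres.adml holds the strings
# the Group Policy editor displays for them.
$files = @('inetres.admx', (Join-Path $language 'inetres.adml'))

function Get-Sha256([string]$Path) {
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

foreach ($relative in $files) {
    $from = Join-Path $source  $relative
    $to   = Join-Path $central $relative
    if (-not (Test-Path -LiteralPath $from)) {
        Write-Warning "Not found: $from"
        continue
    }

    $status = 'Copied'
    if ((Test-Path -LiteralPath $to) -and ((Get-Sha256 $from) -eq (Get-Sha256 $to))) {
        # Nothing to do: the Central Store already holds this exact file.
        $status = 'AlreadyCurrent'
    } else {
        # Create the Central Store (or its language subfolder) on first use.
        $dir = Split-Path -Parent $to
        if (-not (Test-Path -LiteralPath $dir)) {
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
        }
        # -Force overwrites an existing template, so check that the local
        # copy is the version you want every GPO editor in the domain to use.
        Copy-Item -LiteralPath $from -Destination $to -Force
        if ((Get-Sha256 $from) -ne (Get-Sha256 $to)) { $status = 'HashMismatch' }
    }
    [pscustomobject]@{ File = $relative; Status = $status; Target = $to }
}
```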
Once you’ve transferred the IE9 template files to the Central Store and refreshed Group Policy/propagated Active Directory replication, you can open up your desired Group Policy Object (GPO) and navigate to Computer Configuration\Policies\Administrative Templates\Internet Explorer. You will see plenty of IE9-specific policies.
Controlling IE through Group Policy
Note that while the preference customization scope in IEAK is significant, you will find that you can control far more IE9 features by using Group Policy directly.
If you worked through every entry in this series, then I am entirely confident that you can now deploy and manage Internet Explorer 9 for your organization. Thanks a lot for reading, and I look forward to receiving your feedback in the comments. Take care!