How Internet Explorer Maintenance Extension Works

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this section

  • Internet Explorer Maintenance Extension Architecture

  • Internet Explorer Maintenance Extension Physical Structure

  • Internet Explorer Maintenance Extension Processes and Interactions

  • Related Information

The Internet Explorer Maintenance Extension of the Group Policy Object Editor enables administrators to define an Internet Explorer configuration as part of a Group Policy Object (GPO). The GPO is linked to Active Directory containers such as sites, domains, or organizational units (OUs), and enables management of the Internet Explorer configuration for multiple users on any computer joined to the domain that is capable of using Group Policy.

Deployment of Internet Explorer Maintenance Extension settings requires Group Policy in a Windows 2000 or Windows 2003 Active Directory environment, and Windows 2000 Professional or Windows XP clients.

Internet Explorer Maintenance Extension Architecture

The following figure illustrates the components important to the Internet Explorer Maintenance Extension.

Figure: Internet Explorer Maintenance Extension Architecture

These components are described in the following table. Components not seen in the figure, but important to the process, are also described.

Internet Explorer Maintenance Extension Logical Architecture Components

| Component | Description |
|---|---|
| Group Policy engine | The framework that manages and implements the Group Policy settings and configurations made by the administrator across all client-side extensions (CSEs). Userenv.dll is the Group Policy engine module. |
| Internet Explorer Maintenance client-side extension (CSE) | The component that is called by the Group Policy engine and that applies the Internet Explorer Maintenance settings. The Internet Explorer Maintenance CSE writes the relevant information into the registry. |
| WinLogon | The service that contains the Group Policy engine. |
| Resultant Set of Policy (RSoP) snap-in | Displays the results of Group Policy, including which Group Policy settings have been applied and when they were last applied. For more information about RSoP, see “What Is Resultant Set of Policy?” |
| Local GPO | Contains Group Policy settings for the local computer, including potential Internet Explorer Maintenance policies. |

The CSE registration information is written at setup to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions registry key. This registry key structure exists on both the target and domain controller systems.

Internet Explorer Maintenance Extension Physical Structure

Understanding where Internet Explorer Maintenance Extension policy settings are stored and how they are structured can help you troubleshoot problems you might encounter when you implement Internet Explorer Maintenance. Although GPOs can be linked to sites, domains, and OUs, they are stored only in the domain. See the “How Core Group Policy Works” topic in this collection for more information about how Group Policy stores its data.

The following table lists the setting types and the locations where Internet Explorer Maintenance Extension policy configuration files are stored on both the local computer and the domain.

Physical Structure Components

| Setting Type | Policy File Name |
|---|---|
| Browser Title | \install.ins |
| Custom Bitmaps | \install.ins; \Branding\Logo\<<small logo file name>>; \Branding\Logo\<<big logo file name>>; \Branding\Animbmp (empty folder created) |
| Toolbar Customization | \install.ins; \Branding\Btoolbar\<<color logo file name>>; \Branding\Btoolbar\<<grayscale logo file name>>; \Branding\Toolbmp\<<toolbar bmp file name>> |
| Connection Settings | \install.ins; \Branding\cs\connect.set; \Branding\cs\cs.dat |
| Automatic Browser Configuration | \install.ins |
| Proxy Settings | \install.ins |
| User Agent String | \install.ins |
| Favorites and Links | \install.ins |
| Important URLs | \install.ins |
| Security Zones | \install.ins; \Branding\Zones\seczones.inf; \Branding\Zones\seczrsop.inf |
| Content Ratings | \install.ins; \Branding\Ratings\ratings.inf; \Branding\Ratings\ratrsop.inf |
| Authenticode Settings | \install.ins; \Branding\Authcode\authcode.inf |
| Programs | \install.ins; \Branding\Programs\programs.inf |
| Corporate Settings | \Branding\Adm\inetcorp.adm; \Branding\Adm\inetcorp.inf |
| Internet Settings | \Branding\Adm\inetset.adm; \Branding\Adm\inetset.inf |

Domain policy settings use the Fully Qualified Domain Name (FQDN) to reference GPOs. There are two main paths where the configuration files are stored:

  • Domain policy files are stored in the folder \\FQDN\Sysvol\FQDN\Policies\<GPOGUID>\User\Microsoft\IEAK

  • Local Machine policy files are stored in the folder %windir%\System32\GroupPolicy\User\Microsoft\IEAK

The following figure shows the files used by the Internet Explorer Maintenance Extension and where they are stored on both the domain controller and client computers.

Figure: Internet Explorer Maintenance Extension File Storage

Internet Explorer Maintenance Extension Processes and Interactions

When working with Internet Explorer Maintenance settings, you can use one of two interfaces. To configure Internet Explorer Maintenance Extension settings, use the Group Policy Object Editor. Use the Group Policy Management Console (GPMC) to view the Internet Explorer Maintenance Extension settings contained within a GPO.

Using Group Policy Object Editor with Internet Explorer Maintenance

To configure Internet Explorer Maintenance settings, an Administrator sets up Internet Explorer on a client computer with the settings to be included in the GPO. The Administrator then uses the Group Policy Object Editor to import the settings for the Security Zones, Content Ratings, Authenticode Settings, Programs, and Connection Settings areas of the Internet Explorer Maintenance Extension and saves them as part of a GPO. The following figure shows the Internet Explorer Maintenance Extension interface used to import Connection Settings into a GPO.

Figure: Importing Internet Explorer Settings

Configuring and Importing Internet Explorer Maintenance Settings to a GPO

Administrators import settings from the appropriate settings dialog boxes in the Internet Explorer Maintenance extension of Group Policy Object Editor. The following things occur when the settings are imported:

  • The IEAK Engine (ieakeng.dll) hosts the Internet Options Control Panel (inetcpl.cpl), which then reads the current settings from the registry.

  • The Administrator then modifies the settings using the user interface of inetcpl.cpl.

  • When the settings are saved, they are written back to the registry by inetcpl.cpl. Ieakeng.dll then imports them to the appropriate GPO files.

The following figure illustrates the process of importing Internet Explorer Maintenance Extension settings.

Figure: Importing Internet Explorer Settings in XP

Note

  • If an administrator tries to view the settings in a GPO by clicking Modify Settings, the current settings from the registry, instead of the GPO, are immediately imported. Clicking OK then overwrites the settings stored in the GPO with the settings in effect on the client, deleting the settings previously contained in the GPO. In this event, the administrator cannot view the GPO to find out what the previous settings were. It then becomes difficult to reconfigure the settings.

Using the Group Policy Management Console to View a GPO

To avoid overwriting the Internet Explorer Maintenance settings in a GPO, use GPMC to view the Internet Explorer Maintenance settings. GPMC runs on Windows XP Professional SP1 and Windows Server 2003 computers, and can manage Group Policy in either Windows 2000 or Windows Server 2003 domains. To see the settings contained in a GPO using GPMC, an Administrator views the Settings tab of the GPO as shown in the following figure.

Figure: Viewing Internet Explorer Maintenance Settings in GPMC

Applying GPO Settings to a Client Computer

The Internet Explorer Maintenance Extension uses the Internet Explorer Administration Kit (IEAK) infrastructure for both storage of settings and application to the client system.

When Group Policy is applied, Client-Side Extensions process the GPO. Internet Explorer Maintenance settings are handled by the Internet Explorer branding DLL (iedkcs32.dll). The Group Policy CSE invokes iedkcs32.dll, and two things happen:

  1. The Group Policy CSE copies all IEAK settings files created using Internet Explorer Maintenance, listed in the previous Physical Structure Components table, to the following locations:

    Documents and Settings\<<username>>\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\

    and

    Documents and Settings\<<username>>\Application Data\Microsoft\Network\Connections\pbk\Rasphone.pbk (for connection settings)

    Note that the policy’s directory structure shown in the previous Physical Structure Components table is not replicated.

  2. The Branding DLL then applies the settings from the downloaded files to the registry on the client system. There are four possible locations for the registry settings:

    • HKLM\Software\Policies (preferred)

    • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies

    • HKCU\Software\Policies (preferred)

    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

    These locations have security permissions that a standard user cannot modify in order to change applied policy settings. These keys are created the first time a GPO configures them.

Because the IEAK settings files are stored in the user’s profile, the user has full-access permissions and can modify their contents. When the GPO is updated, the files are copied from the policy’s directory structure back to the user profile and any changes the user might have made are overwritten. Although users can modify files in their own profile, executing the .inf file returns an “Access is denied” error if it attempts to write settings to a key located in the secure registry branches previously specified.

If the user has a roaming profile, the IEAK settings files in the profile can be applied when roaming. This happens if a roaming profile user logs on to the network from a computer that can’t use Group Policy, or from one that isn’t linked to a GPO containing Internet Explorer Maintenance Extension settings. If a user has manually changed the Internet Explorer Maintenance Extension settings located in their user profile, the user’s settings are applied to the computer. This can circumvent browser and security settings configured by the administrator. However, any settings appropriately locked down in the registry (such as security and connection settings) do not have this problem.
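The modified-profile scenario above can be checked by hashing each file in a user's Custom0 folder against the GPO's source copy. The following PowerShell is an added example, not part of the original documentation; the function name Compare-IemCache and its parameters are hypothetical, the demo files are constructed, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example: flag IEAK files in a user's profile cache that differ from the GPO source.
function Compare-IemCache {
    param(
        # GPO source folder: ...\Policies\<GPOGUID>\User\Microsoft\IEAK
        [Parameter(Mandatory)][string]$GpoIeakPath,
        # Per-user copy: ...\Internet Explorer\Custom Settings\Custom0
        [Parameter(Mandatory)][string]$ProfileCachePath
    )
    # The policy's folder structure is not replicated in the profile, so index
    # the GPO files by leaf name (assumes leaf names are unique within the GPO).
    $source = @{}
    Get-ChildItem -LiteralPath $GpoIeakPath -Recurse -File | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $source[$_.Name.ToLowerInvariant()] = $hash
    }
    foreach ($file in Get-ChildItem -LiteralPath $ProfileCachePath -File) {
        $name = $file.Name.ToLowerInvariant()
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        if (-not $source.ContainsKey($name)) {
            $status = 'NotInGpo'      # file has no counterpart in the GPO
        } elseif ($source[$name] -ne $hash) {
            $status = 'Modified'      # content differs from the GPO copy
        } else {
            $status = 'Match'
        }
        [pscustomobject]@{ File = $file.Name; Status = $status }
    }
}

# Constructed demo: a stand-in GPO tree and profile cache in a temp folder.
# File contents are placeholders; only the hashes matter here.
$root  = Join-Path ([IO.Path]::GetTempPath()) ("iem-demo-" + [guid]::NewGuid())
$gpo   = Join-Path $root 'IEAK'
$cache = Join-Path $root 'Custom0'
New-Item -ItemType Directory -Path (Join-Path $gpo 'Branding\Zones'), $cache -Force | Out-Null
Set-Content -Path (Join-Path $gpo 'install.ins') -Value 'constructed GPO copy'
Set-Content -Path (Join-Path $gpo 'Branding\Zones\seczones.inf') -Value 'constructed zone settings'
Set-Content -Path (Join-Path $cache 'install.ins') -Value 'constructed GPO copy'
Set-Content -Path (Join-Path $cache 'seczones.inf') -Value 'edited in the profile'
Compare-IemCache -GpoIeakPath $gpo -ProfileCachePath $cache | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

In the demo, install.ins reports Match and seczones.inf reports Modified; a Modified file is the copy a roaming logon would apply on a computer that does not process the GPO.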

The following contains additional information that is relevant to this section.