Internet Printing

(Note: This topic describes not just Windows XP Professional with Service Pack 2, but also Windows XP Professional with Service Pack 3.)

On This Page

Benefits and Purposes of Internet printing
Overview: Using Internet Printing in a Managed Environment
How Internet Printing Communicates with Sites on the Internet
Controlling Internet Printing to Prevent the Flow of Information to and from the Internet
Procedures for Disabling Internet Printing
Related Links

Benefits and Purposes of Internet printing

Internet printing makes it possible for client computers running Microsoft Windows XP Professional with Service Pack 2 (SP2) to use printers located anywhere in the world by sending print jobs using Hypertext Transfer Protocol (HTTP).

Additionally, computers running Windows XP can use Microsoft Internet Information Services (IIS) or a Web peer server to create a Web page that provides information about printers and provides the transport for printing over the Internet.

Overview: Using Internet Printing in a Managed Environment

You need to consider both the server and client components of Internet printing:

• Server: It is possible for a person who logs on as the administrator of a computer running Windows XP to install IIS and then configure that computer to act as a print server, allowing Internet printing. In a managed environment, you may want to prevent users from logging on as administrators so they cannot install IIS. You may also want to disable the Internet printing functionality of IIS, or properly secure IIS and Internet printing so that they are available only to authorized users.

• Client: Client computers can install an Internet printer using a Web browser, the Add Printer Wizard, or the Run dialog box. In order to prevent Internet printing, you must remove the ability for users to add an Internet printer.

Details on how to configure your Windows XP implementation to achieve these goals can be found later in this section.

How Internet Printing Communicates with Sites on the Internet

The Internet printing process is as follows:

1. A user connects to a print server over the Internet by typing the URL for the print device.

2. The HTTP request is sent over the Internet to the print server.

3. The print server requires the client to provide authentication information. This ensures that only authorized users print documents on the print server.

4. After a user has authorized access to the print server, the server presents status information to the user by using Active Server Pages (ASP), which contain information about currently available printers.

5. When the user connects to any of the printers on the Internet printing Web page, the Windows XP client first tries to find a driver for the printer locally. If an appropriate driver cannot be found, the print server generates a cabinet file (.cab file, also known as a setup file) that contains the appropriate printer driver files. The print server downloads the .cab file to the client computer. The user on the client computer is prompted for permission to download the .cab file.

6. After users connect to an Internet printer, they can send documents to the print server by using Internet Printing Protocol (IPP).

Communication for Internet printing uses IPP and HTTP (or HTTPS) over any port that the print server has configured for this service. Because the service is using HTTP or HTTPS, this is typically port 80 or port 443. Because Internet printing does support HTTPS traffic, communication can be encrypted, depending on the user’s Internet browser settings.

Client computers running Windows XP can use Internet printing by default. Users must be authenticated by the print server, however, before they can use any of the printers connected to that server. If you install IIS on Windows XP (which requires being logged on as an administrator), Internet printing is automatically enabled as a feature of IIS. As described earlier, you can disable or restrict computers running Windows XP from hosting Internet printing through a variety of methods. See the following subsections for additional details.

The print server can use IIS and other technologies to collect and log extensive data about the user, the computer that sends the printing request, and the request itself. It is beyond the scope of this white paper to describe Web site operations and the specifics of what type of information can be collected. For more information about IIS and other related resources, see "Internet Information Services in Windows XP with SP2" in this white paper.

Controlling Internet Printing to Prevent the Flow of Information to and from the Internet

Client Computers

To prevent the use of Internet printing from a client computer running Windows XP, you can configure Group Policy.

Print Servers

As described earlier, only a person logged on as an administrator on a computer running Windows XP can install IIS and configure that computer to act as a print server. In order to control this, you can:

• Prevent users from logging on as administrators, which prevents them from installing IIS (recommended)

• Use Group Policy to disable Internet printing when IIS is installed

• Restrict access to the printer to limited user IDs

Procedures for Disabling Internet Printing

Procedures for Disabling Internet Printing on a Client Computer Running Windows XP

To prevent users from using Internet printing on a client computer running Windows XP, use Group Policy as described in the following procedure.

To Disable Internet Printing on a Computer Running Windows XP by Using Group Policy

1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates,” for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.

2. If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, click Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, click User Configuration.

3. Click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings.

4. In the details pane, double-click Turn off printing over HTTP, and then click Enabled.

   Important   You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management or in User Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."

During the process of Internet printing, print drivers might be downloaded to a client, as described in “How Internet Printing Communicates with Sites on the Internet,” earlier in this section. To prevent this type of download of print driver to computers running Windows XP with SP2, use Group Policy as described in the following procedure.

To Prevent the Downloading of Print Drivers over HTTP to Computers Running Windows XP by Using Group Policy

1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates,” for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.

2. If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, click Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, click User Configuration.

3. Click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings.

4. In the details pane, double-click Turn off downloading of print drivers over HTTP, and then click Enabled.

   Important   You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management or in User Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."

Procedures for Disabling Internet Printing on a Computer Running IIS

We recommend that you prevent users from logging on as administrators, which will prevent them from installing IIS on computers not specifically designated as Internet servers. More details on how to achieve this can be found in "Internet Information Services in Windows XP with SP2" in this white paper.

For those computers that are running IIS, you can disable Internet printing if this is appropriate for your installation. The following procedure describes how to do this through Group Policy.

To Disable Internet Printing Using Group Policy

1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO.

2. Click Computer Configuration, click Administrative Templates, and then click Printers.

3. In the details pane, double-click Web-based Printing.

4. Select Disabled.

Related Links

For general information about Group Policy, see Appendix B, "Learning About Group Policy and Updating Administrative Templates."

To learn about specific Group Policy settings that can be applied to computers running Windows XP, see the Group Policy Settings Reference on the Microsoft Web site at:

https://go.microsoft.com/fwlink/?LinkId=29911

For more information about the use of IIS in a controlled environment, see "Internet Information Services in Windows XP with SP2" in this white paper.

For more information about Internet printing, see the following sources:

• Article 323428, “HOW TO: Configure Internet Printing in Windows Server 2003” in the Microsoft Knowledge Base at:

  https://go.microsoft.com/fwlink/?LinkId=29209

• “Effectively Using IPP Printing” on the Microsoft Windows Server 2003 Web site at:

  https://go.microsoft.com/fwlink/?LinkId=29131