Group Policy and Internet Explorer 8

There are approximately 1300 Group Policies for managing Windows® Internet Explorer® 8. Configuring these for the first time may seem like a daunting task. This section provides recommendations for the following important areas: security, performance, and compatibility with Internet Explorer 7 and Internet Explorer 6. This section also lists all the new Group Policies added in Internet Explorer 8.

The Group Policies are listed with information on the policy setting name, scope, and policy path. The policy setting name gives a short description of what the policy does. For more information about each policy, see the policy explain text provided in the Group Policy editor. Group Policies can be set in either Machine or User scope. Machine policy takes precedence over user policy. Finally, the policy path is where the policy is located under the Administrative Templates in the Group Policy editor.

New Group Policies added in Internet Explorer 8

The following table lists the new Group Policies in Internet Explorer 8.

| Feature | Policy setting name | Scope | Policy path |
|---|---|---|---|
| Accelerators | Turn off Accelerators | User, Machine | Windows Components\Internet Explorer\Accelerators |
| | Deploy non-default Accelerators | User, Machine | Windows Components\Internet Explorer\Accelerators |
| | Deploy default Accelerators | User, Machine | Windows Components\Internet Explorer\Accelerators |
| | Use Policy Accelerators | User, Machine | Windows Components\Internet Explorer\Accelerators |
| ActiveX® | Turn off ActiveX Opt-In Prompt | User, Machine | Windows Components\Internet Explorer |
| | Only use the ActiveX Installer Service for installation of ActiveX controls | User, Machine | Windows Components\Internet Explorer |
| | Only allow approved domains to use ActiveX without prompt | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security\PER ZONE |
| | Disable Per-User Installation of ActiveX Controls | User, Machine | Windows Components\Internet Explorer |
| AJAX | Turn off Cross Domain Request Object | User, Machine | Windows Components\Internet Explorer\Security Features |
| | Turn off Cross Document Messaging | User, Machine | Windows Components\Internet Explorer\Security Features |
| | Maximum number of connections per server (HTTP 1.0) | User, Machine | Windows Components\Internet Explorer\Security Features\AJAX |
| | Maximum number of connections per server (HTTP 1.1) | User, Machine | Windows Components\Internet Explorer\Security Features\AJAX |
| Automatic Crash Recovery | Turn off Automatic Crash Recovery Prompt | User, Machine | Windows Components\Internet Explorer |
| | Turn off Reopen Last Browsing Session | User, Machine | Windows Components\Internet Explorer |
| Caret Browsing support | Turn on Caret Browsing support | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Compatibility View | Turn on Internet Explorer 7 Standards Mode | User, Machine | Windows Components\Internet Explorer\Compatibility View |
| | Turn off Compatibility View | User, Machine | Windows Components\Internet Explorer\Compatibility View |
| | Turn on Internet Explorer Standards Mode for Local Intranet | User, Machine | Windows Components\Internet Explorer\Compatibility View |
| | Use Policy List of Internet Explorer 7 Sites | User, Machine | Windows Components\Internet Explorer\Compatibility View |
| | Turn off Compatibility View button | User, Machine | Windows Components\Internet Explorer\Compatibility View |
| | Include updated Web site lists from Microsoft | User, Machine | Windows Components\Internet Explorer\Compatibility View |
| Data Execution Prevention | Turn off Data Execution Prevention | User, Machine | Windows Components\Internet Explorer\Security Features |
| Data URI Support | Turn off Data URI Support | Machine | Windows Components\Internet Explorer\Security Features |
| Delete Browsing History | Prevent Deleting Web sites that the User has Visited | User, Machine | Windows Components\Internet Explorer\Delete Browsing History |
| | Prevent Deleting Temporary Internet Files | User, Machine | Windows Components\Internet Explorer\Delete Browsing History |
| | Prevent Deleting Cookies | User, Machine | Windows Components\Internet Explorer\Delete Browsing History |
| | Prevent Deleting Favorites Site Data | User, Machine | Windows Components\Internet Explorer\Delete Browsing History |
| | Prevent Deleting InPrivate Blocking data | User, Machine | Windows Components\Internet Explorer\Delete Browsing History |
| | Configure Delete Browsing History on exit | User, Machine | Windows Components\Internet Explorer\Delete Browsing History |
| Developer Tools | Turn off Developer Tools | User, Machine | Windows Components\Internet Explorer\Toolbars |
| Encryption support | Turn off Encryption Support | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Favorites Bar | Turn off Favorites Bar | User, Machine | Windows Components\Internet Explorer |
| InPrivate Filtering | Turn off InPrivate Filtering | User, Machine | Windows Components\Internet Explorer\InPrivate |
| | Do not collect InPrivate Filtering data | User, Machine | Windows Components\Internet Explorer\InPrivate |
| | InPrivate Filtering threshold | User, Machine | Windows Components\Internet Explorer\InPrivate |
| | Disable toolbars and extensions when InPrivate Filtering starts | User, Machine | Windows Components\Internet Explorer\InPrivate |
| | Turn off InPrivate Browsing | User, Machine | Windows Components\Internet Explorer\InPrivate |
| HTTP 1.1 | Use HTTP 1.1 | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| | Use HTTP 1.1 through proxy connections | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| New Tab behavior | Configure new tab page default behavior | User, Machine | Windows Components\Internet Explorer |
| Printing | Turn off printing menu | User | Windows Components\Internet Explorer\Browser Menu |
| RSS Feeds | Turn on Basic feed authentication over HTTP | User, Machine | Windows Components\RSS Feeds |
| Search Provider | Turn off suggestions for all user-installed providers | User, Machine | Windows Components\Internet Explorer |
| | Turn off the activation of the quick pick menu | User, Machine | Windows Components\Internet Explorer |
| | Turn off Windows Search AutoComplete | User, Machine | Windows Components\Internet Explorer\Internet Settings\AutoComplete |
| Secondary Home Pages | Disable changing secondary home page settings | User | Windows Components\Internet Explorer |
| Security | Turn off cross-site scripting filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\<multiple zones> |
| | Turn on warn about Certificate Address Mismatch | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| SmartScreen® Filter | Prevent Bypassing SmartScreen Filter Warnings | User, Machine | Windows Components\Internet Explorer |
| | Turn off Managing SmartScreen Filter | User, Machine | Windows Components\Internet Explorer |
| | Use SmartScreen Filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\PER ZONE |
| Suggested Sites | Turn on Suggested Sites | User | Windows Components\Internet Explorer |
| Tab Grouping | Turn off Tab Grouping | User | Windows Components\Internet Explorer |
| Tab process growth | Set tab process growth | User, Machine | Windows Components\Internet Explorer |
| Toolbars | Lock all toolbars | User, Machine | Windows Components\Internet Explorer\Toolbars |
| | Hide the command bar | User, Machine | Windows Components\Internet Explorer\Toolbars |
| | Hide the status bar | User, Machine | Windows Components\Internet Explorer\Toolbars |
| | Set location of Stop and Refresh buttons | User, Machine | Windows Components\Internet Explorer\Toolbars |
| | Use large icons for command buttons | User, Machine | Windows Components\Internet Explorer\Toolbars |
| | Customize command button labels | User, Machine | Windows Components\Internet Explorer\Toolbars |
| Web Slices | Turn off the feed and Web Slices list | User, Machine | Windows Components\RSS Feeds |
| | Turn off background sync for feeds and Web Slices | User, Machine | Windows Components\RSS Feeds |
| | Turn off addition and removal of feeds and Web Slices | User, Machine | Windows Components\RSS Feeds |
| | Turn off feed and Web Slices discovery | User, Machine | Windows Components\RSS Feeds |

By default, Internet Explorer 8 settings are configured to balance security, privacy, and compatibility. In your environment, it may be appropriate to adjust security settings to improve security.

You can restrict users from making configuration changes by configuring the following policies.

| Policy setting name | Policy path |
|---|---|
| Disable the Security Page | Windows Components\Internet Explorer\Internet Control Panel |

By enabling the SmartScreen Filter, you can help protect users from malicious sites that conduct phishing attacks or attempt to download malicious software. By configuring the “Prevent bypass” setting, you can prevent users from inadvertently ignoring SmartScreen warnings for known-malicious sites.

| Policy setting name | Policy path |
|---|---|
| Prevent Bypassing SmartScreen Filter Warnings | Windows Components\Internet Explorer |
| Turn off Managing SmartScreen Filter | Windows Components\Internet Explorer |
| Use SmartScreen Filter | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Use SmartScreen Filter | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone |
| Use SmartScreen Filter | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone |
| Use SmartScreen Filter | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Zone |
| Use SmartScreen Filter | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Zone |
| Use SmartScreen Filter | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone |
| Use SmartScreen Filter | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone |

Malicious or defective add-ons can cause browser performance or security problems. You can configure Group Policies to restrict which add-ons may be installed or run.

| Policy setting name | Policy path |
|---|---|
| Allow third-party browser extensions | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Add-on List | Windows Components\Internet Explorer\Security Features\Add-on Management |
| Deny all add-ons unless specifically allowed in the Add-on List | Windows Components\Internet Explorer\Security Features\Add-on Management |
| All Processes | Windows Components\Internet Explorer\Security Features\Add-on Management |
| Process List | Windows Components\Internet Explorer\Security Features\Add-on Management |
| Do not allow users to enable or disable add-ons | Windows Components\Internet Explorer |

Help ensure that users are not spoofed by fraudulent certificates or unsigned software by configuring the following policies:

| Policy setting name | Policy path |
|---|---|
| Prevent ignoring certificate errors | Windows Components\Internet Explorer\Internet Control Panel |
| Check for server certificate revocation | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Check for signatures on downloaded programs | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Allow software to run or install even if the signature is invalid | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Turn on warn about certificate address | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |

Control which HTTPS algorithms are enabled using the “Turn off encryption support” policy.

| Policy setting name | Policy path |
|---|---|
| Turn off encryption support | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |

By configuring the Site-to-Zone assignment list, you can control which security zone settings are applied to specified sites.

| Policy setting name | Policy path |
|---|---|
| Site to Zone Assignment List | Windows Components\Internet Explorer\Internet Control Panel\Security Page |

Depending on your needs, you may wish to restrict the following zone settings to reduce attack surface.

| Policy setting name | Policy path |
|---|---|
| Internet Explorer Processes | Windows Components\Internet Explorer\Security Features\Local Machine Zone Lockdown Security |
| Internet Explorer Processes | Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install |
| Download signed ActiveX controls | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Download unsigned ActiveX controls | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Do not prompt for client certificate selection when no certificates or only one certificate exists | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Run .NET Framework-reliant components signed with Authenticode | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Run .NET Framework-reliant components not signed with Authenticode | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Do not prompt for client certificate selection when no certificates or only one certificate exists | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone |
| Run .NET Framework-reliant components signed with Authenticode | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone |
| Run .NET Framework-reliant components not signed with Authenticode | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone |
| Allow font downloads | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone |
| Locked-Down Internet Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Internet Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Locked-Down Intranet Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Intranet Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Locked-Down Local Machine Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Local Machine Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Locked-Down Restricted Sites Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Restricted Sites Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Locked-Down Trusted Sites Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Trusted Sites Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Turn off ActiveX Opt-In Prompt | Windows Components\Internet Explorer |
| Only use the ActiveX Installer Service for installation of ActiveX controls | Windows Components\Internet Explorer |
| Only allow approved domains to use ActiveX without prompt | Windows Components\Internet Explorer\Internet Control Panel\Security\PER ZONE |
| Disable Per-User Installation of ActiveX Controls | Windows Components\Internet Explorer |

To reduce application and Web site compatibility issues, or to reduce the learning curve for users as they encounter new features, you may want to make Internet Explorer 8 behave as closely as possible to previous versions.

Compatibility with Internet Explorer 7

The following recommended settings for Group Policies will make Internet Explorer 8 behave as closely as possible to Internet Explorer 7.

Note: Turning off the Web Slice feature will also include turning off the RSS Feeds feature.

| Policy setting name | Settings | Arguments | Scope | Policy path |
|---|---|---|---|---|
| Turn off Accelerators | Enabled | n/a | User, Machine | Windows Components\Internet Explorer\Accelerators |
| Turn off COM Activities | Enabled | n/a | User, Machine | Windows Components\Internet Explorer\Accelerators |
| Turn off Connection Scaling | Enabled | n/a | User, Machine | Windows Components\Internet Explorer\Security Features |
| Turn off Automatic Crash Recovery Prompt | Enabled | n/a | User, Machine | Windows Components\Internet Explorer |
| Turn on Caret Browsing support | Disabled | n/a | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Turn on Internet Explorer 7 Standards Mode | Enabled | n/a | User, Machine | Windows Components\Internet Explorer\Compatibility View |
| Turn off Developer Tools | Enabled | n/a | User, Machine | Windows Components\Internet Explorer\Toolbars |
| Turn off InPrivate Browsing | Enabled | n/a | User, Machine | Windows Components\Internet Explorer\InPrivate |
| Turn off InPrivate Filtering | Enabled | n/a | User, Machine | Windows Components\Internet Explorer\InPrivate |
| Configure new tab page default behavior | Enabled | about:blank | User, Machine | Windows Components\Internet Explorer |
| Turn off suggestions for all user-installed providers | Enabled | n/a | User, Machine | Windows Components\Internet Explorer |
| Turn off the activation of the quick pick menu | Enabled | n/a | User, Machine | Windows Components\Internet Explorer |
| Turn on Suggested Sites | Enabled | n/a | User | Windows Components\Internet Explorer |
| Turn off background sync for feeds and Web Slices | Enabled | n/a | User, Machine | Windows Components\RSS Feeds |
| Turn off addition and removal of feeds and Web Slices | Enabled | n/a | User, Machine | Windows Components\RSS Feeds |
| Turn off feed and Web Slices discovery | Enabled | n/a | User, Machine | Windows Components\RSS Feeds |

The following list contains security features that were not available in Internet Explorer 7, but are available in Internet Explorer 8. If these features are causing application or Web site compatibility issues, consider turning them off through the listed Group Policies. It is important to understand the implications of this tradeoff. To learn more, see the Internet Explorer security site.

| Policy setting name | Scope | Policy path |
|---|---|---|
| Turn off Cross Domain Request Object | User, Machine | Windows Components\Internet Explorer\Security Features |
| Turn off Cross Document Messaging | User, Machine | Windows Components\Internet Explorer\Security Features |
| Turn off Data Execution Prevention | User, Machine | Windows Components\Internet Explorer\Security Features |
| Turn off Data URI Support | User, Machine | Windows Components\Internet Explorer\Security Features |

Compatibility with Internet Explorer 6

To make Internet Explorer 8 behave as closely as possible to Internet Explorer 6, you must apply the recommended Group Policies for compatibility with Internet Explorer 7, in addition to the following list of Group Policies specific for compatibility with Internet Explorer 6:

| Policy setting name | Settings | Arguments | Scope | Policy path |
|---|---|---|---|---|
| Turn off ClearType | Enabled | none | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Do not allow resetting Internet Explorer settings | Enabled | none | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Turn off friendly http error messages | Disabled | none | User | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |
| Turn off page transitions | Disabled | none | User | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |
| Turn on the display of a notification about every script error | Disabled | none | User | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |
| Turn off smooth scrolling | Disabled | none | User | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |
| Use UTF-8 for mailto links | Enabled | none | User, Machine | Windows Components\Internet Explorer\Internet Control Panel |
| Turn off sending URLs as UTF-8 (requires restart) | Disabled | none | User | Windows Components\Internet Explorer\Internet Settings\URL Encoding |
| Prevent the configuration of cipher strength update information URLs | Disabled | none | Machine | Windows Components\Internet Explorer\Internet Settings\Component Updates\Help Menu |
| Turn on the Internet Connection Wizard Auto Detect | Disabled | none | User | Windows Components\Internet Explorer\Internet Control Panel\Advanced settings\Internet Connection Wizard Settings |
| Add a specific list of search providers to the user's search provider list | Disabled | none | User, Machine | Windows Components\Internet Explorer |
| Turn on menu bar by default | Enabled | none | User, Machine | Windows Components\Internet Explorer |
| Customize User Agent String | Enabled | "MSIE6.0" | User, Machine | Windows Components\Internet Explorer |
| Prevent "Fix settings" functionality | Disabled | none | User, Machine | Windows Components\Internet Explorer |
| Moving the menu bar above the navigation bar | Enabled | none | User | Windows Components\Internet Explorer |
| Turn on Compatibility Logging | Disabled | none | User, Machine | Windows Components\Internet Explorer |
| Turn off page zooming functionality | Enabled | none | User, Machine | Windows Components\Internet Explorer |
| Prevent performance of First Run Customize settings | Enabled | 1: Skip Customize Settings, and go directly to the user’s home page. | User | Windows Components\Internet Explorer |
| Prevent the Internet Explorer search box from displaying | Enabled | none | User, Machine | Windows Components\Internet Explorer |
| Turn off Quick Tabs functionality | Enabled | none | User, Machine | Windows Components\Internet Explorer |
| Turn off tabbed browsing | Enabled | none | User, Machine | Windows Components\Internet Explorer |
| Prevent participation in the Customer Experience Improvement Program | Enabled | none | User, Machine | Windows Components\Internet Explorer |
| Help menu: Remove 'Tour' menu option | Enabled | none | User | Windows Components\Internet Explorer\Browser menus |
| Turn off automatic image resizing | Disabled | none | User | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Multimedia |
| Prevent configuration of search from the Address bar | Enabled | none | User | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Searching |
| Turn off toolbar upgrade tool | Enabled | none | User, Machine | Windows Components\Internet Explorer\Toolbars |
| Turn off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools | Enabled | none | Machine | Windows Components\Internet Explorer\Internet Settings\Component Updates\Periodic check for updates to Internet Explorer and Internet Tools |

The following list contains security features that were not available in Internet Explorer 6, but are available in Internet Explorer 8 and Internet Explorer 7. If these features are causing application or Web site compatibility issues, consider turning them off through the listed Group Policies. It is important to understand the implications of this tradeoff. To learn more, see the Internet Explorer security site.

| Policy setting name | Scope | Policy path |
|---|---|---|
| Turn off Encryption Support | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Turn off Managing SmartScreen Filter | User, Machine | Windows Components\Internet Explorer |
| Use SmartScreen Filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Use SmartScreen Filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone |
| Use SmartScreen Filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone |
| Use SmartScreen Filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone |
| Use SmartScreen Filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone |
| Use SmartScreen Filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone |
| Use SmartScreen Filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Zone |
| Use SmartScreen Filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Zone |
| Use SmartScreen Filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone |
| Use SmartScreen Filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone |
| Turn off the Security Settings Check feature | User, Machine | Windows Components\Internet Explorer |
| All Processes | User, Machine | Windows Components\Internet Explorer\Application Compatibility\Enable cut, copy or paste operations from the clipboard if URLACTION_SCRIPT_PASTE is set to Prompt |
| Internet Explorer Processes | User, Machine | Windows Components\Internet Explorer\Application Compatibility\Enable cut, copy or paste operations from the clipboard if URLACTION_SCRIPT_PASTE is set to Prompt |
| Process List | User, Machine | Windows Components\Internet Explorer\Application Compatibility\Enable cut, copy or paste operations from the clipboard if URLACTION_SCRIPT_PASTE is set to Prompt |
| Enable Native XMLHttp Support | User, Machine | Windows Components\Internet Explorer\Security Features |

Per-Zone settings are:

| Policy name | Scope | Policy path |
|---|---|---|
| Turn Off First-Run Opt-In | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Allow status bar updates via script | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Turn on Protected Mode | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Web Browser Applications | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Disable WinFX Runtime Components Setup | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Loose or un-compiled XAML files | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| XPS files | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Allow video and animation on a webpage that does not use external media player (through dynsrc attribute) | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone |
| Allow Scriptlets | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone |

Internet Explorer 8 has been designed with performance in mind. Certain Group Policies can be used to help improve performance within your environment. As performance is affected by factors like bandwidth availability, specific sites, and network infrastructure, this section only lists Group Policies that an IT professional may wish to investigate.

Add-ons and Third-Party Browser Extensions

The Add-ons and Third-Party Browser Extensions are typically provided by third parties, and may not share the same performance goals as Internet Explorer. Add-ons and browser extensions are known to have the potential for significant performance impact.

The following Group Policies can be used to manage add-ons and browser extensions in your environment:

| Policy path | Policy setting name | Scope |
|---|---|---|
| Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | Allow third-party browser extensions | User, Machine |
| Windows Components\Internet Explorer\Security Features\Add-on Management | Add-on List | User, Machine |
| Windows Components\Internet Explorer\Security Features\Add-on Management | Deny all add-ons unless specifically allowed in the Add-on List | User, Machine |
| Windows Components\Internet Explorer\Security Features\Add-on Management | All Processes | User, Machine |
| Windows Components\Internet Explorer\Security Features\Add-on Management | Process List | User, Machine |
| Windows Components\Internet Explorer | Do not allow users to enable or disable add-ons | User, Machine |

Tab process growth and connection scaling

Other features that can be customized to improve performance are connection scaling and tab process growth.

| Policy path | Policy setting name | Scope |
|---|---|---|
| Windows Components\Internet Explorer\Security Features | Turn off Connection Scaling | User, Machine |
| Windows Components\Internet Explorer | Set tab process growth | User |

In Internet Explorer 8, the default connection limit has been increased from two connections per host to six connections per host. Connection scaling may impact performance; however, there are several factors involved, including bandwidth availability, specific sites, and network infrastructure. Depending on your environment, connection scaling settings may improve performance.

The Set tab process growth Group Policy allows you to set the rate at which Internet Explorer creates new tab processes. There are two algorithms Internet Explorer uses. The default algorithm has four settings: low, medium, high, or default. Low creates very few tab processes; medium creates a moderate number of tab processes; and high allows the number of tab processes to grow very quickly, and is intended only for machines with ample physical memory. The default setting creates the optimal number of tab processes, based on the operating system and amount of physical memory. In most circumstances, default is recommended. However, if the systems in your environment do not have ample memory, setting the tab process growth to low may improve performance.

The second algorithm for Set tab process growth Group Policy sets an explicit integer number of tabs per process. On Terminal Server, the default value is the integer “1”.