Group Policy and Internet Explorer 8

Group Policy and Internet Explorer ...

There are approximately 1300 Group Policies for managing Windows® Internet Explorer® 8. Configuring these for the first time may seem like a daunting task. This section provides recommendations for the following important areas: security, performance, and compatibility with Internet Explorer 7 and Internet Explorer 6. This section also lists all the new Group Policies added in Internet Explorer 8.

The Group Policies are listed with information on the policy setting name, scope, and policy path. The policy setting name gives a short description of what the policy does. For more information about each policy, see the policy explain text provided in the Group Policy editor. Group Policies can be set in either Machine or User scope. Machine policy takes precedence over user policy. Finally, the policy path is where the policy is located under the Administrative Templates in the Group Policy editor.

New Group Policies added in Internet Explorer 8

The following table lists the new Group Policies in Internet Explorer 8.

Feature	Policy setting name	Scope	Policy path
Accelerators	Turn off Accelerators	User, Machine	Windows Components\Internet Explorer\Accelerators
	Deploy non-default Accelerators	User, Machine	Windows Components\Internet Explorer\Accelerators
	Deploy default Accelerators	User, Machine	Windows Components\Internet Explorer\Accelerators
	Use Policy Accelerators	User, Machine	Windows Components\Internet Explorer\Accelerators
ActiveX®	Turn off ActiveX Opt-In Prompt	User, Machine	Windows Components\Internet Explorer
	Only use the ActiveX Installer Service for installation of ActiveX controls	User, Machine	Windows Components\Internet Explorer
	Only allow approved domains to use ActiveX without prompt	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security\PER ZONE
	Disable Per-User Installation of ActiveX Controls	User, Machine	Windows Components\Internet Explorer
AJAX	Turn off Cross Domain Request Object	User, Machine	Windows Components\Internet Explorer\Security Features
	Turn off Cross Document Messaging	User, Machine	Windows Components\Internet Explorer\Security Features
	Maximum number of connections per server (HTTP 1.0)	User, Machine	Windows Components\Internet Explorer\Security Features\AJAX
	Maximum number of connections per server (HTTP 1.1)	User, Machine	Windows Components\Internet Explorer\Security Features\AJAX
Automatic Crash Recovery	Turn off Automatic Crash Recovery Prompt	User, Machine	Windows Components\Internet Explorer
	Turn off Reopen Last Browsing Session	User, Machine	Windows Components\Internet Explorer
Caret Browsing support	Turn on Caret Browsing support	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Compatibility View	Turn on Internet Explorer 7 Standards Mode	User, Machine	Windows Components\Internet Explorer\Compatibility View
	Turn off Compatibility View	User, Machine	Windows Components\Internet Explorer\Compatibility View
	Turn on Internet Explorer Standards Mode for Local Intranet	User, Machine	Windows Components\Internet Explorer\Compatibility View
	Use Policy List of Internet Explorer 7 Sites	User, Machine	Windows Components\Internet Explorer\Compatibility View
	Turn off Compatibility View button	User, Machine	Windows Components\Internet Explorer\Compatibility View
	Include updated Web site lists from Microsoft	User, Machine	Windows Components\Internet Explorer\Compatibility View
Data Execution Prevention	Turn off Data Execution Prevention	User, Machine	Windows Components\Internet Explorer\Security Features
Data URI Support	Turn off Data URI Support	Machine	Windows Components\Internet Explorer\Security Features
Delete Browsing History	Prevent Deleting Web sites that the User has Visited	User, Machine	Windows Components\Internet Explorer\Delete Browsing History
	Prevent Deleting Temporary Internet Files	User, Machine	Windows Components\Internet Explorer\Delete Browsing History
	Prevent Deleting Cookies	User, Machine	Windows Components\Internet Explorer\Delete Browsing History
	Prevent Deleting Favorites Site Data	User, Machine	Windows Components\Internet Explorer\Delete Browsing History
	Prevent Deleting InPrivate Blocking data	User, Machine	Windows Components\Internet Explorer\Delete Browsing History
	Configure Delete Browsing History on exit	User, Machine	Windows Components\Internet Explorer\Delete Browsing History
Developer Tools	Turn off Developer Tools	User, Machine	Windows Components\Internet Explorer\Toolbars
Encryption support	Turn off Encryption Support	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Favorites Bar	Turn off Favorites Bar	User, Machine	Windows Components\Internet Explorer
InPrivate Filtering	Turn off InPrivate Filterting
InPrivate Filterting	Turn off InPrivate Filterting	User, Machine	Windows Components\Internet Explorer\InPrivate
	Do not collect InPrivate Filtering data	User, Machine	Windows Components\Internet Explorer\InPrivate
	InPrivate Filtering threshold	User, Machine	Windows Components\Internet Explorer\InPrivate
	Disable toolbars and extensions when InPrivate Filtering starts	User, Machine	Windows Components\Internet Explorer\InPrivate
	Turn off InPrivate Browsing	User, Machine	Windows Components\Internet Explorer\InPrivate
HTTP 1.1	Use HTTP 1.1	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
	Use HTTP 1.1 through proxy connections	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
New Tab behavior	Configure new tab page default behavior	User, Machine	Windows Components\Internet Explorer
Printing	Turn off printing menu	User	Windows Components\Internet Explorer\Browser Menu
RSS Feeds	Turn on Basic feed authentication over HTTP	User, Machine	Windows Components\RSS Feeds
Search Provider	Turn off suggestions for all user-installed providers	User, Machine	Windows Components\Internet Explorer
	Turn off the activation of the quick pick menu	User, Machine	Windows Components\Internet Explorer
	Turn off Windows Search AutoComplete	User, Machine	Windows Components\Internet Explorer\Internet Settings\AutoComplete
Secondary Home Pages	Disable changing secondary home page settings	User	Windows Components\Internet Explorer
Security	Turn off cross-site scripting filter	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\<multiple zones>
	Turn on warn about Certificate Address Mismatch	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page
SmartScreen® Filter	Prevent Bypassing SmartScreen Filter Warnings	User, Machine	Windows Components\Internet Explorer
	Turn off Managing SmartScreen Filter	User, Machine	Windows Components\Internet Explorer
	Use SmartScreen Filter	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\PER ZONE
Suggested Sites	Turn on Suggested Sites	User	Windows Components\Internet Explorer
Tab Grouping	Turn off Tab Grouping	User	Windows Components\Internet Explorer
Tab process growth	Set tab process growth	User, Machine	Windows Components\Internet Explorer
Toolbars	Lock all toolbars	User, Machine	Windows Components\Internet Explorer\Toolbars
	Hide the command bar	User, Machine	Windows Components\Internet Explorer\Toolbars
	Hide the status bar	User, Machine	Windows Components\Internet Explorer\Toolbars
	Set location of Stop and Refresh buttons	User, Machine	Windows Components\Internet Explorer\Toolbars
	Use large icons for command buttons	User, Machine	Windows Components\Internet Explorer\Toolbars
	Customize command button labels	User, Machine	Windows Components\Internet Explorer\Toolbars
Web Slices	Turn off the feed and Web Slices list	User, Machine	Windows Components\RSS Feeds
	Turn off background sync for feeds and Web Slices	User, Machine	Windows Components\RSS Feeds
	Turn off addition and removal of feeds and Web Slices	User, Machine	Windows Components\RSS Feeds
	Turn off feed and Web Slices discovery	User, Machine	Windows Components\RSS Feeds

Recommended high-security settings

By default, Internet Explorer 8 settings are configured to balance security, privacy, and compatibility. In your environment, it may be appropriate to adjust security settings to improve security.

You can restrict users from making configuration changes by configuring the following policies.

Policy setting name	Policy path
Disable the Security Page	Windows Components\Internet Explorer\Internet Control Panel

By enabling the SmartScreen Filter, you can help protect users from malicious sites that conduct phishing attacks or attempt to download malicious software. By configuring the “Prevent bypass” setting, you can prevent users from inadvertently ignoring SmartScreen warnings for known-malicious sites.

Policy setting name	Policy path
Prevent Bypassing SmartScreen Filter Warnings	Windows Components\Internet Explorer
Turn off Managing SmartScreen Filter	Windows Components\Internet Explorer
Use SmartScreen Filter	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Use SmartScreen Filter	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
Use SmartScreen Filter	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
Use SmartScreen Filter	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Zone
Use SmartScreen Filter	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Zone
Use SmartScreen Filter	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Use SmartScreen Filter	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone

Malicious or defective add-ons can cause browser performance or security problems. You can configure Group Policies to restrict which add-ons may be installed or run.

Policy setting name	Policy path
Allow third-party browser extensions	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Add-on List	Windows Components\Internet Explorer\Security Features\Add-on Management
Deny all add-ons unless specifically allowed in the Add-on List	Windows Components\Internet Explorer\Security Features\Add-on Management
All Processes	Windows Components\Internet Explorer\Security Features\Add-on Management
Process List	Windows Components\Internet Explorer\Security Features\Add-on Management
Do not allow users to enable or disable add-ons	Windows Components\Internet Explorer

Help ensure that users are not spoofed by fraudulent certificates or unsigned software by configuring the following policies:

Policy setting name	Policy path
Prevent ignoring certificate errors	Windows Components\Internet Explorer\Internet Control Panel
Check for server certificate revocation	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Check for signatures on downloaded programs	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Allow software to run or install even if the signature is invalid	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn on warn about certificate address	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

Control which HTTPS algorithms are enabled using the “Turn off encryption support” policy.

Policy setting name	Policy path
Turn off encryption support	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

By configuring the Site-to-Zone assignment list, you can control which security zone settings are applied to specified sites.

Policy setting name	Policy path
Site to Zone Assignment List	Windows Components\Internet Explorer\Internet Control Panel\Security Page

Depending on your needs, you may wish to restrict the following zone settings to reduce attack surface.

Policy setting name	Policy path name
Internet Explorer Processes	Windows Components\Internet Explorer\Security Features\Local Machine Zone Lockdown Security
Internet Explorer Processes	Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install
Download signed ActiveX controls	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Download unsigned ActiveX controls	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Do not prompt for client certificate selection when no certificates or only one certificate exists	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Run .NET Framework-reliant components signed with Authenticode	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Run .NET Framework-reliant components not signed with Authenticode	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Do not prompt for client certificate selection when no certificates or only one certificate exists	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
Run .NET Framework-reliant components signed with Authenticode	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
Run .NET Framework-reliant components not signed with Authenticode	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
Allow font downloads	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Locked-Down Internet Zone Template	Windows Components\Internet Explorer\Internet Control Panel\Security Page
Internet Zone Template	Windows Components\Internet Explorer\Internet Control Panel\Security Page
Locked-Down Intranet Zone Template	Windows Components\Internet Explorer\Internet Control Panel\Security Page
Intranet Zone Template	Windows Components\Internet Explorer\Internet Control Panel\Security Page
Locked-Down Local Machine Zone Template	Windows Components\Internet Explorer\Internet Control Panel\Security Page
Local Machine Zone Template	Windows Components\Internet Explorer\Internet Control Panel\Security Page
Locked-Down Restricted Sites Zone Template	Windows Components\Internet Explorer\Internet Control Panel\Security Page
Restricted Sites Zone Template	Windows Components\Internet Explorer\Internet Control Panel\Security Page
Locked-Down Trusted Sites Zone Template	Windows Components\Internet Explorer\Internet Control Panel\Security Page
Trusted Sites Zone Template	Windows Components\Internet Explorer\Internet Control Panel\Security Page
Turn off ActiveX Opt-In Prompt	Windows Components\Internet Explorer
Only use the ActiveX Installer Service for installation of ActiveX controls	Windows Components\Internet Explorer
Only allow approved domains to use ActiveX without prompt	Windows Components\Internet Explorer\Internet Control Panel\Security\PER ZONE
Disable Per-User Installation of ActiveX Controls	Windows Components\Internet Explorer

Recommended compatibility settings

To reduce application and Web site compatibility issues, or to reduce the learning curve for users as they encounter new features, you may want to make Internet Explorer 8 behave as closely as possible to previous versions.

Compatibility with Internet Explorer 7

The following recommended settings for Group Policies will make Internet Explorer 8 behave as closely as possible to Internet Explorer 7.

Note
Turning off the Web Slice feature will also include turning off the RSS Feeds feature.

Policy setting name	Settings	Arguments	Scope	Policy path
Turn off Accelerators	Enabled	n/a	User, Machine	Windows Components\Internet Explorer\Accelerators
Turn off COM Activities	Enabled	n/a	User, Machine	Windows Components\Internet Explorer\Accelerators
Turn off Connection Scaling	Enabled	n/a	User, Machine	Windows Components\Internet Explorer\Security Features
Turn off Automatic Crash Recovery Prompt	Enabled	n/a	User, Machine	Windows Components\Internet Explorer
Turn on Caret Browsing support	Disabled	n/a	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn on Internet Explorer 7 Standards Mode	Enabled	n/a	User, Machine	Windows Components\Internet Explorer\Compatibility View
Turn off Developer Tools	Enabled	n/a	User, Machine	Windows Components\Internet Explorer\Toolbars
Turn off InPrivate Browsing	Enabled	n/a	User, Machine	Windows Components\Internet Explorer\InPrivate
Turn off InPrivate Filtering	Enabled	n/a	User, Machine	Windows Components\Internet Explorer\InPrivate
Configure new tab page default behavior	Enabled	about:blank	User, Machine	Windows Components\Internet Explorer
Turn off suggestions for all user-installed providers	Enabled	n/a	User, Machine	Windows Components\Internet Explorer
Turn off the activation of the quick pick menu	Enabled	n/a	User, Machine	Windows Components\Internet Explorer
Turn on Suggested Sites	Enabled	n/a	User	Windows Components\Internet Explorer
Turn off background sync for feeds and Web Slices	Enabled	n/a	User, Machine	Windows Components\RSS Feeds
Turn off addition and removal of feeds and Web Slices	Enabled	n/a	User, Machine	Windows Components\RSS Feeds
Turn off feed and Web Slices discovery	Enabled	n/a	User, Machine	Windows Components\RSS Feeds

The following list contains security features that were not available in Internet Explorer 7, but are available in Internet Explorer 8. If these features are causing application or Web site compatibilities issues, consider turning them off through the listed Group Policies. It is important to understand the implications of this tradeoff. To learn more, see the Internet Explorer security site.

Policy setting name	Scope	Policy path
Turn off Cross Domain Request Object	User, Machine	Windows Components\Internet Explorer\Security Features
Turn off Cross Document Messaging	User, Machine	Windows Components\Internet Explorer\Security Features
Turn off Data Execution Prevention	User, Machine	Windows Components\Internet Explorer\Security Features
Turn off Data URI Support	User, Machine	Windows Components\Internet Explorer\Security Features

Compatibility with Internet Explorer 6

To make Internet Explorer 8 behave as closely as possible to Internet Explorer 6, you must apply the recommended Group Policies for compatibility with Internet Explorer 7, in addition to the following list of Group Policies specific for compatibility with Internet Explorer 6:

Policy setting name	Settings	Arguments	Scope	Policy path
Turn off ClearType	Enabled	none	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Do not allow resetting Internet Explorer settings	Enabled	none	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn off friendly http error messages	Disabled	none	User	Windows Components\Internet Explorer\Internet Settings \Advanced settings\Browsing
Turn off page transitions	Disabled	none	User	Windows Components\Internet Explorer\Internet Settings \Advanced settings\Browsing
Turn on the display of a notification about every script error	Disabled	none	User	Windows Components\Internet Explorer\Internet Settings \Advanced settings\Browsing
Turn off smooth scrolling	Disabled	none	User	Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing
Use UTF-8 for mailto links	Enabled	none	User, Machine	Windows Components\Internet Explorer\Internet Control Panel
Turn off sending URLs as UTF-8 (requires restart)	Disabled	none	User	Windows Components\Internet Explorer\Internet Settings\URL Encoding
Prevent the configuration of cipher strength update information URLs	Disabled	none	Machine	Windows Components\Internet Explorer\Internet Settings\Component Updates\Help Menu
Turn on the Internet Connection Wizard Auto Detect	Disabled	none	User	Windows Components\Internet Explorer\Internet Control Panel\Advanced settings\Internet Connection Wizard Settings
Add a specific list of search providers to the user's search provider list	Disabled	none	User, Machine	Windows Components\Internet Explorer
Turn on menu bar by default	Enabled	none	User, Machine	Windows Components\Internet Explorer
Customize User Agent String	Enabled	"MSIE6.0"	User, Machine	Windows Components\Internet Explorer
Prevent "Fix settings" functionality	Disabled	none	User, Machine	Windows Components\Internet Explorer
Moving the menu bar above the navigation bar	Enabled	none	User	Windows Components\Internet Explorer
Turn on Compatibility Logging	Disabled	none	User, Machine	Windows Components\Internet Explorer
Turn off page zooming functionality	Enabled	none	User, Machine	Windows Components\Internet Explorer
Prevent performance of First Run Customize settings	Enabled	1: Skip Customize Settings, and go directly to the user’s home page.	User	Windows Components\Internet Explorer
Prevent the Internet Explorer search box from displaying	Enabled	none	User, Machine	Windows Components\Internet Explorer
Turn off Quick Tabs functionality	Enabled	none	User, Machine	Windows Components\Internet Explorer
Turn off tabbed browsing	Enabled	none	User, Machine	Windows Components\Internet Explorer
Prevent participation in the Customer Experience Improvement Program	Enabled	none	User, Machine	Windows Components\Internet Explorer
Help menu: Remove 'Tour' menu option	Enabled	none	User	Windows Components\Internet Explorer\Browser menus
Turn off automatic image resizing	Disabled	none	User	Windows Components\Internet Explorer\Internet Settings\Advanced settings\Multimedia
Prevent configuration of search from the Address bar	Enabled	none	User	Windows Components\Internet Explorer\Internet Settings\Advanced settings\Searching
Turn off toolbar upgrade tool	Enabled	none	User, Machine	Windows Components\Internet Explorer\Toolbars
Turn off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools	Enabled	none	Machine	Windows Components\Internet Explorer\Internet Settings\Component Updates\Periodic check for updates to Internet Explorer and Internet Tools

The following list contains security features that were not available in Internet Explorer 6, but are available in Internet Explorer 8 and Internet Explorer 7. If these features are causing application or Web site compatibilities issues, consider turning them off through the listed Group Policies. It is important to understand the implications of this tradeoff. To learn more, see the Internet Explorer security site.

Policy setting name	Scope	Policy path
Turn off Encryption Support	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn off Managing SmartScreen Filter	User, Machine	Windows Components\Internet Explorer
Use SmartScreen Filter	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Use SmartScreen Filter	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
Use SmartScreen Filter	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
Use SmartScreen Filter	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
Use SmartScreen Filter	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
Use SmartScreen Filter	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
Use SmartScreen Filter	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Zone
Use SmartScreen Filter	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Zone
Use SmartScreen Filter	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Use SmartScreen Filter	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
Turn off the Security Settings Check feature	User, Machine	Windows Components\Internet Explorer
All Processes	User, Machine	Windows Components\Internet Explorer\Application Compatibility\Enable cut, copy or paste operations from the clipboard if URLACTION_SCRIPT_PASTE is set to Prompt
Internet Explorer Processes	User, Machine	Windows Components\Internet Explorer\Application Compatibility\Enable cut, copy or paste operations from the clipboard if URLACTION_SCRIPT_PASTE is set to Prompt
Process List	User, Machine	Windows Components\Internet Explorer\Application Compatibility\Enable cut, copy or paste operations from the clipboard if URLACTION_SCRIPT_PASTE is set to Prompt
Enable Native XMLHttp Support	User, Machine	Windows Components\Internet Explorer\Security Features

Per-Zone settings are:

Policy name	Scope	Policy path
Turn Off First-Run Opt-In	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow status bar updates via script	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Turn on Protected Mode	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Web Browser Applications	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Disable WinFX Runtime Components Setup	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Loose or un-compiled XAML files	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
XPS files	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow video and animation on a webpage that does not use external media player (through dynsrc attribute)	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
Allow Scriptlets	User, Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone

Recommended performance settings

Internet Explorer 8 has been designed with performance in mind. Certain Group Policies can be used to help improve performance within your environment. As performance is affected by factors like bandwidth availability, specific sites, and network infrastructure, this section only lists Group Policies that an IT professional may wish to investigate.

Add-ons and Third-Party Browser Extensions

The Add-ons and Third-Party Browser Extensions are typically provided by third parties, and may not share the same performance goals as Internet Explorer. Add-ons and browser extensions are known to have the potential for significant performance impact.

The following Group Policies can be used to manage add-ons and browser extensions in your environment:

Policy path	Policy setting name	Scope
Windows Components\Internet Explorer\Internet Control Panel\Advanced Page	Allow third-party browser extensions	User, Machine
Windows Components\Internet Explorer\Security Features\Add-on Management	Add-on List	User, Machine
Windows Components\Internet Explorer\Security Features\Add-on Management	Deny all add-ons unless specifically allowed in the Add-on List	User, Machine
Windows Components\Internet Explorer\Security Features\Add-on Management	All Processes	User, Machine
Windows Components\Internet Explorer\Security Features\Add-on Management	Process List	User, Machine
Windows Components\Internet Explorer	Do not allow users to enable or disable add-ons	User, Machine

Tab process growth and connection scaling

Other features that can be customized to improve performance are connection scaling and tab process growth.

Policy path	Policy setting name	Scope
Windows Components\Internet Explorer\Security Features	Turn off Connection Scaling	User, Machine
Windows Components\Internet Explorer	Set tab process growth	User

In Internet Explorer 8, the default connection limit has been increased from two connections per host to six connections per host. Connection scaling may impact performance; however, there are several factors involved, including bandwidth availability, specific sites, and network infrastructure. Depending on your environment, connection scaling settings may improve performance.

The Set tab process growth Group Policy allows you to set the rate at which Internet Explorer creates new tab processes. There are two algorithms Internet Explorer uses. The default algorithm has four settings: low, medium, high, or default. Low creates very few tab processes; medium creates a moderate number of tab processes; and high allows the tab process to grow very quickly, and is intended only for machines with ample physical memory. The default setting creates the optimal number of tab processes, based on the operating system and amount of physical memory. In most circumstances, default is recommended. However, if the systems on your environment do not have ample memory, setting the tab process growth to low may improve performance.

The second algorithm for Set tab process growth Group Policy sets an explicit integer number of tabs per process. On Terminal Server, the default value is the integer “1”.

Tags

: Add a tag

Community Content

Add new content

Annotations

"Turn off Data Execution Prevention" only applies to the Computer Configuration

rpr.nospam | Edit | Show History

While editing a GPO I've noticed that the "Turn off Data Execution Prevention" setting is not available in User Configuration of a GPO. In another words, that policy settings has only the machine scope.

Tags

: Add a tag

Flag as ContentBug

compatibility view not listed

jd142 | Edit | Show History

I loaded the adm files from the IEAK8 policy folder and I don't even see it listed under Windows Components\Internet Explorer\Compatibility View. The Internet Explorer subkeys jump from Browser Menus to Internet Control Panel. Are other people seeing this?

Tags

: Add a tag

Flag as ContentBug

@ JD142

felsan | Edit | Show History

@jd142

I added the inetres.admx and the inetres.adml from the local polices on my 2k8 DC to my domain policydefinitions and then it showed. I suggest backing up those files before copying the new ones.

Tags

: @jd142 (x) Add a tag

Flag as ContentBug

Site Feedback