Group Policies in Internet Explorer 9

Group Policy provides a secure way to control Microsoft® Windows® Internet Explorer® 9 configurations. Internet Explorer 8 provided nearly 1,500 Group Policy settings that IT professionals can use to manage and control the web browser configuration. For example, Internet Explorer 8 provided Group Policy settings that govern access to settings on the Internet Options dialog box, define security zones, and add or remove websites in a security zone. Internet Explorer 9 adds new Group Policy settings to support new features.

You can learn about Group Policy and the tools IT pros use to manage it at Managing Browser Settings with Group Policy Tools. Additionally, the white paper Group Policy for Beginners offers a tutorial that describes essential Group Policy concepts and tasks.

This topic lists Group Policy settings for security, performance, and compatibility with previous versions of the browser. Each section lists the policy name and policy path (relative to Administrative Templates). The policy name provides a short description of what the policy does. For more information about each policy, see Group Policy Settings Reference – Windows Internet Explorer 9. You can also see the help text that the Group Policy Management Editor displays for each policy setting.

To add these new Group Policy settings, Internet Explorer 9 installs an administrative template (ADMX file) during normal installation. This file is inetres.admx in %WinDir%\PolicyDefinitions. Internet Explorer 9 also installs a language file for the administrative template (ADML file). This file is inetres.adml in %WinDir%\PolicyDefinitions\LCID, where LCID is a language ID.

To create Group Policy Objects (GPOs) in the domain, based on these new settings, you can do one of the following:

• Install the Remote Server Administration Tools (RSAT) on a computer that runs Windows 7 and Internet Explorer 9. Then, turn on the Group Policy Management Tools feature, and use the Group Policy Management Console (GPMC) to edit GPOs in the domain. For more information about installing RSAT and turning on individual remote management tools, see Remote Server Administration Tools for Windows 7.

• Copy the ADMX and ADML files to the Group Policy central store, and then edit GPOs in the domain as usual. For more information about managing ADMX and ADML files, see How to Create a Central Store for Group Policy Administrative Templates in Windows Vista.

Table 1. New Group Policy settings for Internet Explorer 9

From Internet Explorer 8 to Internet Explorer 9, a small number of Group Policy settings have changed. Tables 2-4 describe these changes. To migrate Group Policy Objects (GPOs) from Internet Explorer 8 to Internet Explorer 9, you must review the settings that Tables 2-4 describe, and update as necessary.

Additionally, text has changed across nearly all policy settings. For example, the phrase “Notification Bar” replaces the phrase “Information Bar.” However, these changes should not affect your existing GPOs. You will see the new text automatically after updating the inetres.admx and inetres.adml files in the local PolicyDefinitions folder or Group Policy central store. Likewise, settings that were in the folder Windows Components\Internet Explorer\InPrivate are now in Windows Components\Internet Explorer\Privacy.

Table 2. Renamed Group Policy settings

Table 3. Policies split into separate policies for Internet Explorer 8 and Internet Explorer 9

Table 4. Policies removed from Internet Explorer 9, but which still apply to earlier versions

By default, Internet Explorer 9 settings are configured to balance security, privacy, and compatibility. In your environment, it may be appropriate to adjust security settings to meet specific needs for your organization. The following sections describe Group Policy settings for configuring security settings.

An additional security resource, the Microsoft Security Compliance Manager provides security configuration recommendations. For more information on this solution accelerator, see Microsoft Security Compliance Manager.

By enabling the SmartScreen® Filter, you can help protect users from malicious sites that conduct phishing attacks or attempt to download malicious software. By configuring the policy setting named Prevent Bypassing SmartScreen Filter Warnings, you can prevent users from inadvertently ignoring SmartScreen warnings. Table 5 describes the Group Policy settings that you can use to enable and configure the SmartScreen Filter.

Table 5. SmartScreen Filter Group Policy settings

• Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  
  
• Locked-Down Internet Zone
  
  
• Locked-Down Restricted Zone
  
  
• Locked-Down Trusted Zone
  
  
• Restricted Sites Zone
  
  
• Trusted Sites Zone
  
  

Malicious or defective add-ons can cause browser performance or security problems. Table 6 describes the Group Policy settings that you can configure to restrict which add-ons may be installed or run.

Table 6. Group Policy settings to restrict add-ons

The Group Policy settings listed in the following table help ensure that users are not tricked by fraudulent certificates or unsigned software.

Table 7. Group Policy settings for website certificates

Table 8 lists the Group Policy setting that you can use to control which HTTPS algorithms are enabled.

Table 8. Group Policy settings for HTTPS algorithms

By configuring the Site-to-Zone assignment list, you can control which security zone settings are applied to specified sites. Table 9 describes the Group Policy setting that you can use to configure this list.

Table 9. Group Policy setting for Site-to-Zone assignments

Table 10 lists the Group Policy settings that you can use to configure security zones in Internet Explorer 9. You can reduce the attack surface by configuring zone settings for higher security.

Table 10. Group Policy settings for zone settings

While Internet Explorer 9 is designed for high performance, you can tailor its performance to your environment. Performance is affected by factors like bandwidth, site performance, and network infrastructure.

Additionally, add-ons are typically provided by third parties and are known to have the potential for significant performance impact. Table 11 describes Group Policy settings that you can use to control third-party add-ons in Internet Explorer 9.

Table 11. Group Policy settings for third-party add-ons

Internet Explorer 9 does not provide a policy to disable hardware acceleration (GPU rendering). If necessary, you can disable hardware acceleration using Group Policy preferences. Set the registry value UseSWRender in the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. To learn more about Group Policy preferences, see Managing Browser Settings with Group Policy Tools.

To help reduce application and website compatibility issues, or to reduce the learning curve for users as they encounter new features, you can make Internet Explorer 9 behave as closely as possible to previous versions. The following sections describe compatibility settings for Internet Explorer 8, Internet Explorer 7, and Internet Explorer 6.

An alternative to configuring compatibility-related Group Policy settings for Internet Explorer 9 is deploying Microsoft Enterprise Desktop Virtualization (MED-V). It enables large-scale deployment of virtual machines (VMs) running Windows XP Professional with Service Pack 3 and Internet Explorer 6 to computers running Windows 7. You can install legacy applications and configure legacy websites in these VMs to provide continuous access to them. Users can run these applications from the Windows 7 Start menu. For more information about MED-V, see the Microsoft TechNet article, Microsoft Enterprise Desktop Virtualization.

Table 12 lists Group Policy settings that make Internet Explorer 9 more similar to Internet Explorer 8. Configuring these policy settings approximates the Internet Explorer 8 experience but does not duplicate it exactly. The purpose is to provide users a more familiar experience if they are having difficulty adjusting to the new web browser.

Table 12. Group Policy settings to approximate the Internet Explorer 8 experience

Table 13 lists Group Policy settings that make Internet Explorer 9 more similar to Internet Explorer 7. Configuring these policy settings approximates the Internet Explorer 7 experience but does not duplicate it exactly. Table 14 describes Group Policy settings that configure Internet Explorer 9 to approach functional compatibility with Internet Explorer 7.

Table 13. Group Policy settings to approximate the Internet Explorer 7 experience

Table 14. Group Policy settings for compatibility with Internet Explorer 7

Table 15 lists Group Policy settings that make Internet Explorer 9 more similar to Internet Explorer 6. Configuring these policy settings approximates the Internet Explorer 6 experience but does not duplicate it exactly. Table 16 describes Group Policy settings that configure Internet Explorer 9 to approach functional compatibility with Internet Explorer 6.

Table 15. Group Policy settings to approximate the Internet Explorer 6 experience

Table 16. Group Policy settings for compatibility with Internet Explorer 6