Group Policies in Internet Explorer 9

Group Policy provides a secure way to control Microsoft® Windows® Internet Explorer® 9 configurations. Internet Explorer 8 provided nearly 1,500 Group Policy settings that IT professionals can use to manage and control the web browser configuration. For example, Internet Explorer 8 provided Group Policy settings that govern access to settings on the Internet Options dialog box, define security zones, and add or remove websites in a security zone. Internet Explorer 9 adds new Group Policy settings to support new features.

You can learn about Group Policy and the tools IT pros use to manage it at Managing Browser Settings with Group Policy Tools. Additionally, the white paper Group Policy for Beginners offers a tutorial that describes essential Group Policy concepts and tasks.

This topic lists Group Policy settings for security, performance, and compatibility with previous versions of the browser. Each section lists the policy name and policy path (relative to Administrative Templates). The policy name provides a short description of what the policy does. For more information about each policy, see Group Policy Settings Reference – Windows Internet Explorer 9. You can also see the help text that the Group Policy Management Editor displays for each policy setting.

New policies added in Internet Explorer 9

To add these new Group Policy settings, Internet Explorer 9 installs an administrative template (ADMX file) during normal installation. This file is inetres.admx in %WinDir%\PolicyDefinitions. Internet Explorer 9 also installs a language file for the administrative template (ADML file). This file is inetres.adml in %WinDir%\PolicyDefinitions\LCID, where LCID is a language ID.
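As an added example (not part of the original page or of Microsoft's tooling), the PowerShell below reads an ADMX/ADML pair of the kind described above and lists the registry key and value each policy writes, which is what you need when verifying on an endpoint that a setting actually applied. The XML is a constructed sample with hypothetical policy names and keys, `Get-AdmxPolicyMap` is a hypothetical helper name, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample in ADMX/ADML layout (NOT the contents of the real inetres files).
$admxSample = [xml]@'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="ExampleToggle" class="Both" displayName="$(string.ExampleToggle)"
            key="Software\Policies\Example\Browser" valueName="ExampleToggle">
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="ExampleThreshold" class="Machine" displayName="$(string.ExampleThreshold)"
            key="Software\Policies\Example\Browser\Limits">
      <elements>
        <decimal id="ExampleThresholdBox" valueName="Threshold" minValue="3" maxValue="30" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>
'@

$admlSample = [xml]@'
<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <resources>
    <stringTable>
      <string id="ExampleToggle">Example: turn on sample feature</string>
      <string id="ExampleThreshold">Example: sample threshold</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

function Get-AdmxPolicyMap {
    param([Parameter(Mandatory)][xml]$Admx, [Parameter(Mandatory)][xml]$Adml)

    # ADML string table: id -> localized text shown in the Group Policy editor.
    $strings = @{}
    foreach ($s in $Adml.SelectNodes("//*[local-name()='stringTable']/*[local-name()='string']")) {
        $strings[$s.GetAttribute('id')] = $s.InnerText
    }

    foreach ($p in $Admx.SelectNodes("//*[local-name()='policies']/*[local-name()='policy']")) {
        # displayName is a reference of the form $(string.Id); fall back to the internal name.
        $display = $p.GetAttribute('name')
        if ($p.GetAttribute('displayName') -match '^\$\(string\.(.+)\)$' -and $strings.ContainsKey($Matches[1])) {
            $display = $strings[$Matches[1]]
        }
        # class decides which hive(s) the policy can be written to.
        $hives = switch ($p.GetAttribute('class')) {
            'Machine' { 'HKLM' }
            'User'    { 'HKCU' }
            default   { 'HKLM', 'HKCU' }   # class="Both"
        }
        # A policy writes its own valueName (simple on/off) and/or one value per <elements> child.
        $targets = @()
        if ($p.GetAttribute('valueName')) {
            $targets += [pscustomobject]@{ Key = $p.GetAttribute('key'); Value = $p.GetAttribute('valueName') }
        }
        foreach ($e in $p.SelectNodes("*[local-name()='elements']/*")) {
            # An element may override the policy's key; otherwise it inherits it.
            $key = if ($e.GetAttribute('key')) { $e.GetAttribute('key') } else { $p.GetAttribute('key') }
            $targets += [pscustomobject]@{ Key = $key; Value = $e.GetAttribute('valueName') }
        }
        foreach ($t in $targets) {
            foreach ($h in $hives) {
                [pscustomobject]@{
                    DisplayName = $display
                    Policy      = $p.GetAttribute('name')
                    RegistryKey = "${h}:\$($t.Key)"
                    ValueName   = $t.Value
                }
            }
        }
    }
}

# Look up one display name in the constructed sample.
Get-AdmxPolicyMap -Admx $admxSample -Adml $admlSample |
    Where-Object DisplayName -like '*threshold*' | Format-Table -AutoSize

# Against the installed template (the language folder name is an assumption; use yours):
# $admx = [xml](Get-Content "$env:WinDir\PolicyDefinitions\inetres.admx" -Raw)
# $adml = [xml](Get-Content "$env:WinDir\PolicyDefinitions\en-US\inetres.adml" -Raw)
```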

To create Group Policy Objects (GPOs) in the domain, based on these new settings, you can do one of the following:

Table 1. New Group Policy settings for Internet Explorer 9

| Policy name | Policy path |
| --- | --- |
| Prevent Deleting Download History | Windows Components\Internet Explorer\Delete Browsing History |
| Disable add-on performance notifications | Windows Components\Internet Explorer |
| Enable alternative codecs in HTML5 media elements | Windows Components\Internet Explorer\Internet Control Panel\Advanced settings\Multimedia |
| Allow Internet Explorer 8 Shutdown Behavior | Windows Components\Internet Explorer |
| Install binaries signed by MD2 and MD4 signing technologies | Windows Components\Internet Explorer\Security Features\Binary Behavior Security Restriction |
| Automatically enable newly installed add-ons | Windows Components\Internet Explorer |
| Turn off Managing SmartScreen Filter | Windows Components\Internet Explorer |
| Prevent configuration of top result search in the Address bar | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Searching |
| Prevent Deleting ActiveX Filtering and Tracking Protection data | Windows Components\Internet Explorer\Delete Browsing History |
| Go to an intranet site for a single word entry in the Address bar | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |
| Show tabs below Address bar | Windows Components\Internet Explorer\Toolbars |
| Prevent users from bypassing SmartScreen Filter's application reputation warnings about files that are not commonly downloaded from the Internet | Windows Components\Internet Explorer |
| Disable Browser Geolocation | Windows Components\Internet Explorer |
| Turn off ability to pin sites | Windows Components\Internet Explorer |
| Turn on ActiveX Filtering | Windows Components\Internet Explorer |
| Tracking Protection Threshold | Windows Components\Internet Explorer\Privacy |
| Turn off Tracking Protection | Windows Components\Internet Explorer\Privacy |
| Use Policy List of Quirks Mode (KB982063 added this policy to Internet Explorer 8) | Windows Components\Internet Explorer\Compatibility View |

Migrating policies from Internet Explorer 8

From Internet Explorer 8 to Internet Explorer 9, a small number of Group Policy settings have changed. Tables 2-4 describe these changes. To migrate Group Policy Objects (GPOs) from Internet Explorer 8 to Internet Explorer 9, you must review the settings that Tables 2-4 describe, and update as necessary.

Additionally, text has changed across nearly all policy settings. For example, the phrase “Notification Bar” replaces the phrase “Information Bar.” However, these changes should not affect your existing GPOs. You will see the new text automatically after updating the inetres.admx and inetres.adml files in the local PolicyDefinitions folder or Group Policy central store. Likewise, settings that were in the folder Windows Components\Internet Explorer\InPrivate are now in Windows Components\Internet Explorer\Privacy.

Table 2. Renamed Group Policy settings

| Internet Explorer 8 | Internet Explorer 9 | Policy path |
| --- | --- | --- |
| Allow video and animation on a webpage that does not use external media player (through dynsrc attribute) | Allow video and animation on a Web page that uses a legacy media player | Windows Components\Internet Explorer\Internet Control Panel\Security Page\(All Zones) |
| Open files based on content, not file extension | Enable MIME Sniffing | Windows Components\Internet Explorer\Internet Control Panel\Security Page\(All Zones) |
| Turn on inline AutoComplete for Web addresses | Turn on inline AutoComplete | Windows Components\Internet Explorer\Internet Settings\AutoComplete |

Table 3. Policies split into separate policies for Internet Explorer 8 and Internet Explorer 9

| Previous name | Internet Explorer 8 | Internet Explorer 9 | Policy path |
| --- | --- | --- | --- |
| InPrivate Filtering Threshold | InPrivate Filtering Threshold | Tracking Protection Threshold | Windows Components\Internet Explorer\Privacy |
| Turn off InPrivate Filtering | Turn off InPrivate Filtering | Turn off Tracking Protection | Windows Components\Internet Explorer\Privacy |
| Turn off Managing SmartScreen Filter | Turn off Managing SmartScreen Filter for Internet Explorer 8 | Turn off Managing SmartScreen Filter for Internet Explorer 9 | Windows Components\Internet Explorer |

Table 4. Policies removed from Internet Explorer 9, but which still apply to earlier versions

| Policy name | Policy path |
| --- | --- |
| Allow installation of desktop items | Windows Components\Internet Explorer\Internet Control Panel\Security Page\(All Zones) |
| Do not collect InPrivate Filtering data | Windows Components\Internet Explorer\Privacy |
| Moving the menu bar above the navigation bar | Windows Components\Internet Explorer |
| Prevent Deleting InPrivate Filtering data | Windows Components\Internet Explorer\Delete Browsing History |
| Prevent Internet Explorer Search box from displaying | Windows Components\Internet Explorer |
| Software channel permissions | Windows Components\Internet Explorer\Internet Control Panel\Security Page\(All Zones) |
| Turn off page transitions | Windows Components\Internet Explorer\Internet Control Panel\Advanced settings\Browsing |

High-security settings

By default, Internet Explorer 9 settings are configured to balance security, privacy, and compatibility. In your environment, it may be appropriate to adjust security settings to meet specific needs for your organization. The following sections describe Group Policy settings for configuring security settings.

Note

You can prevent users from changing security settings by enabling the Group Policy setting named Disable the Security Page. This policy setting is located in the following folder: Windows Components\Internet Explorer\Internet Control Panel.

An additional security resource, the Microsoft Security Compliance Manager, provides security configuration recommendations. For more information on this solution accelerator, see Microsoft Security Compliance Manager.

SmartScreen Filter

By enabling the SmartScreen® Filter, you can help protect users from malicious sites that conduct phishing attacks or attempt to download malicious software. By configuring the policy setting named Prevent Bypassing SmartScreen Filter Warnings, you can prevent users from inadvertently ignoring SmartScreen warnings. Table 5 describes the Group Policy settings that you can use to enable and configure the SmartScreen Filter.

Table 5. SmartScreen Filter Group Policy settings

| Policy setting name | Policy path |
| --- | --- |
| Prevent Bypassing SmartScreen Filter Warnings | Windows Components\Internet Explorer |
| Prevent users from bypassing SmartScreen Filter's application reputation warnings about files that are not commonly downloaded from the Internet | Windows Components\Internet Explorer |
| Turn off Managing SmartScreen Filter for Internet Explorer 9 | Windows Components\Internet Explorer |
| Use SmartScreen Filter | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |

Note

The policy Use SmartScreen Filter is in multiple zones. All policies are under the relative path Windows Components\Internet Explorer\Internet Control Panel\Security Page\ and are available for the following zones:

  • Intranet Zone

  • Locked-Down Internet Zone

  • Locked-Down Restricted Zone

  • Locked-Down Trusted Zone

  • Restricted Sites Zone

  • Trusted Sites Zone

Third-party add-ons

Malicious or defective add-ons can cause browser performance or security problems. Table 6 describes the Group Policy settings that you can configure to restrict which add-ons may be installed or run.

Table 6. Group Policy settings to restrict add-ons

| Policy setting name | Policy path |
| --- | --- |
| Allow third-party browser extensions | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Add-on List | Windows Components\Internet Explorer\Security Features\Add-on Management |
| Deny all add-ons unless specifically allowed in the Add-on List | Windows Components\Internet Explorer\Security Features\Add-on Management |
| All Processes | Windows Components\Internet Explorer\Security Features\Add-on Management |
| Process List | Windows Components\Internet Explorer\Security Features\Add-on Management |
| Do not allow users to enable or disable add-ons | Windows Components\Internet Explorer |
| Disable add-on performance notifications | Windows Components\Internet Explorer |

Website certificates

The Group Policy settings listed in the following table help ensure that users are not tricked by fraudulent certificates or unsigned software.

Table 7. Group Policy settings for website certificates

| Policy setting name | Policy path |
| --- | --- |
| Prevent ignoring certificate errors | Windows Components\Internet Explorer\Internet Control Panel |
| Check for server certificate revocation | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Check for signatures on downloaded programs | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Allow software to run or install even if the signature is invalid | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Turn on warn about certificate address mismatch | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |

HTTPS algorithms

Table 8 lists the Group Policy setting that you can use to control which HTTPS algorithms are enabled.

Table 8. Group Policy settings for HTTPS algorithms

| Policy setting name | Policy path |
| --- | --- |
| Turn off encryption support | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |

Site-to-Zone assignments

By configuring the Site-to-Zone assignment list, you can control which security zone settings are applied to specified sites. Table 9 describes the Group Policy setting that you can use to configure this list.

Table 9. Group Policy setting for Site-to-Zone assignments

| Policy setting name | Policy path |
| --- | --- |
| Site to Zone Assignment List | Windows Components\Internet Explorer\Internet Control Panel\Security Page |

Zone settings

Table 10 lists the Group Policy settings that you can use to configure security zones in Internet Explorer 9. You can reduce the attack surface by configuring zone settings for higher security.

Table 10. Group Policy settings for zone settings

| Policy setting name | Policy path name |
| --- | --- |
| Internet Explorer Processes | Windows Components\Internet Explorer\Security Features\Local Machine Zone Lockdown Security |
| Internet Explorer Processes | Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install |
| Download signed ActiveX controls | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Download unsigned ActiveX controls | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Do not prompt for client certificate selection when no certificates or only one certificate exists | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Run .NET Framework-reliant components signed with Authenticode | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Run .NET Framework-reliant components not signed with Authenticode | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone |
| Do not prompt for client certificate selection when no certificates or only one certificate exists | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone |
| Run .NET Framework-reliant components signed with Authenticode | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone |
| Run .NET Framework-reliant components not signed with Authenticode | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone |
| Allow font downloads | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone |
| Locked-Down Internet Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Internet Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Locked-Down Intranet Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Intranet Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Locked-Down Local Machine Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Local Machine Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Locked-Down Restricted Sites Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Restricted Sites Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Locked-Down Trusted Sites Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Trusted Sites Zone Template | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| Turn off ActiveX Opt-In Prompt | Windows Components\Internet Explorer |
| Only use the ActiveX Installer Service for installation of ActiveX controls | Windows Components\Internet Explorer |
| Only allow approved domains to use ActiveX without prompt | Windows Components\Internet Explorer\Internet Control Panel\Security\PER ZONE |
| Disable Per-User Installation of ActiveX Controls | Windows Components\Internet Explorer |
| Turn on ActiveX Filtering | Windows Components\Internet Explorer |

Performance settings

While Internet Explorer 9 is designed for high performance, you can tailor its performance to your environment. Performance is affected by factors like bandwidth, site performance, and network infrastructure.

Additionally, add-ons are typically provided by third parties and are known to have the potential for significant performance impact. Table 11 describes Group Policy settings that you can use to control third-party add-ons in Internet Explorer 9.

Table 11. Group Policy settings for third-party add-ons

| Policy setting name | Policy path |
| --- | --- |
| Allow third-party browser extensions | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Add-on List | Windows Components\Internet Explorer\Security Features\Add-on Management |
| Deny all add-ons unless specifically allowed in the Add-on List | Windows Components\Internet Explorer\Security Features\Add-on Management |
| All Processes | Windows Components\Internet Explorer\Security Features\Add-on Management |
| Process List | Windows Components\Internet Explorer\Security Features\Add-on Management |
| Do not allow users to enable or disable add-ons | Windows Components\Internet Explorer |

Internet Explorer 9 does not provide a policy to disable hardware acceleration (GPU rendering). If necessary, you can disable hardware acceleration using Group Policy preferences. Set the registry value UseSWRender in the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. To learn more about Group Policy preferences, see Managing Browser Settings with Group Policy Tools.

Compatibility settings

To help reduce application and website compatibility issues, or to reduce the learning curve for users as they encounter new features, you can make Internet Explorer 9 behave as closely as possible to previous versions. The following sections describe compatibility settings for Internet Explorer 8, Internet Explorer 7, and Internet Explorer 6.

An alternative to configuring compatibility-related Group Policy settings for Internet Explorer 9 is deploying Microsoft Enterprise Desktop Virtualization (MED-V). It enables large-scale deployment of virtual machines (VMs) running Windows XP Professional with Service Pack 3 and Internet Explorer 6 to computers running Windows 7. You can install legacy applications and configure legacy websites in these VMs to provide continuous access to them. Users can run these applications from the Windows 7 Start menu. For more information about MED-V, see the Microsoft TechNet article, Microsoft Enterprise Desktop Virtualization.

Internet Explorer 8

Table 12 lists Group Policy settings that make Internet Explorer 9 more similar to Internet Explorer 8. Configuring these policy settings approximates the Internet Explorer 8 experience but does not duplicate it exactly. The purpose is to provide users a more familiar experience if they are having difficulty adjusting to the new web browser.

Table 12. Group Policy settings to approximate the Internet Explorer 8 experience

| Policy setting name | Settings | Policy path |
| --- | --- | --- |
| Hide the Status Bar | Disabled | Windows Components\Internet Explorer\Toolbars |
| Hide the Command Bar | Disabled | Windows Components\Internet Explorer\Toolbars |
| Show tabs below Address bar | Enabled | Windows Components\Internet Explorer\Toolbars |
| Turn off Favorites bar | Disabled | Windows Components\Internet Explorer |

Internet Explorer 7

Table 13 lists Group Policy settings that make Internet Explorer 9 more similar to Internet Explorer 7. Configuring these policy settings approximates the Internet Explorer 7 experience but does not duplicate it exactly. Table 14 describes Group Policy settings that configure Internet Explorer 9 to approach functional compatibility with Internet Explorer 7.

Table 13. Group Policy settings to approximate the Internet Explorer 7 experience

| Policy setting name | Settings | Policy path |
| --- | --- | --- |
| Turn off Connection Scaling | Enabled | Windows Components\Internet Explorer\Security Features |
| Turn off Automatic Crash Recovery Prompt | Enabled | Windows Components\Internet Explorer |
| Turn on Caret Browsing support | Disabled | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Turn off Developer Tools | Enabled | Windows Components\Internet Explorer\Toolbars |
| Turn off InPrivate Browsing | Enabled | Windows Components\Internet Explorer\Privacy |
| Turn off Tracking Protection | Enabled | Windows Components\Internet Explorer\Privacy |
| Configure new tab page default behavior | Enabled and set to “about:blank” | Windows Components\Internet Explorer |
| Turn off suggestions for all user-installed providers | Enabled | Windows Components\Internet Explorer |
| Turn off the activation of the quick pick menu | Enabled | Windows Components\Internet Explorer |
| Turn on Suggested Sites | Enabled | Windows Components\Internet Explorer (User only) |
| Turn off background sync for feeds and Web Slices | Enabled | Windows Components\RSS Feeds |
| Turn off addition and removal of feeds and Web Slices | Enabled | Windows Components\RSS Feeds |
| Turn off feed and Web Slices discovery | Enabled | Windows Components\RSS Feeds |

Table 14. Group Policy settings for compatibility with Internet Explorer 7

| Policy setting name | Settings | Policy path |
| --- | --- | --- |
| Turn off Accelerators | Enabled | Windows Components\Internet Explorer\Accelerators |
| Turn off COM Activities | Enabled | Windows Components\Internet Explorer\Accelerators |
| Turn on Internet Explorer 7 Standards Mode | Enabled | Windows Components\Internet Explorer\Compatibility View |

Warning

Internet Explorer 9 provides Group Policy settings that turn off security features that were not available in Internet Explorer 7. While these features can address compatibility issues, Microsoft does not recommend using them. Configuring these policy settings to gain compatibility can weaken security and increase the attack surface. Consider using MED-V as an alternative for websites that are not compatible with Internet Explorer 9 security.

Internet Explorer 6

Table 15 lists Group Policy settings that make Internet Explorer 9 more similar to Internet Explorer 6. Configuring these policy settings approximates the Internet Explorer 6 experience but does not duplicate it exactly. Table 16 describes Group Policy settings that configure Internet Explorer 9 to approach functional compatibility with Internet Explorer 6.

Table 15. Group Policy settings to approximate the Internet Explorer 6 experience

| Policy setting name | Settings | Policy path |
| --- | --- | --- |
| Turn on the display of a notification about every script error | Disabled | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing (User only) |
| Turn off smooth scrolling | Disabled | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing (User only) |
| Turn on the Internet Connection Wizard Auto Detect | Disabled | Windows Components\Internet Explorer\Internet Control Panel\Advanced settings\Internet Connection Wizard Settings (User only) |
| Add a specific list of search providers to the user's search provider list | Disabled | Windows Components\Internet Explorer |
| Turn on menu bar by default | Enabled | Windows Components\Internet Explorer |
| Prevent "Fix settings" functionality | Disabled | Windows Components\Internet Explorer |
| Turn off page zooming functionality | Enabled | Windows Components\Internet Explorer |
| Prevent performance of First Run Customize settings | Enabled and set to “1: Skip Customize Settings, and go directly to the user’s home page.” | Windows Components\Internet Explorer (User only) |
| Prevent the Internet Explorer search box from displaying | Enabled | Windows Components\Internet Explorer |
| Turn off Quick Tabs functionality | Enabled | Windows Components\Internet Explorer |
| Turn off tabbed browsing | Enabled | Windows Components\Internet Explorer |
| Prevent participation in the Customer Experience Improvement Program | Enabled | Windows Components\Internet Explorer |
| Help menu: Remove 'Tour' menu option | Enabled | Windows Components\Internet Explorer\Browser menus (User only) |
| Turn off automatic image resizing | Disabled | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Multimedia (User only) |
| Turn off toolbar upgrade tool | Enabled | Windows Components\Internet Explorer\Toolbars |

Table 16. Group Policy settings for compatibility with Internet Explorer 6

| Policy setting name | Settings | Policy path |
| --- | --- | --- |
| Do not allow resetting Internet Explorer settings | Enabled | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Use UTF-8 for mailto links | Enabled | Windows Components\Internet Explorer\Internet Control Panel |
| Turn off sending URLs as UTF-8 (requires restart) | Disabled | Windows Components\Internet Explorer\Internet Settings\URL Encoding (User only) |
| Customize User Agent String | Enabled and set to "MSIE6.0" | Windows Components\Internet Explorer |
| Turn on Compatibility Logging | Disabled | Windows Components\Internet Explorer |
| Prevent configuration of search from the Address bar | Enabled | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Searching (User only) |

Warning

Internet Explorer 9 provides Group Policy settings that turn off security features that were not available in Internet Explorer 6. While these features can address compatibility issues, Microsoft does not recommend using them. Configuring these policy settings to gain compatibility can weaken security and increase the attack surface. Consider using MED-V as an alternative for websites that are not compatible with Internet Explorer 9 security.