What Is Internet Explorer Maintenance Extension?

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

What Is Internet Explorer Maintenance Extension?

In this subject

  • Common Internet Explorer Maintenance Extension Scenarios

  • Internet Explorer Maintenance Extension Dependencies on or Interactions with Other Technologies

  • Related Information

The Internet Explorer Maintenance Extension is part of the Group Policy Object Editor, and it enables you to define an Internet Explorer configuration as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and enable administrators to manage the Internet Explorer configuration for multiple users on any computer joined to the domain.

The Internet Explorer Maintenance Extension uses two sets of extensions to accomplish its purpose: a snap-in extension to the Group Policy Object Editor, and a Client-Side Extension (CSE). The snap-in extension (ieaksie.dll) is used to configure Internet Explorer settings in a GPO. The Client-Side Extension (iedkcs32.dll) is a dynamic-link library (DLL) on the client computer that implements the Internet Explorer Maintenance Extension settings contained in the GPO.

The security risks inherent in exposure to the Internet for large computer networks require organizations to adopt a computer security policy. Users can accidentally compromise security for the entire network by misconfiguring their own, or a coworker’s, computer. Providing users with information useful in solving problems or in accomplishing their jobs is not very effective if users are not familiar with the information, or if the information is difficult to access. The Internet Explorer Maintenance Extension enables administrators to stipulate custom favorites, links, security, interface, and other settings to specify an Internet Explorer configuration as part of a GPO. Administrators are able to enforce Internet-related security standards, and provide a common browser interface within the organization. Specifying custom links provides users easy access to useful information, and can aid in reducing end-user help calls.

Common Internet Explorer Maintenance Extension Scenarios

The Internet Explorer Maintenance Extension can be used to configure either mandatory or default settings for Internet Explorer.

Mandatory Internet Explorer Settings

Mandatory settings are used to enforce security, interface and other Internet Explorer settings by making users unable to change those settings. To configure mandatory settings, the settings are created while Internet Explorer Maintenance Extension is in Policy mode. When a GPO containing Policy mode settings is applied to a user configuration, the settings are reapplied only when Group Policy is forcefully reapplied to the target computer or changes are made to the GPO. Without further configuration using Group Policy Administrative Templates Extension settings, users are able to change their browser settings. There are two additional steps that must be completed to impose the mandatory status of the GPO:

  • The Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance policy processing setting must be configured to process settings even if they have not been changed.

  • All of the settings in the User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel node must be enabled.

Default Internet Explorer Settings

Internet Explorer Maintenance Extension can also be used to configure default settings for users the first time the GPO is applied to their computers. This provides users with the same starting configuration for their browsers, but enables them to personalize the configuration. To configure default settings, the settings are created while Internet Explorer Maintenance Extension is in Preference mode. Once a GPO containing Preference mode settings is applied to a user configuration, the settings are not reapplied unless there are changes to the GPO settings, even when Group Policy is forcefully reapplied to the target computer. Preference Mode also enables two additional groups of settings:

  • Corporate Settings. These are used to configure temporary internet file settings, and download locations for ActiveX controls and Java code.

  • Internet Settings. These are used to configure Internet Explorer link and text colors, AutoComplete settings, how often Internet Explorer checks for updates, and other advanced settings.

Internet Explorer Maintenance Extension Settings

The mode setting for Internet Explorer Maintenance Extension settings is exclusive within a GPO. Policy and Preference mode settings cannot coexist in the same GPO. The following table lists the available Internet Explorer Maintenance Extension Group Policy settings and their descriptions. It also notes if a setting is available in only Preference mode or Policy mode.

Internet Explorer Maintenance Extension Configuration Settings

Browser User Interface Description

Browser Title (Policy mode only)

This setting customizes the text that appears in the title bar of the Internet Explorer browser. The text is appended to the string “Microsoft Internet Explorer provided by.”

Custom Logo (Policy mode only)

This setting replaces the static Internet Explorer logo in the upper-right corner of the Internet Explorer window with a custom static logo. It also replaces the animated Internet Explorer logo in the upper-right corner of the Internet Explorer window with a properly formatted custom animated logo.

Browser Toolbar Customizations

This setting customizes the background and buttons of the Internet Explorer toolbar.

Connection

Description

Connection Settings

This setting enables you to import connection settings from the Internet Control Panel Connections tab of an already-configured computer. It restricts how users can interact with connection settings through the System Policies and Restrictions page. It is not necessary to import current settings in order to set theses restrictions. Connections Settings is also used to remove old dial-up connection settings from users’ computers.

Automatic Browser Configuration

Automatic Configuration (auto-config) is used to update a user’s computer after deployment by specifying a URL to an .ins file, an auto-proxy URL, or both. You can set the interval in minutes for when auto-config will happen. If the interval value is left blank, or at zero, auto-config will happen only when the browser has been started and navigates to a page.

Proxy Settings

This setting specifies to which proxy servers, if any, users connect.

User Agent String (Policy mode only)

The user agent string is what the browser sends to visited servers to identify itself. It is often used to keep Internet traffic statistics. You can enter custom text that will be appended to the default Internet Explorer string. The default string is different for each platform.

URLs

Description

Favorites and Links

You can customize Favorites and Links by specifying the URLs. You can also specify the order of each folder, add an icon for each Favorite and Link, and import an existing folder structure.

Important URLs

You can specify a custom home page, search bar URL, and online support page.

Security

Description

Security Zones and Content Ratings

You can customize the settings of each security zone as well as customize the privacy settings. Content ratings enable you to prevent users from viewing sites with risky content.

Authenticode Settings

Authenticode enables you to designate software publishers as trustworthy. You can prevent users from adding new trusted publishers while using the browser. Enabling this lockdown does not prevent access to the Content control panel, but doing so is possible using the Administrative Templates Extension of Group Policy.

Programs

Description

Programs

You can import the current default programs settings. The programs selected specify which program Windows automatically uses for each Internet service.

Advanced

Description

Corporate Settings (Preference mode only)

These settings specify the location of a file containing settings used to make the browser work best for your corporation. These settings can be useful in reducing the cost of supporting applications in your corporation. Advanced features, as well as details of other features, can all be configured through these options.

Internet Settings (Preference mode only)

These settings specify the location of a file used to preset defaults for Internet Explorer settings that are not set through the IEAK Wizard. Most of these settings apply to defaults in the Internet Control Panel.

Internet Explorer Maintenance Extension Dependencies on or Interactions with Other Technologies

Deployment of Internet Explorer Maintenance Extension settings requires Group Policy in a Windows 2000 or Windows 2003 Active Directory environment, and Windows 2000 Professional or Windows XP clients running Internet Explorer.

The Internet Explorer Maintenance Extension leverages the Internet Explorer Administration Kit (IEAK) management infrastructure, a part of Internet Explorer, in order to configure Internet Explorer. IEAK is an application used to deploy and manage customized Internet Explorer software packages. The packages can be used to configure Internet Explorer, just like the Internet Explorer Maintenance Extension, or to install completely customized versions.

Internet Explorer Maintenance Extension and Internet Explorer Enhanced Security Configuration

Another Technology the Internet Explorer Maintenance Extension interacts with is the Internet Explorer Enhanced Security Configuration component of Windows Server 2003. Internet Explorer Enhanced Security Configuration, also known as Microsoft Internet Explorer Hardening, reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings. You can deploy Internet Explorer Enhanced Security Configuration settings to target computers through Internet Explorer Maintenance only if Internet Explorer Enhanced Security Configuration is enabled on the target computer. This is because the Internet Explorer Maintenance CSE stores these settings on the target computer in the equivalent registry location from where they were imported. Those registry keys are read only by Windows Server 2003 because it is currently the only operating system that supports Internet Explorer Hardening.

If Internet Explorer Enhanced Security Configuration is enabled on your computer, the sites list is read from and written to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ESCDomains.

If Internet Explorer Enhanced Security Configuration is disabled on your computer, or if your computer is running an earlier version of Windows, the sites list is read from and written to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains.

Internet Explorer Enhanced Security Configuration settings (as imported by the computer when editing the GPO) can be applied only to computers on which Internet Explorer Enhanced Security Configuration is already enabled. Likewise, if Internet Explorer Enhanced Security Configuration is disabled on your computer, you can deploy security settings and trusted sites to other servers running with Internet Explorer Enhanced Security Configuration disabled. These variables are shown in the following table.

Expected Behaviors on Target Computers for HKEY_CURRENT_USER Preferences with Internet Explorer Maintenance

Computer Importing Settings to the GPO (Your administrative computer) Windows Server 2003 with Internet Explorer Enhanced Security Configuration enabled Windows Server 2003 with Internet Explorer Enhanced Security Configuration disabled Windows 2000 Server

 

(writes to HKCU\...\ESCDomain)

(writes to HKCU\...\Domain

(reads HKCU\...\Domain)

Windows Server 2003 with Internet Explorer Enhanced Security Configuration enabled

(writes to HKCU\...\ESCDomain)

Security settings and trusted sites

No security settings or trusted sites

No security settings or trusted sites

Windows Server 2003 with Internet Explorer Enhanced Security Configuration disabled (writes to HKCU\...\Domain)

No security settings or trusted sites

Security settings and trusted sites

Security settings and trusted sites

Windows 2000 Server

(writes to HKCU\...\Domain)

No security settings or trusted sites

Security settings and trusted sites

Security settings and trusted sites

The following contains additional information that is relevant to this section.