Internet Explorer Administration Kit and Group Policy in IE7

I am a program manager on the Internet Explorer team and in this post I would like to share what we are doing in the manageability, customization and deployment space. The two key features are IEAK 7 - The Internet Explorer Administration Kit, and GP - Group Policy in Internet Explorer 7.

Before going on to IEAK & GP, I want to briefly talk about some terms I have used ahead -

Deployment - The process of distributing and installing a software program on a number of machines. This becomes important as administrators move up to hundreds, thousands, or even hundreds of thousands of computers.

Customization - The process of specifying the defaults, like default home page, favorites, or security settings.

Preferences - are defaults for various settings that administrators might want to provide as a one time thing. Users always have the option to change these as desired by them. E.g. administrator specifying the home page as a preference and user having the ability to change it by going to tools, internet options and general tab in Internet Explorer.

Policies - are restrictions on settings that administrators would want to enforce to respect a company policy, as opposed to allowing the users to configure the application as per their preference. Policies can be applied to any logical groups E.g. when Group Policy is set at the local computer level, everyone who logs on to the local machine is affected by the policy settings (Local Group Policy).

Manageability - ability to manage or lock down the settings in an application using policies. It is required for enforcing company policies and most importantly, to avoid misuse of the applications and safeguard interests of corporations by enforcing (policies) security settings. E.g. an administrator might want to turn on anti-phishing and avoid the users from turning it off in his organization. He can do so by setting a policy to "Turn off managing the phishing filter".

Thus in an end to end scenario,a corporate administrator might want to install (deploy) internet explorer on a number of machines in his corporation. He may want to customize it by specifying the default home page, favorites etc. He may also want to manage internet explorer by pre-specifying certain security settings and locking them down so that users can’t modify them.

Active Directory – This is a part of the Windows Server environment and is used by companies with domains and organizational units (OUs). An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed and to which a Group Policy object can be linked and policy be applied. Active Directory provides essential directory services for the domain and provides features that enable advanced controls through Group Policy.

IEAK vs. Group Policy

In an Active Directory environment, the administrator can deploy and manage Internet Explorer using the Active Directory infrastructure. He has the ability to lock down Internet Explorer settings using Group Policy. This is the best way for managing Internet Explorer settings and is consistent with how other Windows settings can be managed. Also in an Active Directory environment, a client side extension ensures that policies are applied all the time. If policies are changed, they can be refreshed immediately rather than relying on a logon or startup script of the user machine for policies to get applied.

Consider a non Active Directory environment where a corporate administrator wants to deploy, customize and manage Internet Explorer. In such a scenario, the admin can use the IEAK to perform all three.  Administrators can deploy Internet Explorer using IEAK in a variety of ways, including creating a CD or hosting on an internal server or creating flat files (all files in one directory). If you build your packages on a local area network you can select the flat file option to place all the necessary files in one folder under the target destination

For those of you who can’t use Group Policy and wish to customize Internet Explorer 7 by setting preferences, IEAK 7 is the way to go.

Target scenarios for IEAK 7

  • A corporate system admin wants to deploy IE7 and have it immediately configured according to specifications.
  • A corporate system admin wants to give IE7 to users but wants to add additional updates for internal apps in the same deployment.
  • An ISP wants to provide a customized IE7 to its users.
  • An ISV/ICP wants to include a customized IE7 with its application.
  • An OEM wants to deploy a custom IE7 package on its machine.

What is new in Internet Explorer Group Policy - We have made most existing IEM (Internet Explorer Maintenance - snap in to the Group Policy Editor) settings, including IEM preference mode settings, available outside of Preference Mode as true policies. This will provide corporate administrators greater control in locking down some of the legacy Internet Explorer settings. We have also provided policies for all new IE7 features and made the Internet Control Panel Group Policy aware.

What is new in IEAK 7? - As I described above, IEAK 7 allows deployment, customization & management of Internet Explorer for corporations, Internet Service Providers (ISPs), Original Equipment Manufacturers (OEMs), Independent Software Vendors (ISVs) and Internet Content Providers (ICPs). IEAK 7 makes this available for IE 7, providing customization abilities for all new features in IE7. Here’s a sneak preview of some of them -

Customization of Feeds -

Customize Feeds

Ability to Add Search Providers and set Default Search Providers

Ability to customize multiple Home Pages for various tabs -

Customize Multiple Home Pages

Additional improvements in IEAK 7 include -

  • Improved user experience through a better layout and structure of the wizard aimed at exposing key features in a user-friendly manner.
  • Components that shipped with previous Internet Explorer versions but are not shipping with Internet Explorer 7, such as Outlook Express and Windows Media Player, will no longer be configurable in IEAK7
  • Ability to create small branding packages that can customize existing installations of Internet Explorer 7 without requiring Internet Explorer to be downloaded on the client machine.

Thus if you have large number of machines and a number of Organizational Units (OUs) to manage, we strongly recommend Group Policy as the best way to do it. If you can’t, there are a number of changes in IEAK7 that will make your life easier. You can check out IEAK by downloading and trying the following – IEAK7 B2P or IEAK6 SP1. You can read more about IEAK at Technet.

Have a feature suggestion? Love to hear from you…

 - Puneet