New group policy settings for Internet Explorer 11

Caution

Update: The retired, out-of-support Internet Explorer 11 desktop application has been permanently disabled through a Microsoft Edge update on certain versions of Windows 10. For more information, see Internet Explorer 11 desktop app retirement FAQ.

Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including:

Policy Category Path Supported on Explanation
Allow IE to use the HTTP2 network protocol Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page IE11 on Windows 10 This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.

If you enable this policy setting, IE uses the HTTP2 network protocol.

If you disable this policy setting, IE won't use the HTTP2 network protocol.

If you don't configure this policy setting, users can turn this behavior on or off, using the Internet Explorer Advanced Internet Options settings. The default is on.

Allow IE to use the SPDY/3 network protocol Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page IE11 on Windows 10 This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.

If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.

If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.

If you don't configure this policy setting, users can turn this behavior on or off, on the Advanced* tab of the **Internet Options dialog box. The default is on.

Note
We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the Allow IE to use the HTTP2 network protocol setting.

Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar Administrative Templates\Windows Components\Internet Explorer IE11 on Windows 10 This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.

If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the Suggestions setting on the Settings charm.

If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the Suggestions setting on the Settings charm.

If you don’t configure this policy setting, users can change the Suggestions setting on the Settings charm.

Allow only approved domains to use the TDC ActiveX control
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
IE11 in Windows 10 This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the Internet and Restricted Sites security zones.

If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.

If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone.

Allow SSL3 Fallback Administrative Templates\Windows Components\Internet Explorer\Security Features Internet Explorer 11 on Windows 10 This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.

If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.

If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.

Important:
By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks.

Allow VBScript to run in Internet Explorer
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Internet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Intranet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Local Machine Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Internet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Intranet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Local Machine Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Restricted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Trusted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Restricted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Trusted Sites Zone
Internet Explorer 11 This policy setting lets you decide whether VBScript can run on pages in specific Internet Explorer zones.

If you enable this policy setting (default), you must also pick one of the following options from the Options box:

  • Enable. VBScript runs on pages in specific zones, without any interaction.
  • Prompt. Employees are prompted whether to allow VBScript to run in the zone.
  • Disable. VBScript is prevented from running in the zone.

If you disable or don’t configure this policy setting, VBScript runs without any interaction in the specified zone.

Always send Do Not Track header Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page At least Internet Explorer 10 This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.

If you enable this policy setting, IE sends a DNT:1 header with all HTTP and HTTPS requests. The DNT:1 header signals to the servers not to track the user.

In Internet Explorer 9 and 10:
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.

In at least IE11:
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.

If you don't configure the policy setting, users can select the Always send Do Not Track header option on the Advanced* tab of the **Internet Options dialog box. By selecting this option, IE sends a DNT:1 header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a DNT:0 header. By default, this option is enabled.

Don't run antimalware programs against ActiveX controls
(Internet, Restricted Zones)
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
IE11 on Windows 10 This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's Security settings.

Don't run antimalware programs against ActiveX controls
(Intranet, Trusted, Local Machine Zones)
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
IE11 on Windows 10 This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's Security settings.

Hide Internet Explorer 11 Application Retirement Notification Administrative Templates\Windows Components\Internet Explorer Internet Explorer 11 on Windows 10 20H2 & newer This policy setting allows you to prevent the notification bar that informs users of Internet Explorer 11’s retirement from showing up.
If you disable or don’t configure this setting, the notification will be shown.
Hide the button (next to the New Tab button) that opens Microsoft Edge User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ IE11 on Windows 10, version 1703 This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.

If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.

If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.

If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees.

Let users turn on and use Enterprise Mode from the Tools menu Administrative Templates\Windows Components\Internet Explorer IE11 on Windows 10 This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.

If you enable this policy setting, users can see and use the Enterprise Mode option from the Tools menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.

If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally.

Limit Site Discovery output by Domain Administrative Templates\Windows Components\Internet Explorer At least Internet Explorer 8 This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.

Note:
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit.

Limit Site Discovery output by Zone Administrative Templates\Windows Components\Internet Explorer At least Internet Explorer 8 This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones.

To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

  • 0 – Restricted Sites zone
  • 0 – Internet zone
  • 0 – Trusted Sites zone
  • 0 – Local Intranet zone
  • 0 – Local Machine zone

Example 1: Include only the Local Intranet zone (binary representation: 00010), based on:
  • 0 – Restricted Sites zone
  • 0 – Internet zone
  • 0 – Trusted Sites zone
  • 1 – Local Intranet zone
  • 0 – Local Machine zone

Example 2: Include only the Restricted Sites, Trusted Sites, and Local Intranet zones (binary representation: 10110), based on:
  • 1 – Restricted Sites zone
  • 0 – Internet zone
  • 1 – Trusted Sites zone
  • 1 – Local Intranet zone
  • 1 – Local Machine zone

Note:
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit.

Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History At least Windows Internet Explorer 9 In Internet Explorer 9 and Internet Explorer 10:
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the Personalized Tracking Protection List, which blocks third-party items while the user is browsing.

In IE11:
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the Delete Browsing History dialog box, for visited websites.

If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks Delete.

If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks Delete.

If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking Delete.

Send all sites not included in the Enterprise Mode Site List to Microsoft Edge Administrative Templates\Windows Components\Internet Explorer IE11 on Windows 10, version 1607 This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.

If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.

If you disable or don't configure this policy setting, all sites will open based on the currently active browser.

Note:
If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11.

Show message when opening sites in Microsoft Edge using Enterprise Mode Administrative Templates\Windows Components\Internet Explorer IE11 on Windows 10, version 1607 This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears.

Turn off automatic download of the ActiveX VersionList Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management At least Windows Internet Explorer 8 This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.

If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.

If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.

Important:
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) topic.

Turn off loading websites and content in the background to optimize performance Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page IE11 on Windows 10 This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.

If you enable this policy setting, IE doesn't load any websites or content in the background.

If you disable this policy setting, IE preemptively loads websites and content in the background.

If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default.

Turn off phone number detection Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing IE11 on Windows 10 This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.

If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.

If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.

If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on.

Turn off sending URL path as UTF-8 User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding At least Windows Internet Explorer 7 This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.

If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.

If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.

If you don't configure this policy setting, users can turn this behavior on or off.

Turn off sending UTF-8 query strings for URLs Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page IE11 on Windows 10 This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.

If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:

  • 0. Never encode query strings.
  • 1. Only encode query strings for URLs that aren't in the Intranet zone.
  • 2. Only encode query strings for URLs that are in the Intranet zone.
  • 3. Always encode query strings.

If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8.

Turn off the ability to launch report site problems using a menu option Administrative Templates\Windows Components\Internet Explorer\Browser menus Internet Explorer 11 This policy setting allows you to manage whether users can start the eport Site Problems dialog box from the Internet Explorer settings area or from the Tools menu.

If you enable this policy setting, users won’t be able to start the Report Site Problems dialog box from the Internet Explorer settings or the Tools menu.

If you disable or don’t configure this policy setting, users will be able to start the Report Site Problems dialog box from the Internet Explorer settings area or from the Tools menu.

Turn off the flip ahead with page prediction feature Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page At least Internet Explorer 10 on Windows 8 This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.

If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

If you don’t configure this setting, users can turn this behavior on or off, using the Settings charm.

Note
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop.

Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page IE11 on Windows 10 This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.

Important
When using 64-bit processes, some ActiveX controls and toolbars might not be available.

Turn on Site Discovery WMI output Administrative Templates\Windows Components\Internet Explorer At least Internet Explorer 8 This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as Microsoft Configuration Manager.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

Note:
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit.

Turn on Site Discovery XML output Administrative Templates\Windows Components\Internet Explorer At least Internet Explorer 8 This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.

Note:
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit.

Use the Enterprise Mode IE website list Administrative Templates\Windows Components\Internet Explorer IE11 on Windows 10, version 1511 This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.

If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server (https://), to help protect against data tampering.

If you disable or don’t configure this policy setting, Internet Explorer opens all websites using Standard mode.

Removed Group Policy settings

IE11 no longer supports these Group Policy settings:

  • Turn on Internet Explorer 7 Standards Mode

  • Turn off Compatibility View button

  • Turn off Quick Tabs functionality

  • Turn off the quick pick menu

  • Use large icons for command buttons

Viewing your policy settings

After you've finished updating and deploying your Group Policy, you can use the Resultant Set of Policy (RSoP) snap-in to view your settings.

To use the RSoP snap-in

  1. Open and run the Resultant Set of Policy (RSoP) wizard, specifying the information you want to see.

  2. Open your wizard results in the Group Policy Management Console (GPMC).

    For complete instructions about how to add, open, and use RSoP, see Use the RSoP Snap-in