Utility SpotlightInternet Explorer Administration Kit

Lance Whitney

Download the code for this article: Utility Spotlight: Internet Explorer Administration Kit 7 (KB)

Your CIO has asked you to install the latest version of Internet Explorer 7 throughout your organization. The deadline is tight, the budget is small, and the requirements are many. You need a customized package that will apply the same features and settings to all your users. You also need to be able to change those settings whenever necessary.

Plus, you need to lock down Internet Explorer® so users can't modify any settings. How can you create and deliver this type of Internet Explorer install quickly and easily?

Here's Microsoft to your rescue with the Internet Explorer Administration Kit, affectionately known as IEAK. This free configuration tool was created to help IT administrators, developers, ISPs, and others create customized installation packages for Internet Explorer. In fact, Yahoo! employed the beta version of IEAK 7 to create a customized Internet Explorer 7 package to download from the Yahoo! Web site.

The Internet Explorer 7 build you create with IEAK needs include only the features and options you specify. You can enable specific security settings and lock out any controls you don't want your users to access.

After Internet Explorer is deployed, those of you with Active Directory® can, of course, use Group Policy to control and update the browser settings. Or, if you like, you can use IEAK to manage the diverse array of Internet Explorer settings.

IEAK 7 is user-friendly, more so than previous versions, providing a simple graphical interface to create your Internet Explorer package. Step-by-step screens guide you along as you select the features and options to incorporate into your build.

The new release of IEAK offers a few changes over prior versions, with some options added and some retired. You now can add default RSS Web feeds to your Internet Explorer build, point to more than one home page and search page, and add support for an anti-phishing filter. You can also set the Microsoft® Windows® Malicious Software Removal Tool to run and update. However, you can no longer customize Outlook® Express and Windows Media® Player with IEAK as those applicationss aren't included with Internet Explorer 7.

You can create an Internet Explorer package for 32-bit or 64-bit platforms-Windows XP with Service Pack 2 (SP2), Windows Server® 2003 with SP1, or Windows Vista™-x86-based, x64-based, or Itanium-based. Before you run IEAK 7, Internet Explorer 7 must be installed on the PC you use to create your package. For compatibility, you should run IEAK on a computer with the same OS as the computers on which you'll apply the build.

In this column, I'll discuss how to use IEAK to create your Internet Explorer 7 installation build and maintain or update your browser settings.

How to Get IEAK 7

You can download the latest version of IEAK 7 for free from microsoft.com/technet/prodtechnol/ie/ieak7. In addition, this page provides documentation and release notes on IEAK, which are worth reading.

When you install IEAK 7 through the downloaded ieak.msi file, you're asked what type of license to use based on your role-ISP, Content Provider or Developer, or via a Corporate Intranet. The screens you see and the type of package you build vary, depending on the role you choose. Thus, if you're creating the build for a business environment, be sure to select the role and license for a Corporate Intranet. After IEAK is installed, a new Program Group called Microsoft IEAK 7 is created on your Start menu containing three items-IEAK Help, IEAK Profile Manager, and Internet Explorer Customization Wizard.

You'll use the Internet Explorer Customization Wizard to build your installation package. Using this wizard is fairly simple as each screen leads you through the process of designing your package. So, what's the catch? Well, knowing how to configure each option requires a clear understanding of the features and controls in Internet Explorer. Fortunately, IEAK 7 can help here too. The tool's built-in help is more detailed and descriptive than in previous versions. A Help button appears on each screen of the Customization Wizard to explain that screen's settings and options. You can access the entire IEAK help file from the IEAK Help shortcut or through the IEAKHelp.chm file in C:\Program Files\Microsoft IEAK 7. I recommend reading the documentation before you create your build to understand each component and plan out the options you require.

The Customization Wizard divides the package creation into the following five distinct stages:

  1. Gathering Information
  2. Specifying Setup Parameters
  3. Customizing the Setup Experience
  4. Customizing the Browser
  5. Additional Customization

Microsoft has streamlined the number of screens you must contend with in IEAK 7, so the process is clearer and cleaner than in prior versions. However, the Customization Wizard still conjures up dozens of screens where you choose the options for your package. As a result, I won't go through every screen in this column-many of them are self-explanatory and I've explained how to access Help for the more intricate ones. Instead, I will provide a brief description of what each stage does and discuss a few of the more important screens.

Stage 1 Gathering Information Here you decide where to store your installation package, what OS and platform it will run on, how you wish to distribute Internet Explorer, and which options to customize. In this stage, you can specify any of three distribution methods for Internet Explorer 7, as displayed in Figure 1-a File installation, which creates a flat directory structure with the files that comprise your build; CD-ROM, which creates an installation disk (handy if you support remote users); and a Configuration-only or Branding-only package, which applies your customized settings to an existing installation of Internet Explorer 7. You might use the last option for Windows Vista if Internet Explorer 7 is already installed, and you want to apply your own customizations to it.

Figure 1 Specifying a Distribution Method

Figure 1** Specifying a Distribution Method **(Click the image for a larger view)

In this stage you also specify which language to use for your build. You can create localized versions of Internet Explorer 7 for each language you need to support.

Stage 2 Specifying Setup Parameters Here you download the latest components and updates for Internet Explorer to build your package.

Stage 3 Customizing the Setup Experience In this stage you choose the installation your users will receive-Interactive (where the user is presented with choices during the installation), Hands-free (where the user can see the installation taking place, but cannot intervene), or Completely Silent (where the installation runs completely in the background without user interaction). If you're building a CD-ROM, this stage will prompt you to create a start page and other elements for the CD.

Stage 4 Customizing the Browser Here you customize the appearance of Internet Explorer; set the URLs for Home Page, Support Page, and Favorites; configure your proxy settings; and establish the privacy and security settings for the browser. In this stage, you can also specify the name and location for an auto-configuration file, or an Internet settings (INS) file, with which you can manage your browser settings if you don't use plan to use Group Policy.

The INS file is a simple text file that contains all the major browser settings, from home page to Favorites to security options to proxy configuration. You store this INS file on an internal Web server. Each PC then points to this file to get its browser settings. If you need to modify any setting in the future, simply edit the INS file, and your users automatically receive that change. You can specify the frequency at which the settings are updated and applied.

Also in this stage is the opportunity to establish your proxy servers, either by manually entering their IP addresses and port numbers or by creating and specifying the name of a JScript® (JS), JavaScript (JVS), or Proxy Auto-Configuration (PAC) file with your proxy information. IEAK Help provides examples of code you can use to create these files.

You can also enable Protected Mode if you're designing an Internet Explorer 7 package in and for Windows Vista. You just simply turn on Protected mode in Internet Explorer 7 on your reference PC and then import that setting into IEAK.

Stage 5 Additional Customization Finally, in this stage, you set user policies and security restrictions for your build. You can selectively lock out individual settings you don't want your users to see or modify. Figure 2 displays the Additional Settings screen with five categories of controls you can enable or disable. The settings on these screens are drawn from five ADM templates for Internet Explorer 7, which are installed after you download the latest browser components in Stage 2 of the wizard. If you use Group Policy, you can bypass this stage. If not, then you can configure the options in the five categories. As these categories come directly from the ADM templates, you can even modify them by editing each ADM file in a text editor to add your own customized controls. The ADM files are located in C:\Program Files\Microsoft IEAK 7\pol-icies under different subdirectories for each Windows operating system and platform. Figure 3 displays the five categories with a brief description of each.

Figure 3 Categories in Additional Settings Screen

Category Description
Control Management This category lets you enable or disable certain ActiveX controls. The settings in this category don't apply to Windows Vista, only to Windows XP and Windows Server 2003.
Custom Settings This category displays security settings. You can enable or disable certain controls and actions by zone (Internet, Intranet, Trusted Sites, or Restricted Sites).
Corporate Settings In this category, you can set the size and parameters for the browser cache.
Corporate Restrictions Here you can lock out specific controls and screens in Internet Explorer so that your users can't see them. These settings don't apply to Windows Vista, only to Windows XP and Windows Server 2003.
Internet Settings This category offers options for AutoComplete, display size, and the advanced settings displayed in the Internet Options menu of Internet Explorer.

Figure 2 Customizing Internet Explorer Features

Figure 2** Customizing Internet Explorer Features **(Click the image for a larger view)

Checking the Build

After you complete the screens in the Customization Wizard, your package is created in the location you specified in Stage 1 or by default in c:\builds. Under this will be the destination directory-IEAK uses the current date for this directory name, for example, 01012007 for January 1, 2007. Under this will be two subdirectory paths, one named INS and the other with the name of the distribution method you chose-FLAT, CD, or BrndOnly.

The INS directory acts as a workspace or repository that keeps track of your customizations as you build your package. A text file in this directory called install.ins stores all the settings you create. If you restart the Customization Wizard, your previous selections are automatically picked up from this file.

The FLAT, CD, or BrndOnly directories store the actual installation files. Under any of these three locations will be a subdirectory named for the OS and platform, such as WIN32 for 32-bit Windows XP or Windows Vista. The final subdirectory is named for the language you used for your package, such as EN for English. As an example, if you created a build on January 1, 2007 using a Flat distribution for 32-bit Windows in English, the directory path of your build would be c:\builds\01012007\FLAT\WIN32\EN.

To find the installation created with a Flat distribution method, drill down through the FLAT directory structure until you see the IE7Setup.exe file in the language subdirectory. This is a self-extracting executable containing all the binaries and configuration files that make up your build. This file is all you need to deploy your Internet Explorer 7 package (the files in the INS directory are not required for installation). You can copy this single file to your distribution server to test your package, and then when ready, deploy it to your users.

If you chose a CD-ROM distribution, you must copy everything from within the CD directory to your CD. This includes an autorun.inf file, which is automatically generated, and a directory with the executable file that installs Internet Explorer from the CD.

If you built a Configuration-only or Branding-only package, drill down through the BrndOnly directory structure until you see the Setup.exe file in the language subdirectory. This is a self-extracting executable, which you can copy to your distribution server for deployment.

Managing Your Settings

Your Internet Explorer 7 package contains all the features and settings you need initially. But what do you do when you need to change an option? You have two choices. If you have Active Directory you can update your browser settings using Group Policy. If not, IEAK provides a tool called Profile Manager to modify the settings. Let's look briefly at Group Policy first.

Using Group Policies Group Policy is the best method for managing Internet Explorer as it supports all browser settings. With past versions of IEAK and Internet Explorer, you'd have to add ADM files and Internet Explorer Maintenance (IEM) files to your Group Policy console to incorporate all of the settings for Internet Explorer. But for Internet Explorer 7, Windows XP SP2 and Windows Vista include all necessary Group Policy settings to maintain and update the browser.

If you open the Group Policy Editor (gpedit.msc), you'll find all the required settings for Internet Explorer 7 under Administrative Templates | Windows Components | Internet Explorer.

Using IEAK Profile Manager With the IEAK Profile Manager you build and create the autoconfiguration, or INS file, to store the settings for Internet Explorer 7. Profile Manager initially requires you to load or create a new INS file. You could start from scratch and create a new INS file with the same settings you configured in the Customization Wizard. But why duplicate work? When you built your package IEAK created the default install.ins file to store the browser settings. Instead of creating a new INS file in Profile Manager, use install.ins. To load this file, browse to the INS path in your builds directory, say c:\builds\01012007\INS. Drill down through the remaining subdirectories until you see the file.

Profile Manager divides its settings into two sections, as you can see in Figure 4. The Wizard Settings cover browser options such as home page, proxy settings, and security zones. These correspond to the settings in Stages 3-5 of the Customization Wizard. The Policies and Restrictions section controls user restrictions and corresponds to the settings in the five categories from Policies and Restrictions in Stage 5 of the Customization Wizard.

Figure 4 Configuring Internet Explorer Using Profile Manager

Figure 4** Configuring Internet Explorer Using Profile Manager **(Click the image for a larger view)

Since you already defined these settings when you built your package, you shouldn't need to modify anything. This is, however, a good opportunity to review all the settings you chose for your package to make sure they're accurate.

After you've verified the settings in Profile Manager, save the install.ins file elsewhere and then copy it to an internal Web server. To do this you'll need to enter the Universal Naming Convention (UNC) path of the server, the same path you specified in the Automatic Configuration screen in Stage 4 of the Customization Wizard. You're also prompted to save a CAB file along with the INS file, displayed in Figure 5. Why? When you modify your Internet Explorer 7 settings with Profile Manager, IEAK often needs to download Registry entries to your Windows clients. These entries are stored in INF files, which are then stored in a CAB file. If the version number of the INS file changes due to new modifications, a new CAB file gets generated for download. Store the CAB file in the same location on your Web server as your INS file.

Figure 5 Saving Your Auto-Configuration Files

Figure 5** Saving Your Auto-Configuration Files **(Click the image for a larger view)

It's a good idea to then make copies of both the INS file and the CAB file and save them to different locations on your Web server. Think of these as both your backup copies and your test copies. When you modify your Internet Explorer settings with Profile Manager in the future, you can load and modify your test INS file to test your changes before you modify the live INS file.

Changing a browser setting or control through Profile Manager is simple. Just select the appropriate category and you can enable or disable any of its options. After you've made your changes, resave the INS file and then copy it back to your server.

One more recommendation: the INS file is a simple text file. You can open it in Notepad to view its settings. Can you also edit the INS file in Notepad? You can, and the settings will take effect. However, using Profile Manager to modify the INS file provides a couple of benefits. Profile Manager automatically generates a CAB file if one is needed, and it also stamps the INS file with a new version number each time it's modified. Therefore, you should always use Profile Manager to modify your INS file.


IEAK is an effective tool for creating and customizing your Internet Explorer 7 build quickly and efficiently. The latest version, IEAK 7, boasts several improvements over previous versions (clearer screens, more helpful Help) to work with you to design your installation package. By understanding and using IEAK, you should be able to deliver a reliable Internet Explorer 7 installation to your users and please your CIO at the same time.

Automatic Delivery of Internet Explorer 7

Microsoft plans to distribute Internet Explorer 7 as a high-priority update through Automatic Updates and through the Windows Update and Microsoft Update sites shortly after the final version of Internet Explorer 7 is released. This may pose a problem for you as an administrator, depending on your environment. If your users don't have local admin rights, they won't receive this update. Also, if you manage your environment with Microsoft Systems Management Server (SMS) or Windows Server Update Services (WSUS), then you already control the updates your users receive. If, however, some or all of your users have local admin rights and you have no system to manage updates, then you may need to block the Internet Explorer 7 update. Microsoft has created an Internet Explorer 7 Blocker Toolkit. This Toolkit (available from the Microsoft Download Center) includes both a Group Policy template and a script that sets a registry key to prevent the Internet Explorer 7 update from running.

Lance Whitney is an IT consultant, trainer, and technical writer. He's created and supported installation packages for Internet Explorer since version 4.0. Originally a journalist, he took a blind leap into the IT world about 15 years ago.

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.