Managing Internet Explorer add-ons by using Group Policy
A number of Group Policy items can help you manage Internet Explorer
add-ons throughout an organization.
Running ActiveX and Enhanced Protected Mode
By using Group Policy, you can also manage how ActiveX controls operate when Protected Mode is enabled.
- Policy Name: Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled.
- Policy Path: Windows Components, Internet Explorer, Internet Control Panel, Advanced Page.
- Policy Description: This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and offers the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
- Enabled: When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and offers the option to disable Enhanced Protected Mode for that particular website. If you enable this policy setting, Internet Explorer will not allow the user to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode.
- Disabled Or Not Configured: If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior.
Preventing the installation of add-ons
By using the following Group Policy settings, you can prevent the installation of add-ons unless those add-ons are included as part of another Group Policy, called the Add-On List.
- Policy Name: Deny all add-ons unless specifically allowed in the Add-On List.
- Policy Path: Windows Components, Internet Explorer, Security Features, Add-on Management.
- Policy Description: This policy setting enables you to ensure that any Internet Explorer add-ons not listed in the Add-On List policy setting are denied. Add-ons in this case are controls such as ActiveX controls, toolbars, and browser helper objects (BHOs), which are specifically written to extend or enhance the functionality of the browser or webpages. By default, the Add-On List policy setting (described next) defines a list of add-ons to be allowed or denied through Group Policy. However, users can still use the Add-On Manager within Internet Explorer to manage add-ons not listed in the Add-On List policy setting. This policy setting effectively removes this option from users; all add-ons are assumed to be denied unless they are specifically allowed through the Add-On List policy setting.
- Enabled: If you enable this policy setting, Internet Explorer allows only add-ons that are specifically listed (and allowed) through the Add-On List policy setting.
- Disabled Or Not Configured: If you disable or do not configure this policy setting, users can use Add-On Manager to allow or deny any add-ons that are not included in the Add-On List policy setting.
Note
CHANGING THE STATE OF AN ADD-ON
If an add-on is listed in the Add-On List policy setting, the user cannot change its state by using Add-On Manager (unless its value has been set to allow user management; see the Add-On List policy setting, which follows, for more details).
Although you might establish a Group Policy that disallows the installation of add-ons, you can still enable the installation of specific add-ons by enabling and configuring the following policy, as shown in Figure 7:
- Policy Name: Add-On List.
- Policy Path: Windows Components, Internet Explorer, Security Features, Add-on Management.
- Policy Description: This policy setting enables you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls such as ActiveX controls, toolbars, and BHOs that are specifically written to extend or enhance the functionality of the browser or webpages. This list can be used with the Deny All Add-Ons Unless Specifically Allowed In The Add-On List policy setting, which defines whether add-ons not listed here are assumed to be denied.
- Enabled: If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry you add to the list, enter the following information:
  - Name of the value: The CLSID (class identifier) for the add-on you want to add to the list. The CLSID should be in brackets, for example, {000000000-0000-0000-0000-0000000000000}. The CLSID for an add-on can be obtained by reading the OBJECT tag from a webpage on which the add-on is referenced.
  - Value: A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied, enter a 0 (zero) in this field. To specify that an add-on should be allowed, enter a 1 (one) in this field. To specify that an add-on should be allowed and to permit the user to manage the add-on by using Add-On Manager, enter a 2 (two) in this field.
- Disabled: If you disable this policy setting, the list is deleted. The Deny All Add-Ons Unless Specifically Allowed In The Add-On List policy setting will still determine whether add-ons not in this list are assumed to be denied.
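
The following is an added example, not code from the original page. It models how the Add-On List values (0, 1, 2) combine with the Deny All Add-Ons Unless Specifically Allowed In The Add-On List setting for a given CLSID, and collects CLSIDs from OBJECT tags as described above. The function names, sample HTML and CLSIDs are constructed for illustration, and the standard 8-4-4-4-12 hexadecimal CLSID layout is assumed.

```powershell
# Added example. Function names, sample HTML and CLSIDs are constructed.
# Assumes the standard 8-4-4-4-12 hexadecimal CLSID layout. Reads no registry data.
$GuidRx = '[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

function Get-ObjectTagClsid {
    # Collect CLSIDs from OBJECT tags, brace-wrapped for use as Add-On List value names.
    param([string]$Html)
    $pattern = '(?i)<object\b[^>]*\bclassid\s*=\s*["'']?clsid:(' + $GuidRx + ')'
    [regex]::Matches($Html, $pattern) |
        ForEach-Object { '{' + $_.Groups[1].Value.ToUpperInvariant() + '}' } |
        Sort-Object -Unique
}

function Test-AddOnListEntry {
    # Valid entry: brace-wrapped CLSID as the name, and 0, 1 or 2 as the value.
    param([string]$Clsid, [string]$Value)
    ($Clsid -match ('^\{' + $GuidRx + '\}$')) -and ($Value -in '0', '1', '2')
}

function Resolve-AddOnState {
    # Effective outcome for one add-on when both policies are taken together.
    param(
        [hashtable]$AddOnList,     # CLSID -> '0' (deny) | '1' (allow) | '2' (allow, user-managed)
        [bool]$DenyUnlessListed,   # state of the "Deny all add-ons unless..." policy
        [string]$Clsid
    )
    if ($AddOnList.ContainsKey($Clsid)) {
        switch ($AddOnList[$Clsid]) {
            '0'     { return 'Denied (user cannot change)' }
            '1'     { return 'Allowed (user cannot change)' }
            '2'     { return 'Allowed (user can manage in Add-On Manager)' }
            default { return 'Invalid list value' }
        }
    }
    if ($DenyUnlessListed) { return 'Denied (not in Add-On List)' }
    return 'User decides in Add-On Manager'
}

# Constructed page markup and a constructed one-entry Add-On List.
$html = @'
<object classid="clsid:11111111-2222-3333-4444-555555555555"></object>
<OBJECT CLASSID='CLSID:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'></OBJECT>
'@
$list = @{ '{11111111-2222-3333-4444-555555555555}' = '1' }

# Flag malformed entries before they go into the policy, then resolve each CLSID seen.
$list.GetEnumerator() | Where-Object { -not (Test-AddOnListEntry $_.Key $_.Value) }
foreach ($clsid in Get-ObjectTagClsid -Html $html) {
    '{0} -> {1}' -f $clsid, (Resolve-AddOnState -AddOnList $list -DenyUnlessListed $true -Clsid $clsid)
}
```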