Windows XP SP2 introduces new registry keys and values for Microsoft Internet Explorer security features. These security features, called Feature Control, have been incorporated in Windows Server 2003 SP1. This section explains the behavior of the Feature Control registry settings with each security feature.
A modified Inetres.adm file contains the Feature Control settings as policies. Administrators can manage the Feature Control policies by using GPOs. When Internet Explorer is installed, the default Feature Control settings are registered on the computer in HKEY_LOCAL_MACHINE. In Group Policy, the Administrator can set them in either HKEY_LOCAL_MACHINE (Computer Configuration) or HKEY_CURRENT_USER (User Configuration).
The new Feature Control policies are:
Binary Behavior Security Restriction
MK Protocol Security Restriction
Local Machine Zone Lockdown Security
Consistent Mime Handling
Mime Sniffing Safety Feature
Object Caching Protection
Scripted Window Security Restrictions
Protection From Zone Elevation
Information Bar
Restrict ActiveX Install
Restrict FileDownload
Network Protocol Lockdown
The Feature Control policies can be found in the Group Policy Management Console (GPMC). To locate the local computer policies, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsInternet ExplorerSecurity Features
To locate the current user policies, follow this path:
User ConfigurationAdministrative TemplatesWindows ComponentsInternet ExplorerSecurity Features
The policy for the feature must be enabled for the process—for example, IExplore.exe—before the zones’ individual security setting policies or preferences are applied.
Administrators of Group Policy can manage these new policies in the Administrative Templates extension to the GPMC. When configuring these policies, the administrator can enable or disable the security feature for explorer processes (Internet Explorer and Windows Explorer), for executable processes he has defined, or for all processes that host the WebOC.
Users cannot see any of the Feature Control policies or preference settings in Internet Explorer except Local Machine Zone Lockdown Security. Feature Control policies can be set only by using the GPMC, and Feature Control preference settings can be changed only programmatically or by editing the registry.
Group Policy is the recommended tool for managing Internet Explorer for client computers on a corporate network. Internet Explorer supports Group Policy management for the Internet Explorer feature controls included in Windows XP SP2 and Windows Server 2003 SP1 as well as for Security page settings or URL Actions. Administrators of Group Policy can manage these policy settings in the Administrative Templates extension of the GPMC.
When you implement policy settings, you should configure template policy settings in one GPO and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (such as precedence, inheritance, or enforce) to apply individual settings to specific client computers.
Policies can be read by users but can be changed only by Group Policy management or by an administrator. You can change preference settings programmatically by editing the registry or, in the case of URL Actions, by using Internet Explorer.
For operating systems earlier than Windows XP SP2 and Windows Server 2003 SP1 and for previous Internet Explorer versions, Internet Explorer Kit/Internet Explorer Maintenance (IEAK) 6.0 SP1 is the recommended tool for solution providers and application developers to customize Internet Explorer for users. IEAK support and the IEAK/IEM process does not change for Internet Explorer versions before Windows XP SP2. The process also has not changed for using IEAK/IEM to set user setting preferences in Internet Explorer versions before and including Windows Server 2003 SP1. This includes the new Internet Explorer 6.0 in Windows XP SP2 and Windows Server 2003 SP1 preference settings. However, the true policy settings incorporated by this feature can be managed only within Group Policy.
More Info
For more information about IEAK, see "Microsoft Internet Explorer 6 Administration Kit Service Pack 1" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=26002.