Thinking back, I think we can all remember a time sitting in our high school computer labs, clamoring away on the keyboard trying to finish some assignment our Computer Studies teacher, Mr. Smith for the example I’m going to use in this post, had assigned. Something that I always found amazing was how the high school IT Administrators, usually also Mr. Smith, would be able to manage such an environment on a relatively tiny budget.
Today’s large corporations can afford fairly specialized IT Pro staff. However, my post today will be focusing on small IT Pro shops and providing guidance on how to customize and deploy Internet Explorer 8. In particular, I will be using the example of how Mr. Smith can use IE8 to improve the education experience of his students.
Customizing Internet Explorer 8
Though there are many ways to configure IE on your existing machines, this post will focus on the Internet Explorer Administration Kit (IEAK) and Group Policy.
IEAK allows you to deploy customized packages and manage IE settings post deployment. For instance, Mr. Smith could use IEAK to create a custom IE package for his students that has school related favorites, search providers, home pages, Web Slices, Accelerators, and more. IEAK allows you to choose preferred defaults; the end-user can still overwrite these defaults. IEAK8 is available for everyone to try. To learn more about the IEAK, check out my interview on TechNet Edge.
Group Policy, on the other hand, can be used to lock down features or settings so that a user cannot overwrite them, as they are always written to a secure tree in the registry. If you use an Active Directory environment, Group Policy provides a wide set of policy settings to manage IE8 after you have deployed it to your users' computers. (For more information on Active Directory and how to set it up, read this TechNet article.) Furthermore, Group Policy allows you to create IE (and other software) configurations as a part of Group Policy objects (GPOs). The GPOs are linked to hierarchical Active Directory containers such as sites, domains, or organizational units. A client-side extension ensures that your policies are applied and refreshed regularly. You can always configure different policies for different sets of users based on their needs. We have added approximately 140 new Group Policies in IE8 RC1. We have also conveniently put all the IE Group Policies, including IE8 policies, in an Excel format for easier reading and searching.
Now, let’s assume Mr. Smith has the following resources at Acme High School, the school where he works:
With IEAK8 and group policy, Mr. Smith can join these resources to provide a convenient and seamless experience for his students. Let’s assume that Mr. Smith would like to make customizations in the following areas:
IEAK comes in three licensing modes: Corporate, Internet Content Provider (ICP) and Internet Service Provider (ISP) modes. Each of these modes has varying degrees of customizability; the What Internet Explorer Administration Kit Can Do For You article describes the different licensing modes.
In Mr. Smith’s case, as he is distributing the customized IE internally he can use the IEAK corporate license mode.
Customized home pages are a perfect way to draw students’ attention to important school information as they open their browsers. Mr. Smith can use the Important URLs – Home page and Support dialog of the IEAK8 to add home pages like the Acme High School site, the Acme High Grades site, and the Acme High Gym schedule.
To add homepages, simply click on the Add button and provide the relevant URLs. IEAK gives the option to retain previous home pages in the upgrade scenario; in this case, Mr. Smith has chosen to ignore that option.
Instead of providing default home pages, what if Mr. Smith wanted to lock down the home pages to ensure that his students always checked the latest updates on their class websites? He can use the Disable changing home page settings and the Disable changing secondary home page settings group policies to accomplish this. Furthermore, Mr. Smith can use the Configure new tab page default behavior group policy to ensure that a new tab always opens the home page.
Policy setting names:
Disable changing home page settings
Disable changing secondary home page settings
Configure new tab page default behavior
Location: Windows Components\Internet Explorer
The following screenshot is an example of the Acme High School branded home pages that Mr. Smith could add through IEAK or Group Policy:
One of the exciting new features of IE8 is Accelerators. Accelerators can help students navigate more efficiently and can be used to promote the school resources. Mr. Smith may be interested in creating Accelerators for Acme High School email, Searching with Acme High School Library Database and Translating Spanish for Spanish 101, as examples. Instructions for creating the required Accelerator XML file can be found in the OpenService Accelerators Developer Guide.
In IEAK8, Mr. Smith can use the Accelerators dialog to import or add Accelerators.
The Import button will import Accelerators that are currently installed on Mr. Smith’s local IE8. This makes it easy for him to import his favorite Accelerators. To add Accelerators, Mr. Smith needs to click on the Add button and simply point to the Accelerator XML file. Setting an Accelerator as the default for that category allows it to appear in the main Accelerator drop down.
Group Policy gives a few options to configure Accelerators. The Deploy non-default Accelerators and Deploy default Accelerators policies allow Mr. Smith to append Accelerators to the user’s existing Accelerators. (Non-default Accelerators are Accelerators that are found in the “spillway” full Accelerators menu.) The user cannot delete these Accelerators but can continue to add additional Accelerators.
Policy setting names:
Deploy non-default Accelerators
Deploy default Accelerators
Turn off Accelerators
Use Policy Accelerators
Location: Windows Components\Internet Explorer\Accelerators
Mr. Smith has the additional option to completely turn off Accelerators or limit their use to just policy Accelerators with the Turn off Accelerators and Use Policy Accelerators policies. With all Accelerator policies, you need to place the Accelerator XML file on a network location.
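A pre-deployment review of an Accelerator XML file, as an added example that is not part of the original post: because a policy-deployed Accelerator cannot be deleted by the user, it is worth checking where each action sends the page data before placing the file on the network share. The sample XML, the host names and the two review rules (HTTPS only, approved hosts only) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"os": "http://www.microsoft.com/schemas/openservicedescription/1.0"}
VAR = re.compile(r"\{(\w+)\}")  # page variables such as {selection}

# Constructed sample Accelerator; every name and host is a placeholder.
SAMPLE_XML = """\
<openServiceDescription
    xmlns="http://www.microsoft.com/schemas/openservicedescription/1.0">
  <homepageUrl>https://library.acmehigh.example</homepageUrl>
  <display><name>Search Acme High Library</name></display>
  <activity category="search">
    <activityAction context="selection">
      <preview action="http://preview.thirdparty.example/p">
        <parameter name="q" value="{selection}" />
      </preview>
      <execute action="https://library.acmehigh.example/search" method="get">
        <parameter name="q" value="{selection}" />
        <parameter name="from" value="{documentUrl}" />
      </execute>
    </activityAction>
  </activity>
</openServiceDescription>"""

def review_accelerator(xml_text, allowed_hosts):
    """Return (name, [(kind, host, variables_sent, issues)]) for one Accelerator."""
    root = ET.fromstring(xml_text)
    name = root.findtext("os:display/os:name", default="?", namespaces=NS)
    report = []
    for kind in ("preview", "execute"):
        for el in root.iterfind(f"os:activity/os:activityAction/os:{kind}", NS):
            url = urlsplit(el.get("action", ""))
            # Variables may appear in the action URL or in <parameter> values.
            texts = [el.get("action", "")]
            texts += [p.get("value", "") for p in el.iterfind("os:parameter", NS)]
            sent = sorted({v for t in texts for v in VAR.findall(t)})
            issues = []
            if url.scheme != "https":
                issues.append("sent in cleartext")
            if url.hostname not in allowed_hosts:
                issues.append("host not approved")
            report.append((kind, url.hostname, sent, issues))
    return name, report
```

Calling `review_accelerator(SAMPLE_XML, {"library.acmehigh.example"})` reports the preview action twice: it posts the student's selection over plain HTTP and to a host outside the approved set.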
The following screenshot is an example of the Acme High School branded Accelerators that Mr. Smith could add through IEAK or Group Policy:
Another new IE8 feature is Web Slices. With Web Slices students wouldn’t need to go back to the same websites again and again for updates on Grades, Exam schedules, Gym times or trip information – those updates would come to them. In order to create a Web Slice, please refer to the Web Slice Format Specification documentation.
Web Slices can be added from the Favorites, Favorites Bar and Feeds dialog of the IEAK8. To add a Web Slice, click on the Favorites Bar and select Add URL. Give the Web Slice a name and provide the Web Slice URL, as shown below, and you’re done.
Mr. Smith can also ensure that his students won’t be deleting the Web Slices that he adds by enabling the Turn off addition and removal of feeds and Web Slices Group Policy.
Policy setting name: Turn off addition and removal of feeds and Web Slices
Location: Windows Components\RSS Feeds
The Search Provider box is another area of customization that would help students use valuable resources, like searching the Acme School Library database, encyclopedia, or even local newspapers. For information on creating search providers, please refer to the Search Provider Extensibility in Internet Explorer documentation.
Search Providers can be added in the Search Providers dialog of IEAK8. Clicking on the Import button will, as is the case with Accelerators, import Search Providers that are already on Mr. Smith’s local box. In IEAK8, we have added support for Suggests URL and Accelerator preview URL to give a rich visual search experience.
You can also add Search Providers through the Restrict search providers to a specific list of providers Group Policy. In order to use this policy, you need to create a custom Administrative Template file. Custom Administrative Template files can be created by program developers or IT professionals to extend the use of registry-based policy settings to new programs and components. To learn how to create a custom Administrative Template file to add search providers, please see this article.
The following screenshot is an example of the Acme High School branded Search Providers that Mr. Smith could add through IEAK or Group Policy:
In order to protect his students and the school resources, Mr. Smith would be very interested in locking down the security settings of his school computers.
Internet Explorer 8 security zones enable you to divide the Internet and intranet into four groups of trusted and untrusted areas, and to designate the particular safe and unsafe areas that specific Web content belongs to. This Web content can be any item, from an HTML or graphics file to a Microsoft ActiveX® control, a Java applet, or an executable program. Mr. Smith can assign sites to particular zones using the Site to Zone Assignment Group Policy. After establishing zones of trust, he can set browser security levels for each zone, by using the Zone Template Group Policies found under the Security Page node, Windows Components\Internet Explorer\Internet Control Panel\Security Page. In this manner, he can control settings for ActiveX controls, downloading and installation, scripting, cookie management, password authentication, cross-frame security, and Microsoft virtual machine (VM) capabilities.
For the template policies, it is recommended to configure them in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
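A review of a Site to Zone Assignment list before it is linked to a GPO, as an added example that is not part of the original post: it parses a .reg-style export of the policy's ZoneMapKey and flags entries that place more than the intended sites in the Local intranet or Trusted sites zone. The host names and the two review rules are assumptions made for illustration.

```python
import re

# Zone numbers used by the Site to Zone Assignment policy.
ZONES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

# Constructed sample: .reg-style export of the policy list (placeholder hosts).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey]
"https://grades.acmehigh.example"="1"
"http://library.acmehigh.example"="2"
"*.example"="2"
"https://*.acmehigh.example"="2"
"ads.tracker.example"="4"
'''

ENTRY = re.compile(r'^"(?P<site>[^"]+)"="(?P<zone>[1-4])"\s*$')

def parse_zone_map(reg_text):
    """Return [(site, zone_number)] from the ZoneMapKey section of a .reg export."""
    entries, in_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only read values that belong to the ZoneMapKey section.
            in_key = line.rstrip("]").lower().endswith(r"\zonemapkey")
            continue
        m = ENTRY.match(line) if in_key else None
        if m:
            entries.append((m["site"], int(m["zone"])))
    return entries

def review(entries):
    """Flag assignments that widen a permissive zone (1 or 2) more than intended."""
    findings = []
    for site, zone in entries:
        if zone not in (1, 2):
            continue  # Internet and Restricted assignments do not relax settings
        host = site.split("://", 1)[-1]
        # An entry without a scheme matches every protocol, including http.
        if site.startswith("http://") or "://" not in site:
            findings.append((site, ZONES[zone], "not pinned to https"))
        if host.startswith("*.") and host.count(".") < 2:
            findings.append((site, ZONES[zone], "wildcard covers a whole top-level domain"))
    return findings
```

For the sample list, `review(parse_zone_map(SAMPLE_REG))` returns three findings, all in Trusted sites: the plain-HTTP library entry, and the `*.example` entry for both rules.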
By enabling the SmartScreen Filter, Mr. Smith can help protect users from malicious sites that conduct phishing attacks or attempt to download malicious software. By configuring the “Prevent bypass” setting, he can prevent users from inadvertently ignoring SmartScreen warnings for known-malicious sites.
Policy setting name
Prevent Bypassing SmartScreen Filter Warnings
Turn off Managing SmartScreen Filter
Use SmartScreen Filter
Windows Components\Internet Explorer\Internet Control Panel\Security Page\[Per Zone]
Malicious or defective add-ons can cause browser performance or security problems. Mr. Smith can configure Group Policies to restrict which add-ons may be installed or run.
Allow third-party browser extensions
Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Windows Components\Internet Explorer\Security Features\Add-on Management
Deny all add-ons unless specifically allowed in the Add-on List
Do not allow users to enable or disable add-ons
For more information on recommended Group Policy settings for high security, please take a look at the IE8 Deployment Guide recommended security settings section.
What if Mr. Smith wants to install additional components as he is installing IE8? The Custom Components dialog of the IEAK8 is designed specifically for this purpose.
On this dialog, Mr. Smith can add up to ten components that will be installed at the same time as Internet Explorer. These components could be course specific educational software, toolbars, or any software Mr. Smith wants to include on his environment. These components can be compressed cabinet (.cab) files or self-extracting executable (.exe) files.
Custom code that is downloaded over the Internet should be signed to let users know that they can trust the code before downloading it to their computers. The default settings in Internet Explorer 8 reject unsigned code.
When you add a component, you can specify when to install it in relation to the installation of Internet Explorer. To minimize the number of restarts, you can install the component before or after Internet Explorer is installed, or after the required system restart. The Install before Internet Explorer option is usually used for batch files that configure user settings, while the Install after Internet Explorer option is usually used for software updates. The Install after system restarts option should be used if the component contains, for example, system service packs or Java Virtual Machine updates.
Customers often ask me about the other options on this dialog:
InPrivate Browsing allows users to leave no traces of their web browsing by preventing browsing history, temporary Internet files, form data, cookies and usernames/passwords from being stored or retained locally. Mr. Smith would most probably want to keep track of students’ browsing habits and can turn off this feature entirely using the Turn off InPrivate Browsing Group Policy.
Policy setting name: Turn off InPrivate Browsing
Location: Windows Components\Internet Explorer\InPrivate
If the school network sites are all designed to be used in IE7 and Mr. Smith wants to save costs in testing all of his sites, he can use the Turn on Internet Explorer 7 Standards Mode group policy. Likewise, if all of his sites are tested for IE8, but he hasn’t got around to a few, he can use the Use Policy List of Internet Explorer 8 sites group policy to determine the rendering mode on a per site basis.
Policy setting names:
Turn on Internet Explorer 7 Standards Mode
Use Policy List of Internet Explorer 7 sites
Location: Windows Components\Internet Explorer\Compatibility View
What if the computer lab had really old computers? Or maybe they are brand new and Mr. Smith wants to maximize performance? He can use the Set tab process growth group policy to configure how many processes you want per tab. The default setting will create the optimal number of tab processes based on the operating system and amount of physical memory.
He could also increase the maximum number of connections per server by using the connection scaling group policies.
Set tab process growth
Maximum number of connections per server (HTTP 1.0)
Windows Components\Internet Explorer\Security Features\AJAX
Maximum number of connections per server (HTTP 1.1)
Mr. Smith could have a mixed environment with some computers running IE7 and others running IE8. How would he go about configuring Group Policy? Mr. Smith does not need to create separate Group Policy Objects for each version of IE; the policies will apply to the version of IE that is supported. If a policy has changed behavior between IE versions, the explain text will be clear on the different behavior for each version. The Requirements field, in the policy explain text, describes the supported versions of IE.
Mr. Smith can build customized IE8 packages in 24 languages using the IEAK. The IEAK Wizard itself is localized in 24 languages. So if Mr. Dixon in France wants to build French IE8 packages using a French IEAK Wizard, he can do so. Please note that for Windows XP, the IEAK8 language needs to match the base OS language (except for English) in order to install the localized IEAK.
Deploying Internet Explorer 8
Mr. Smith has a few options to deploy his customized IE8 package. He can use IEAK to create either a full installation of IE as an .exe or .msi or a configuration-only package. The configuration-only package is a branding-only package for use when IE8 is already installed.
Mr. Smith can use System Center Configuration Manager (SCCM) or Active Directory to deploy the customized IE package. As Mr. Smith already has an Active Directory environment, this is the recommended approach. To deploy applications in Active Directory environments, the application installer must be a Windows Installer package, which means that we need to use the .msi package rather than the .exe package. To use Active Directory to deploy software, read this KB article.
As this blog has described, even a small IT Pro shop like Mr. Smith’s can use Internet Explorer 8 to help students fully realize all the resources that are available. I hope this information was useful and look forward to your feedback once you’ve had a chance to try it out.
Jatinder Mann Program Manager