IE Security Tweaks with GPO

By | October 17, 2006

If you check Microsoft’s IE security web site, the first thing you’ll see is Microsoft’s statement regarding IE security: Internet Explorer comes with improved security features that help online users protect their computers and information. This security tweak will introduce the reader to a different side of IE security.

For most computer users and administrators, securing Internet Explorer means deploying the latest security patches and tightening their Internet Properties. While these steps definitely improve security, they overlook the significant amount of control Group Policy gives you over IE. Besides being a great security enhancement, Group Policy is also a time saver for administrators who need to deploy IE security settings across the entire domain.

To secure Internet Explorer, we need to restrict some of its functionality. The functionality that should be restricted is anything that gives the ability to execute remote code. This includes plug-ins, scripts and so on.

Restricting IE functionality is possible using Group Policy (GPO). Group Policy gives system administrators a fair amount of control over Internet Explorer, particularly under Windows XP Service Pack 2. If your domain server runs anything but Windows 2003 Server, we strongly recommend managing domain policies using a Windows XP SP2 client. You can start the Group Policy editor from the command line with the command “gpedit.msc”.

Group Policy allows you to lock down Internet Explorer both per user and per machine. However, certain features can only be restricted per user. Internet Explorer policy settings are available under either Computer Configuration or User Configuration.

Using Group Policy, administrators can control almost any aspect of Internet Explorer, from the toolbar menu and Internet Settings options to approved ActiveX controls and so on. Doing so will significantly limit workstation exposure to security issues.
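
To verify on a workstation that such lockdowns have actually been applied, and at which scope, the policy registry hives can be read back. The script below is an added example, not part of the original article; the four settings it checks are an illustrative selection (the article names no specific policies), and `Get-PolicyValue` is a helper defined here.

```powershell
# Added example: report whether selected IE lockdown policies are present in the
# machine (Computer Configuration) or user (User Configuration) policy hive.
# The choice of settings is an assumption; the article lists none by name.

$zoneKey  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$panelKey = 'Software\Policies\Microsoft\Internet Explorer\Control Panel'

$settings = @(
    [pscustomobject]@{ SubKey = $zoneKey;  Name = 'Security_HKLM_only';      Hives = @('HKLM')
                       Setting = 'Security Zones: Use only machine settings' }
    [pscustomobject]@{ SubKey = $zoneKey;  Name = 'Security_options_edit';   Hives = @('HKLM')
                       Setting = 'Security Zones: Do not allow users to change policies' }
    [pscustomobject]@{ SubKey = $zoneKey;  Name = 'Security_zones_map_edit'; Hives = @('HKLM')
                       Setting = 'Security Zones: Do not allow users to add/delete sites' }
    [pscustomobject]@{ SubKey = $panelKey; Name = 'SecurityTab';             Hives = @('HKLM', 'HKCU')
                       Setting = 'Disable the Security page' }
)

# Hypothetical helper: returns the policy value, or $null when the key or
# value is absent (meaning the policy is not configured at that scope).
function Get-PolicyValue {
    param([string]$Hive, [string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path "${Hive}:\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($s in $settings) {
    foreach ($hive in $s.Hives) {
        $value = Get-PolicyValue -Hive $hive -SubKey $s.SubKey -Name $s.Name
        [pscustomobject]@{
            Setting  = $s.Setting
            Scope    = if ($hive -eq 'HKLM') { 'Computer Configuration' } else { 'User Configuration' }
            Value    = if ($null -eq $value) { '(not configured)' } else { $value }
            Enforced = ($value -eq 1)   # these policies are enabled when the DWORD is 1
        }
    }
}

$report | Format-Table -AutoSize
```

The HKCU rows reflect only the account running the script, so run it as the user whose policy you want to check.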
