Internet Explorer Maintenance settings within Group Policy not getting applied for Internet Explorer 10
I’m a big fan of Microsoft. I prefer nearly all of their products to the competitors. Windows RT? Love it. Windows Phone? Love it. Microsoft Office? Mostly love it. Hotmail, SQL Server, Windows Server, Windows 7 and 8, Exchange Server and more I use and like a lot. Sometimes though I have to scratch my head and wonder what someone at Microsoft was thinking. Exchange 2013 brought a lot of good improvements. The web interface for managing it is great. There’s several things they changed that I’m still scratching my head about (mailbox delegation, anti-spam functionality and a few others).
Today I’m scratching my head about changes to Group Policy regarding Internet Explorer 10. I have a handful of generic domain accounts that I don’t want on the internet. They can access a few internet sites but mostly just intranet sites are allowed. Up to this point I use Group Policy – Internet Explorer Maintenance settings to control that stuff. You can enforce proxy settings and exceptions. So, I make these generic users have a proxy address of 127.0.0.1 for all internet traffic and I feed it a list of exceptions I want to allow. It’s not full proof, I know. A slightly savvy user could get around these restrictions a few different ways but I’m not concerned with that. I just want to make sure I’m doing something to block the normal user.
Here’s another head scratcher. Why are there all kinds of Internet Explorer settings under the Administrative Templates/Windows Components/Internet Explorer and yet no connection settings there? Why not just put the connection settings there and be done with it? There’s probably a perfectly good explanation for that, surely.
Anyways, I’ve been loading several new Windows 7 machines and I noticed they were able to access the internet after running all of the Windows updates. What’s up with that? Well after much head scratching and running gpresult and web searches I finally find a document about how the Internet Explorer Maintenance settings were deprecated in favor of the Group Policy preferences. Here is a document about the replacements as well.
Ok, I’m used to change. I try new phones and tablets and devices all the time. I can adapt. I poke around and try to setup a set of preferences for IE 10. You have to create the preferences in the Internet Settings of your group policy. It’s a little funky. You have to right click and select new. Well I do that and there’s two items “Internet Explorer 5 and 6″ and “Internet Explorer 7.” Huh? I’m doing the group policy editing on a Server 2008 machine with Service Pack 2 installed. There’s no option for IE 8,9 or 10 (Oh, and what happens when 11,12 and 13 come out?). Sheesh. (What’s the gorilla have to do with this post? Nothing. His look is how I’m feeling at this point.)
More head scratching, more web searches and finally I find someone that says you can only make Internet Explorer 10 preference settings on a machine with Group Policy editor running Windows 8 or Server 2012. I haven’t deployed Windows 8 just yet but my workstation is running it. So, I install the Remote Server Administration Tool for Windows 8.1. This give me the Group Policy editor, I launch it using a Domain Admin account and now I can see a set Preference settings for “Internet Explorer 8 and 9″ and “Internet Explorer 10.” Sweet! I’m almost there right? Nope.
Next I go through and create a set of preferences for Internet Explorer 10 and I set the home page and the proxy settings and the exclusions. Go back to the Windows 7 machine I started with and run gpupdate /force. Open Internet Explorer and……only a few of the preferences I configured are set. The proxy address isn’t and the exclusions aren’t. Seriously? I’m getting tired and irritated by now.
More head scratching, more web searches and I run across a forum post where someone explains the green lines and the red dashed lines that are on the settings screen. I saw them but didn’t really take notice of them. Well the red dashed lines means that setting “may” getting applied and the green line means that setting will always get applied. There’s nothing on the screen that indicates this nor is there anything that says that you can change it from red dashed to green. You have to hit F6 on the setting to change it from red dashed to green. You can hit F7 to change it from green to red dashed.
After changing those things and running gpupdate /force on my Windows 7 machine the settings are applied and all is well. Until someone at Microsoft decides to change it to something else. Or IE 11 comes out. Or the moon becomes full.