Select Page

A recent thread on the GPOGUY.COM GPTalk Mailing list prompted me to write about managing IE settings using Group Policy. In an article I wrote for Windows IT Pro Magazine in 2011, I talked about the various technologies in Group Policy that you can use to manage IE configuration. It’s definitely a mixed bag, with no less than 3 different policy areas that can be used, depending upon the setting and the desired effect. In the case of the IE Popup Blocker (see user interface below) you have a number of different options you can configure, including the “Allow-list” of websites that are allowed to show popups.

IE's Popup Blocker Configuration

IE's Popup Blocker Configuration

This allow list is configurable via Group Policy, and is configurable in one of three ways–either through Administrative Templates, IE Maintenance Policy or GP Preferences. From an end-user functionality perspective, IE Maintenance and GP Preferences are nearly identical.  I summarize each of the behavior in the table below. The key thing to recognize is that if you manage the Popup Allow List using Administrative Templates, the user will not see the domains that you’ve added via the policy, but they will be able to add and remove their own. This is unlike the other two, which let the user add and remove both their own and the policy managed sites. Note that all of my testing was using IE9. Other versions of IE could behave differently (it would not surprise me!)

Policy Area  Behavior for End User Effect of a GP Refresh &   Policy Removal
Computer (or User) Configuration\Administrative Templates\Windows   Components\Internet Explorer\Pop-up Allow List User cannot see the administratively assigned domains in the pop-up allow list but they can add and remove their own domains GP refresh will not have a visible effect on the end user. When policy   is removed administratively added domains will be removed, but user will not notice
User Configuration\Windows Settings\IE Maintenance \Security\Security Zones and Content Ratings\Privacy User sees the administratively assigned domains in the allow-list and can remove them or add their own. If the user removed one of the administratively assigned domains, a refresh will put it back. Removing the policy will leave any administratively assigned domains in the list.
User Configuration\Preferences\Control Panel Settings\Internet Settings Same behavior as IE Maintenance Same behavior as IE Maintenance

 

Of course, IE Maintenance comes with its own set of baggage, as some of you who have used it know. If it were me, I would stick to either Admin Templates or GP Preferences to configure the allow list, depending upon your needs.

Darren