Sunday, August 16, 2009

how to lock down internet explorer 8 with GPO registry

Please purchase these instructions for $4.99 USD here (a value of over $100 for Microsoft support) :










In my search to lock down internet explorer 8 with group policy objects through registry entries I have found the following techniques work best:

1. You may want use the default settings from IE8 group policy objects available (this wasn't sufficient for me) to do that you need to download and save the install file of IE8 from IE installer website, open the file with winrar or 7zip then find and extract the following file: inetres.adm into your desktop or my documents or the default template location (C:\WINDOWS\inf). Now load it using my instructions on the bottom of this post.

The default settings might work fine for removing the options menu, status bar and such but there were two more things I need that were not there. I searched high and low for the following tasks:
  • Hide/remove/disable address bar
  • Hide/remove/disable favourites and the command bar


I finally found them and will show you the registry changes first and then how to put it together into an adm template, which can be added to your group policy editor and modified from there. (Instructions for that are found at the bottom of this post)

  • To remove/hide the address bar the following registry change must be made:

HKEY_Current_USER\software\policies\microsoft\internet explorer\toolbars\restrictions
Value name: NoNavBar
Type: DWORD
Value: 1 (on)

  • To remove/hide the command bar (includes favourites), this registry change must be made:

HKEY_Current_USER\software\policies\microsoft\internet explorer\toolbars\restrictions
Value name: NoCommandBar
Type: DWORD
Value: 1 (on)


create a new notepad text file/or open notepad and copy+past the following
class user

category IESettings

policy "disable/hide IE command bar"
keyname "software\policies\microsoft\internet explorer\toolbars\restrictions"
explain "here is the explaination"
valuename "NoCommandBar"
valueon numeric 1
valueoff numeric 0
end policy

policy "disable/hide IE nav bar"
keyname "Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions"
explain "here is the explaination"
valuename "NoNavBar"
valueon numeric 1
valueoff numeric 0
end policy

end category

Make sure to add this blank space at the bottom of the file (ask MS why this is, I just know the gpo editor won't accept it otherwise)

Save it as NAME.adm (remove the .txt) where NAME is what you would like to name it i.e removeaddressbar.adm (doesn't make any difference)

Now to add the file to gpo editor user the instructions at the bottom of THIS POST.

Once that is done you will see it under IESettings, enable the nessary objects for you and replicate the changes (Go to Start>Run>cmd and type "gpupdate /force" to speed things up)

This works for me but as we know with different environments and settings so let me know if you have problems!


Enjoy and good luck!

P.S. If you would like to leave the back, forward and refresh buttons follow this post

8 comments:

Pixa said...

Great post, works perfectly...


Thanks

Anonymous said...

Thanks Buddy. I seached so much for the GPO settings to disable the address bar in IE8 but no luck and your article resolved my issue so quickly.

....Prachi

theborisedu said...

Your welcome!
:)

Anonymous said...

Works perfect on Windows Server 2003. Using it for a Citrix deployment and this solves all my problems.

theborisedu said...

That is awesome!
Glad to hear it!

Anonymous said...

hi,

i tried to follow your registry folders in both xp and win7 (HKEY_Current_USER\software\policies\microsoft\internet explorer\toolbars\restrictions)

but there is no internet explorer folder visible in that file path. please help!

theborisedu said...

You will not be able to find the policies manually but it will work using the GPO method. Unfortunately I think you require a server to apply the policies.

Anonymous said...

Thanks for this. It worked a treat. Can't imagine why Microsoft would not include this setting as part of the IE8 installation?

Thanks again! Chris