IE 8's Group Policy settings

Internet Explorer 8's treatment of group policy settings offers some nice new features for security professionals.

For many years, Microsoft has given us the ability to lock down Internet Explorer using group policy settings. With over 1,300 group policy settings that can be applied to Internet Explorer 8, I can't possibly cover all of them. The following four group policy security settings for Internet Explorer 8 are the ones I believe are worth highlighting.

(Note: I only list partial paths for the group policy settings because most of these policies can be applied at both the user and machine level of the group policy hierarchy. To find the policy settings that I will be discussing, look under either Computer Configuration \ Administrative Templates or User Configuration \ Administrative Templates within the Group Policy Object Editor.)

The SmartScreen Filter
The biggest new Internet Explorer 8 (IE8) security feature is the SmartScreen Filter. The SmartScreen Filter is essentially an enhanced version of the phishing filter that debuted in Internet Explorer 7.

The SmartScreen Filter is a reputation-based antimalware component that is designed to complement, not replace, traditional antimalware software. As you may be aware, more and more cases are emerging in which malicious files are posted on otherwise safe sites, such as social networking sites. The SmartScreen Filter has therefore been designed either to block a website that is known to be malicious outright, or to block only the malicious portion of an otherwise safe site. The SmartScreen Filter can also be used to monitor file downloads.

The group policy settings that control the SmartScreen Filter are as follows:

Policy Name                                     Location
Prevent Bypassing SmartScreen Filter Warnings   Windows Components \ Internet Explorer
Turn Off Managing SmartScreen Filter            Windows Components \ Internet Explorer
Use SmartScreen Filter                          Windows Components \ Internet Explorer \ Internet Control Panel \ Security Page

(There is a separate Use SmartScreen Filter setting for each Internet Explorer zone.)

Data Execution Prevention
One of the most common types of attack against Windows over the last several years has been the buffer overflow attack. Generally speaking, this type of attack works by writing more data than an unchecked buffer can hold, so that the excess spills into adjacent memory; the attacker's code, placed in what should be a data area, then ends up being executed.

Windows Vista protects against this type of attack by using Data Execution Prevention. With this feature, Windows marks each memory region as either executable code or non-executable data, and blocks any attempt to run code from a region that is marked as data.

Data Execution Prevention has been available in 64-bit versions of Windows Vista from the beginning, but Internet Explorer 7 was exempt from it because of compatibility issues. Internet Explorer 8 resolves these problems and brings Data Execution Prevention to the browser.

Data Execution Prevention is enabled by default in Internet Explorer 8. Configuring the setting at a higher level of the group policy hierarchy, so that the policy value takes precedence over the local computer's own configuration, may prevent future malware from disabling Data Execution Prevention locally. The following is the group policy setting that controls it:

Policy Name                          Location
Turn Off Data Execution Prevention   Windows Components \ Internet Explorer \ Security Features

InPrivate Browsing and InPrivate Filtering
InPrivate Browsing is a new feature that is designed to protect the user's privacy. When the user enables InPrivate Browsing, Internet Explorer opens a new browser window and does not record the Web pages that are viewed or any searches that are performed during that session.

InPrivate Filtering is a similar feature that is designed to give users a choice about the types of information that websites can use to track their browsing habits. Like InPrivate Browsing, InPrivate Filtering must be turned on by the user and only applies to the current session. The group policy settings related to InPrivate Browsing and InPrivate Filtering are as follows:

Policy Name                                                   Location
Prevent Deleting InPrivate Blocking Data                      Windows Components \ Internet Explorer \ Delete Browsing History
Turn Off InPrivate Filtering                                  Windows Components \ Internet Explorer \ InPrivate
Do Not Collect InPrivate Filtering Data                       Windows Components \ Internet Explorer \ InPrivate
InPrivate Filtering Threshold                                 Windows Components \ Internet Explorer \ InPrivate
Disable Toolbars and Extensions When InPrivate Filtering Starts   Windows Components \ Internet Explorer \ InPrivate
Turn Off InPrivate Browsing                                   Windows Components \ Internet Explorer \ InPrivate

Suggested Sites
The Suggested Sites feature isn't a security feature, but I felt I should address it anyway. When the Suggested Sites feature is enabled, Internet Explorer suggests other websites that the user might enjoy based on the sites that they have visited.

Several websites have raised privacy concerns over this feature because of the way it transmits your browsing history and your IP address to Microsoft for analysis. There have also been allegations that the feature might someday be used to serve targeted advertising, although Microsoft denies these claims. The following is the group policy setting that controls the Suggested Sites feature:

Policy Name               Location
Turn On Suggested Sites   Windows Components \ Internet Explorer

(This setting only applies to the user configuration.)
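The settings in the four tables above all write values under the policy-managed part of the registry, which only Group Policy populates. The following audit script is an added example and is not from the article or from Microsoft: it resolves the policy display names listed above to the registry values they set, using the inetres.admx and inetres.adml definition files that ship with Windows, and reports whether each value is present on the machine. It assumes those files are in the default %SystemRoot%\PolicyDefinitions folder (the paths and the en-US language folder are adjustable parameters), that the display names match the ADML string table case-insensitively, and that it is run in an elevated session so that HKLM is fully readable. Where a value is reported as not configured, Internet Explorer's own default applies, which for the Turn Off Data Execution Prevention setting means DEP stays on.

```powershell
# Added audit script (not from the article, not Microsoft's code). It maps the policy
# names discussed above to the registry values they write, using the ADMX/ADML files
# that ship with Windows, and reports whether each value is present.
# Assumptions: inetres.admx and <lang>\inetres.adml live under %SystemRoot%\PolicyDefinitions
# (the default location) and the display names match the ADML string table
# case-insensitively. Run from an elevated PowerShell session for a full HKLM view.
param(
    [string]$PolicyDefinitions = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
    [string]$Language = 'en-US'
)

$admx = [xml](Get-Content -Raw -Path (Join-Path $PolicyDefinitions 'inetres.admx'))
$adml = [xml](Get-Content -Raw -Path (Join-Path $PolicyDefinitions "$Language\inetres.adml"))

# ADML: <string id="X">Display text</string>  ->  lookup from display text to string id
$idByText = @{}
foreach ($s in $adml.policyDefinitionResources.resources.stringTable.string) {
    if ($s.'#text') { $idByText[$s.'#text'.Trim().ToLowerInvariant()] = $s.id }
}

# ADMX: <policy displayName="$(string.X)" class="..." key="..." valueName="...">
$policyById = @{}
foreach ($p in $admx.policyDefinitions.policies.policy) {
    if ($p.displayName -match '^\$\(string\.(?<id>[^)]+)\)$') { $policyById[$Matches.id] = $p }
}

# Registry values a policy writes: the policy-level valueName plus any element-level ones
# (elements may override the key; otherwise they inherit the policy's key).
function Get-PolicyValues($policy) {
    $values = @()
    if ($policy.valueName) {
        $values += [pscustomobject]@{ Key = $policy.key; ValueName = $policy.valueName }
    }
    if ($policy.elements) {
        foreach ($e in $policy.elements.ChildNodes) {
            if ($e.valueName) {
                $key = if ($e.key) { $e.key } else { $policy.key }
                $values += [pscustomobject]@{ Key = $key; ValueName = $e.valueName }
            }
        }
    }
    return $values
}

# class="Machine" -> HKLM, "User" -> HKCU, "Both" -> check both hives
function Get-PolicyHives($class) {
    switch ($class) {
        'Machine' { 'HKLM:' }
        'User'    { 'HKCU:' }
        default   { 'HKLM:'; 'HKCU:' }
    }
}

# Display names as the article lists them. The per-zone "Use SmartScreen Filter"
# settings share one display name and are deliberately left out of this lookup.
$wanted = @(
    'Prevent Bypassing SmartScreen Filter Warnings',
    'Turn Off Managing SmartScreen Filter',
    'Turn Off Data Execution Prevention',
    'Turn Off InPrivate Browsing',
    'Turn Off InPrivate Filtering',
    'Turn On Suggested Sites'
)

foreach ($name in $wanted) {
    $id = $idByText[$name.ToLowerInvariant()]
    if (-not $id -or -not $policyById.ContainsKey($id)) {
        Write-Output ("{0,-46} not found in inetres.adml/.admx" -f $name)
        continue
    }
    $p = $policyById[$id]
    foreach ($hive in Get-PolicyHives $p.class) {
        foreach ($v in Get-PolicyValues $p) {
            $path = "$hive\$($v.Key)"
            # A missing key or value means Group Policy has not set this policy here.
            $item = Get-ItemProperty -Path $path -Name $v.ValueName -ErrorAction SilentlyContinue
            $state = if ($null -eq $item) { 'not configured' } else { "= $($item.$($v.ValueName))" }
            Write-Output ("{0,-46} {1}\{2} {3}" -f $name, $path, $v.ValueName, $state)
        }
    }
}
```

Because the script reads the policy-to-registry mapping from the ADMX file rather than hard-coding key names, it keeps working if a later Internet Explorer ADMX moves or renames a value; a policy whose display name no longer matches is reported as not found rather than silently skipped, which is the behaviour you want from an audit.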

If you would like to see a more comprehensive list of the policy settings that are available, I recommend checking out the Microsoft TechNet article Group Policy and Internet Explorer 8.
