Group Policy

I just want to quickly share an issue I worked on related to implementing the ActiveX Installer Service group policy and its parameters. Before I start, I have to thank the IE support team, who recently posted a new blog post that I think will help IE admins deal with these types of issues.

In my case, I was adding the wrong parameter and value in the group policy [2,2,1,0x00000100||0x00001000||0x00000200||0x00002000], and the ASKIE blog post Guidelines on enabling, configuring and troubleshooting ActiveX Installer service (Axis) provided me with the correct values [2,2,1,0x00003300], and now everything is working as expected. As they mentioned in the article, the TechNet document ActiveX Installer Service in Windows 7 is confusing. The new blog post from these guys is a must-have.

Approved Installation Sites for ActiveX Controls

Approved Installation Sites for ActiveX Controls 4 https certificate exception errors parameter/value sample
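Why the second value works: the fourth field is a single bitmask, and 0x00003300 is the four documented flags ORed together, which also means every HTTPS certificate error is ignored for that site. The decoder below is an added example, not code from this post or from Microsoft; the field order and flag meanings follow Microsoft's AXIS documentation, and the function names are hypothetical.

```python
# Added example: decode an AXIS "Approved Installation Sites" policy value.
# Field order and flag meanings follow Microsoft's AXIS documentation;
# function names are hypothetical.
SIGNED = {0: "block", 1: "prompt", 2: "install silently"}
UNSIGNED = {0: "block", 1: "prompt"}
CERT_FLAGS = {  # fourth field: which HTTPS certificate errors are ignored
    0x00000100: "unknown CA",
    0x00000200: "wrong certificate usage",
    0x00001000: "invalid CN",
    0x00002000: "invalid certificate date",
}
ALL_FLAGS = sum(CERT_FLAGS)  # 0x3300


def combine_flags(expr):
    """Fold a documentation-style 'a||b||c' flag list into one hex value."""
    total = 0
    for token in expr.split("||"):
        total |= int(token.strip(), 16)
    return f"0x{total:08X}"


def decode_axis_value(value):
    """Decode 'TPSSigned,Signed,Unsigned,CertPolicy'; ValueError if malformed."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(parts)}")
    try:
        tps, signed, unsigned = (int(p) for p in parts[:3])
        cert = int(parts[3], 0)  # one number only: '0x100||0x1000' fails here
    except ValueError:
        raise ValueError(f"non-numeric field in {value!r}") from None
    if tps not in SIGNED or signed not in SIGNED or unsigned not in UNSIGNED:
        raise ValueError(f"install option out of range in {value!r}")
    if cert & ~ALL_FLAGS:
        raise ValueError(f"unknown certificate flag bits in {parts[3]}")
    return {
        "trusted_publisher_signed": SIGNED[tps],
        "signed": SIGNED[signed],
        "unsigned": UNSIGNED[unsigned],
        "cert_errors_ignored": [n for bit, n in CERT_FLAGS.items() if cert & bit],
    }


if __name__ == "__main__":
    print(decode_axis_value("2,2,1,0x00003300"))
    print(combine_flags("0x00000100||0x00001000||0x00000200||0x00002000"))
```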


Happy to see the IE team give back to the community. We deal with a lot of issues in the IE world that have to do with education and interpretation of MS documents.





This blog post is targeted at IT administrators who have to deal with users who are curious enough to open the IEx64 version of IE on their machines, only to find out that some application add-ons do not work, and who end up calling the help desk and spending hours troubleshooting. Preventing users from hurting productivity is one of an IT admin's jobs, as these types of actions by users cost enterprises lots of money.

Today, most web applications are designed to work in a Windows 32-bit browser configuration, and to keep users from hurting productivity, administrators can use an AppLocker policy. I will show you how you can lock down the IEx64 version of IE in Windows 7. To read more about Microsoft IEx64 and its design, please visit Eric Lawrence's Q&A: 64-bit Internet Explorer blog post.

AppLocker Policy Steps – Restricting IEx64 .exe process

  • From Start \ Run Type: Gpedit.msc or gpmc.msc to access your domain policy!
  • From the left pane, navigate to: Computer configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules
  • Right click on Executable Rules and select Create Default Rule…


  • A Create Executable Rule wizard will come up. Select Permissions and set it to Deny. I left the User or group: option to Everyone


  • Click on Next > to set Conditions and select Path, then click on Next > to continue


  • Click on Next > to set the Path. Click on the Browse Files… button and navigate to %PROGRAMFILES%\Internet Explorer\iexplore.exe, then click on Next > to continue


  • From the Exceptions, click on the Add exception: menu and set it to Path. See screenshot below and move to next step…


  •  … then click on the Add… button to set the Exception path. When you get the Path Exception window, just paste this path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Do not use the variable [%PROGRAMFILES(x86)%\Internet Explorer\iexplore.exe], as it will fail to process! It looks like this policy reads the path the same way regardless of whether you use the x86 variable. You could change this using the SET command, but I do not recommend it, as Microsoft may use these configurations for other purposes!

  • Click on Next > to add a Name. Add a friendly name, that can easily help your administrator identify what the policy restriction is for. In this example, you can use IEx64 Restriction
  • Click on Create to complete. You will most likely get an AppLocker warning; click on Yes to get the Default Rules created. These are all set to Allow, so you should not have any problems!
  • I recommend you double-check your configuration to make sure everything is set accordingly. Open the rule by double-clicking on it and, under Action, select Deny if it is not already selected!
  • Click on the Exceptions tab and make sure it is set to Path, then click OK to close
  • Run GPUpdate /Force from command window to test your policy

The warning you will get if you try to open IEx64 from %PROGRAMFILES%\Internet Explorer\iexplore.exe or any shortcut pointing to this directory is something like this:





The Registry location for this policy is under:


We are setting the policy for EXE, so the key to find the above configuration will be under:


The complete key may look like this:


"Value"="<FilePathRule Id=\"5dcf1ef3-ba15-42a5-9ce7-47f6b8a4399c\" Name=\"IEx64 Restriction\" Description=\"\" UserOrGroupSid=\"S-1-1-0\" Action=\"Deny\"><Conditions><FilePathCondition Path=\"%PROGRAMFILES%\\Internet Explorer\\iexplore.\"/></Conditions><Exceptions><FilePathCondition Path=\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\"/></Exceptions></FilePathRule>"
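How a rule like the one above evaluates, as an added example (not the author's code and not AppLocker's implementation): AppLocker's own %PROGRAMFILES% path variable covers both Program Files directories, so the Deny condition also matches the 32-bit iexplore.exe and the literal-path exception is what lets it run. The rule XML is constructed from the wizard steps with a placeholder Id; the function names and the C: OS drive are assumptions.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed rule (placeholder Id), built from the wizard steps in this post.
RULE_XML = r"""<FilePathRule Id="00000000-0000-0000-0000-000000000000"
  Name="IEx64 Restriction" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
 <Conditions>
  <FilePathCondition Path="%PROGRAMFILES%\Internet Explorer\iexplore.exe"/>
 </Conditions>
 <Exceptions>
  <FilePathCondition Path="C:\Program Files (x86)\Internet Explorer\iexplore.exe"/>
 </Exceptions>
</FilePathRule>"""

# AppLocker's %PROGRAMFILES% path variable stands for both directories on
# 64-bit Windows. Assumption: the OS drive is C:.
PROGRAMFILES_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)")
VAR = "%PROGRAMFILES%"


def expand(pattern):
    """Expand the AppLocker variable into every concrete path it can mean."""
    if pattern.upper().startswith(VAR):
        return [d + pattern[len(VAR):] for d in PROGRAMFILES_DIRS]
    return [pattern]


def path_matches(pattern, path):
    """Case-insensitive match; '*' in a rule path is a wildcard."""
    return any(fnmatchcase(path.lower(), p.lower()) for p in expand(pattern))


def rule_decision(rule_xml, path):
    """Return the rule's Action if it applies to path, else None.
    Models one path rule only, not user SIDs or the rest of the policy."""
    rule = ET.fromstring(rule_xml)
    conditions = rule.findall("./Conditions/FilePathCondition")
    exceptions = rule.findall("./Exceptions/FilePathCondition")
    if not any(path_matches(c.get("Path"), path) for c in conditions):
        return None
    if any(path_matches(e.get("Path"), path) for e in exceptions):
        return None
    return rule.get("Action")


if __name__ == "__main__":
    for exe in (r"C:\Program Files\Internet Explorer\iexplore.exe",
                r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"):
        print(exe, "->", rule_decision(RULE_XML, exe))
```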


Resources: Windows 7 AppLocker Executive Overview:




Good!… Beta progress can be experienced in the new IE9 RC Build. Here are the highlights.
[link back: IE Blog ]

In the order that was presented in the video below :-)

  • 5 Pinned sites with Multiple home pages
  • 4 Tabs placements
  • 3 Closing tabs enhancement (like every other browser)
  • 2 Hotkey. See the video for a sample on how to
  • 1 Reduced the amount of space taken by a browser window… the claim is not enough to make a big difference when compared to other browsers.

Watch the quick video to get familiar with these new 5 things.

Other highlights

1)    HTML5 GeoLocation is supported now ..
2)    ActiveX filter
3)    Tracking Protection Lists
4)    Option to have tabs on a separate row.
5)    Ability to pin sites when task bar is not at the bottom of the screen.
6)    Setting to go to Intranet site for one word searches (GPO Available for IT Admins. See below!)
7)    Download speed is displayed on the notification bar.
8)    Performance and stability improvements.

Here is the new GPO Location on how to set the “Setting to go to Intranet site for one word searches”.

Download IE9 RC Build to take advantage of this new change in the code.

GPO Location:
This policy is available in both Computer and user Configuration!

Administrative Template\Windows Components\Internet Explorer\Internet Settings\Advanced Settings\Browsing\Go to an intranet site for a single word entry in the Address bar

Registry Location:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main]

Dword value of 1 = Enable

Dword value of 0 = Disable

IE Setting Screenshot:

Go to an intranet site for a single word entry in the Address bar

Registry Setting: GotoIntranetSiteForSingleWordEntry


The X man


I am sharing an .exe that will help you disable IE Enhanced Security on Windows 2008 or Windows 2003 TS Servers.

Microsoft article  933991 outlines some of the known issues around IE Enhanced Security in Terminal Servers, but it does not provide you the Fix/Solution when dealing with an AD Environment. Here I will show you how you could potentially affect both New users as well as Existing users.

The Scenario:

When you log on as a regular user, you discover that you cannot manage the IE Security Settings. Basically, the option to add Trusted Sites is grayed out, or a pre-defined group policy appears not to be getting applied.


This is because IE Enhanced Security was turned on and tattooed the user's profile.

We also know that this is an old issue that has carried over to new Windows Servers: even when you have disabled IE Enhanced Security from the UI, it does not properly update the registry until you go back and enable and then disable it again. This action will only affect new users; existing users will still have the entries in their profiles/registry.


I have written a bat file and an exe that will fix the problem profile. You will have to execute the bat or .exe while logged on with the user account in order to affect the user profile. So, to fix this particular scenario, you would first want to fix the .default profile by creating a new local user account. Fix this account with the .bat or .exe file, which will add the entries below, and then copy this new profile to the .default profile.

To affect existing users, you can use the .exe or .bat as a logon script.

This is the best way you can affect everyone.

Download the .exe: IEHarden_Disable.


Keys the .exe will affect:

Basically, I am running a fix.reg with following keys:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]



[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]






[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]




From the .exe, I have a bat that will execute the following Command:


regedit /s fix.reg

Rundll32 iesetup.dll,IEHardenUser

Rundll32 iesetup.dll,IEHardenAdmin

Rundll32 iesetup.dll,IEHardenMachineNow



Here is a .BAT file that will execute the same function outlined above, but using reg.exe.


::Related Article

::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server



:: If required, backup the registry keys

:: This is always a good idea before making registry changes

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" "HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg"


REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f


Rundll32 iesetup.dll, IEHardenLMSettings

Rundll32 iesetup.dll, IEHardenUser

Rundll32 iesetup.dll, IEHardenAdmin


REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va



Related Article

933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server

Profile Article:

Known issue with Windows 2008 and Profile Creation:

The documents you may find out there may not properly cover the profile creation for windows 2008 or Vista, so we have to use the steps below.

If we select “C:\Users\Default” as the path in Step 7-e of this article, it wipes all the data from the directory (after giving a warning, of course).
When a new user logs on, it picks up the custom profile from “C:\Users\Default”.
The side effect of this workaround is, as all the data is lost from the “C:\Users\Default” it also causes the junction points to be removed.

Note that in Windows Server 2008 and Windows Vista, there are junction points associated for the profile folders.

There might be an application which has dependencies with these junction points. So below is the valid solution for this.


The following TechNet article talks about the valid steps to customize the default user profile.

Managing Roaming User Data Deployment Guide (Section : Create a Default Network User Profile)

Creating the new profile:

1)       Log on to a computer running Windows 2008 with any domain user account. Do not use a domain administrator account.

2)      Configure user settings such as connection settings, zone settings, or whatever it is you want this profile to have. Run the IE Enhanced Security .exe or .bat file so that this profile gets the IE Enhanced Security settings (turned off). Log off the computer. MAKE SURE YOU TEST THIS NEW USER PROFILE!!! Log out, log back in, and double-check your settings to make sure this is what you want/need. Then move on to the next steps.

3)      Log on to the computer used in step 1 with a domain administrator account.

4)      Click Start, right-click Computer, and then click Properties.

5)       Click Start, right-click Computer, and then click Properties.

6)      Click Advanced System Settings. Under User Profiles, click Settings.

7)       The User Profiles dialog box shows a list of profiles stored on the computer. Click the name of the user you used in step 1. Click Copy To.

8)      In the Copy To dialog box, click on the Browse button and find the path to the Windows default user folder.

9)      In Permitted to use, click Change. Type the name Everyone, and then click OK.

10)    Click OK to commit the changes.

NOTE: You can copy the working profile to your Sysvol netlogon share if you would like to affect everyone on your domain. Windows will use the local default profile when it cannot locate a default network profile.

It may be favorable to perform these steps during off-peak hours if you are using a production environment. A default network profile is optional.

You can also use the .exe as a logon script, but this will be executed every time the user logs on to your network, and it is not the best-case scenario.



You can download the zip file that contains the .exe from here.


Have fun,


Here I will show you how to hide the Favorites button from IE 8. This solution should work with all IE versions (Internet Explorer 6, Internet Explorer 7, Internet Explorer 8).

Here is how you can disable the Internet Explorer FAVORITES button. I know that

The Registry key:

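Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions]
; NoCommandBar is the value named in the ADM template below; 1 = Enable, 0 = Disable
"NoCommandBar"=dword:00000001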


Custom ADM

How to load the Custom ADM Template?

  1. To start Group Policy, click Start and then click Run. In the Open box, type GPedit.msc or GPMC.msc if from a Domain policy and then click OK.
  2. Select Administrative Templates from the Computer Configuration branch.
  3. Right-click the Administrative Templates branch, and then select All Tasks.
  4. Select Add/Remove Templates.
  5. Click Add.
  6. Load the ADM templates.

Here is how you disable the Group Policy filter, so you can see the new Policy Template:

  1. Right click on the Policy and select View > detail > Filtering
  2. Remove the check mark from the check box next to “Only show policy settings that can be fully managed”
  3. You should see the template now.

Copy and paste from the line below!

;---------------------- Start ------------------------

;This policy will help you hide the Favorite Button from IE Toolbar

;The value is a Dword NoCommandBar set to 1= Enable and 0=Disable

;CLASS USER because the registry key lives under HKEY_CURRENT_USER

CLASS USER

CATEGORY "Custom Favorite Toolbars"

  POLICY "Remove_IE_Favorite_Button"

  EXPLAIN "This Policy will allow you to remove the Favorite Btn from IE Toolbar"

  KEYNAME "Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions"

  VALUENAME "NoCommandBar"

  VALUEON NUMERIC 1

  VALUEOFF NUMERIC 0

  END POLICY

END CATEGORY

[strings]

RemoveFavoritesBTN="Removes Favorites Button from IE Toolbar"

RemoveFavoritesBTN="Now you can hide Favorites… Nice"

;---------------------- END ------------------------

I hope this helps you achieve your restriction needs!