Thursday, February 23, 2012

Customizing Internet Explorer Settings for Citrix XenApp Server

I’m sure many who have deployed XenApp servers in the past have had to configure policies that customize the XenApp server’s Internet Explorer browser. Whether it’s to lock down the controls or simply for cosmetic reasons will depend greatly on what applications the XenApp server or servers are publishing. In the case of one of my recent projects, it was a little bit of both, and I found it a pain to comb through all of the settings available through Group Policy for the ones you know about but don’t remember exactly which node they’re in, so I took this opportunity to document the changes I have made so I can have somewhat of a starting point for similar projects in the future.

Note that the settings below were chosen for the following reasons. Each environment is unique, so modifications will most likely be necessary for another environment with different requirements:

  1. The XenApp farm is used for publishing applications that contain sensitive medical data that run within a browser.
  2. Access to internet websites will be controlled by a web filter appliance.
  3. Certain settings were enabled because the web applications were not designed for tablet devices, which makes it difficult for the user to navigate around the UI on a small screen.

Please also be aware that these settings are in no way complete and I will most likely continue to add to the list as additional applications are added or removed.

Path | Setting | Description | State

Path: Administrative Templates –> Windows Components –> Internet Explorer
Setting: Turn off Favorites bar

This policy setting allows you to manage whether users have access to the Favorites bar in Internet Explorer.

If you enable this policy setting, the Favorites bar will be turned off.

If you disable this policy setting, the Favorites bar will be turned on.

If you do not configure this policy setting, users will be able to turn on or turn off the Favorites bar.

State: Enabled

Path: Administrative Templates –> Windows Components –> Internet Explorer
Setting: Turn off Suggested Sites

This policy setting controls the Suggested Sites feature, which recommends sites based on the user’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft to suggest sites the user might want to visit.

If you enable this policy setting, the user will not be prompted to enable the Suggested Sites. The user’s browsing history will be sent to produce suggestions.

If you disable this policy setting, the entry points and functionality associated with this feature will be disabled.

If you do not configure this policy setting, users will be able to enable and disable the Suggested Sites feature.

State: Enabled

Path: Administrative Templates –> Windows Components –> Internet Explorer
Setting: Disable Import/Export Settings wizard

This policy setting disables the Import/Export Settings wizard. This wizard allows you to import settings from another browser, import settings from a file, or export settings to a file. Importing settings from another browser allows the user to import favorites and feeds from other browsers. Importing settings from a file allows the user to import favorites, feeds and cookies from a file. Exporting settings to a file allows the user to export favorites, feeds and cookies to a file.
     
If you enable this policy setting, the user will not be able to use the Import/Export Settings wizard.

If you disable or do not configure this policy setting, the user will be able to use the Import/Export Settings wizard.

State: Enabled

Path: Administrative Templates –> Windows Components –> Internet Explorer
Setting: Prevent performance of First Run Customize settings

This policy setting prevents performance of the First Run Customize settings ability and controls what the user will see when they launch Internet Explorer for the first time after installation of Internet Explorer.

If you enable this policy setting, you must make one of two choices:
1: Skip Customize Settings, and go directly to the user’s home page.
2: Skip Customize Settings, and go directly to the "Welcome to Internet Explorer" Web page.

If you disable or do not configure this policy setting, users go through the regular first run process.

State: Enabled (Go directly to home page)

Path: Administrative Templates –> Windows Components –> Internet Explorer
Setting: Prevent Internet Explorer Search box from displaying

This policy setting allows you to disable the Internet Explorer Search box. The Search box includes all installed search providers as well as a link to search settings.

If you enable this policy setting, the Search box in Internet Explorer will be disabled, and will not appear in the Internet Explorer frame.

If you disable or do not configure this policy setting, the Search box will appear by default in the Internet Explorer frame.

Note: If you enable this policy setting, Internet Explorer will not enumerate search providers for the Accelerators infrastructure. If Accelerators are not turned off, users can install search providers as Accelerators to include them on the Accelerator menu.

State: Enabled

Path: Administrative Templates –> Windows Components –> Internet Explorer
Setting: Turn off tabbed browsing

This policy setting allows you to turn off tabbed browsing and related entry points from the Internet Explorer user interface.

If you enable this policy setting, tabbed browsing and related entry points will be disabled for Internet Explorer, and this setting cannot be changed by the user.

If you disable this policy setting, tabbed browsing and related entry points will appear in the user interface for Internet Explorer and this setting cannot be changed by the user.

If you do not configure this policy setting, the user will be able to enable or disable tabbed browsing.

State: Enabled

Path: Administrative Templates –> Windows Components –> Internet Explorer
Setting: Set tab process growth

This policy setting allows you to set the rate at which Internet Explorer creates new tab processes. There are two algorithms Internet Explorer uses.

The default algorithm has four settings: low, medium, high, or default. Low creates very few tab processes; medium creates a moderate amount of tab processes; and high allows the tab process to grow very quickly and is intended only for machines with ample physical memory. The default setting creates the optimal number of tab processes based on the operating system and amount of physical memory. Default is recommended.

The second algorithm must be explicitly enabled by creating an integer setting. In this case, each Internet Explorer isolation setting will quickly grow to use the specified integer number of tab processes, independent of the physical memory on the machine or how many Internet Explorer isolation settings are running.

If you enable this policy setting, you will set the rate at which Internet Explorer creates new tab processes to low, medium, or high, or to an integer.

If you disable or do not configure this policy setting, the tab process growth will be set to default. The user may change this value with the registry key. Note: on Terminal Server, the default value is the integer “1”.

State: Enabled (0)

Path: Administrative Templates –> Windows Components –> Internet Explorer –> Accelerators
Setting: Turn off Accelerators

This policy setting allows you to manage whether users have access to Accelerators.

If you enable this policy setting, users will not be able to access Accelerators.

If you disable or do not configure this policy setting, users will be able to access Accelerators and install new Accelerators.

State: Enabled

Path: Administrative Templates –> Windows Components –> Internet Explorer –> Browser menus
Setting: Hide Favorites menus

Prevents users from adding, removing, editing or viewing the list of Favorite links.

The Favorites list is a way to store popular links for future use.

If you enable this policy, the Favorites menu is removed from the interface, and the Favorites button on the browser toolbar appears dimmed. The Add to Favorites command on the shortcut menu is disabled; when users click it, they are informed that the command is unavailable.

If you disable this policy or do not configure it, users can manage their Favorites list.

Note: If you enable this policy, users also cannot click Synchronize on the Tools menu (in Internet Explorer 6) to manage their favorite links that are set up for offline viewing.

State: Enabled

Path: Administrative Templates –> Windows Components –> Internet Explorer –> InPrivate
Setting: Turn off InPrivate Browsing

This policy setting allows you to disable the InPrivate Browsing feature.

InPrivate Browsing prevents Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other data.

If you enable this policy setting, InPrivate Browsing will be disabled.

If you disable this policy setting, InPrivate Browsing will be available for use.

If you do not configure this setting, InPrivate Browsing can be turned on or off through the registry.

State: Enabled

Path: Administrative Templates –> Windows Components –> Internet Explorer –> InPrivate
Setting: Use Large Icons for Command Buttons

This policy setting allows you to make the icons for the command buttons bigger (20x20 pixels).

If you enable this setting, the icons for the command buttons will be bigger (20x20 pixels), and cannot be made smaller (16x16 pixels).

If you disable this setting, the icons will be 16x16 pixels (the default), and cannot be made bigger (20x20 pixels).

If you do not configure this setting, the icons will be 16x16 pixels, and the user has the option to make them bigger (20x20 pixels).

State: Enabled

[Screenshot: what the browser looks like with these policy changes]

In case anybody is wondering why I did not state whether these policies were applied at the Computer level or the User level, it’s because this varies between different environments so choose between the two by reviewing your requirements.
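Because the same setting can arrive through either the Computer or the User policy, a quick check on a XenApp server of which hive actually carries each value is useful. The following PowerShell is an added example, not part of the original post; it covers only a subset of the settings listed above, the registry value names are the editor's reading of the Internet Explorer administrative template and should be confirmed against the inetres.admx in your environment, and the precedence rule in the comment is an assumption.

```powershell
# Added example: report which policy hive carries a few of the settings listed above.
# Value names are assumptions taken from the IE administrative template; verify them
# against the inetres.admx used in your environment before relying on the result.
$ie = 'Software\Policies\Microsoft\Internet Explorer'
$expected = @(
    @{ Setting = 'Disable Import/Export Settings wizard'; Key = $ie; Name = 'DisableImportExportFavorites'; Want = '1' },
    @{ Setting = 'Prevent performance of First Run Customize settings'; Key = "$ie\Main"; Name = 'DisableFirstRunCustomize'; Want = '1' },
    @{ Setting = 'Prevent Internet Explorer Search box from displaying'; Key = "$ie\Infodelivery\Restrictions"; Name = 'NoSearchBox'; Want = '1' },
    @{ Setting = 'Set tab process growth'; Key = "$ie\Main"; Name = 'TabProcGrowth'; Want = '0' },
    @{ Setting = 'Hide Favorites menus'; Key = "$ie\Restrictions"; Name = 'NoFavorites'; Want = '1' },
    @{ Setting = 'Turn off InPrivate Browsing'; Key = "$ie\Privacy"; Name = 'EnableInPrivateBrowsing'; Want = '0' }
)

function Get-PolicyValue {
    param([string]$Hive, [string]$Key, [string]$Name)
    # Returns the value as a string, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path "${Hive}:\$Key" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$Name
}

$report = foreach ($p in $expected) {
    $computer = Get-PolicyValue -Hive 'HKLM' -Key $p.Key -Name $p.Name
    $user     = Get-PolicyValue -Hive 'HKCU' -Key $p.Key -Name $p.Name
    # Assumption: when both hives carry the value, the Computer policy is the one honoured.
    $effective = if ($null -ne $computer) { $computer } else { $user }
    $status = if ($null -eq $effective) { 'NOT APPLIED' } elseif ($effective -eq $p.Want) { 'OK' } else { 'MISMATCH' }
    New-Object PSObject -Property @{
        Setting  = $p.Setting
        Computer = $computer
        User     = $user
        Expected = $p.Want
        Status   = $status
    }
}
$report | Format-Table Setting, Computer, User, Expected, Status -AutoSize
```

Run it inside a published-application session as a test user, since the HKCU column reflects the account the script runs under.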

One of the other common decisions that also needs to be made is how to set the Trusted and Intranet sites. Should it be set in the Computer policy or the User policy? This also depends on how the XenApp servers are being used. I find that the deciding factor is how locked down you want the browser to be. If you want to allow your users to add and see what sites are added to different zones, use the User policy; otherwise, use the Computer policy, because the latter grays out the zones and prevents the users from knowing or adding sites to the zones.
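To review which hive the zone assignments actually come from, the following PowerShell lists the policy-delivered site-to-zone entries from both the Computer and the User hive. It is an added example, not part of the original post; it assumes the zones were set through the Site to Zone Assignment List policy (the `ZoneMapKey` registry key), and the `Review` flag for wildcard entries is the editor's own convention.

```powershell
# Added example: list policy-assigned zone entries from the Computer (HKLM) and User (HKCU) hives.
# Assumes the sites were delivered through the "Site to Zone Assignment List" policy.
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$zoneMap = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-ZoneAssignment {
    param([string]$Hive)   # 'HKLM' = Computer policy, 'HKCU' = User policy
    $key = Get-Item -Path "${Hive}:\$zoneMap" -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }
    foreach ($site in $key.GetValueNames()) {
        $zone = [int]($key.GetValue($site))
        $name = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { "Zone $zone" }
        # A wildcard entry in the Intranet or Trusted zone extends that trust to every
        # matching host, so mark it for a second look.
        $review = ((1, 2) -contains $zone) -and $site.Contains('*')
        New-Object PSObject -Property @{
            Hive   = $Hive
            Site   = $site
            Zone   = $name
            Review = $review
        }
    }
}

$entries = @('HKLM', 'HKCU' | ForEach-Object { Get-ZoneAssignment -Hive $_ })
$entries | Sort-Object Site, Hive | Format-Table Hive, Site, Zone, Review -AutoSize

# Report any site that the Computer and User policies place in different zones.
$entries | Group-Object Site | Where-Object {
    @($_.Group | Select-Object -ExpandProperty Zone -Unique).Count -gt 1
} | ForEach-Object { Write-Warning "Conflicting zone assignment for $($_.Name)" }
```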

4 comments:

kevin sharan said...

This comment has been removed by a blog administrator.

khalil said...

What I do..... I simply install Firefox to test if everything is working, all problems solved!!!... IE on Server 2008 is locked down too much....

Brewmaster said...

Ha, some organizations do not allow Firefox to be installed. Thanks Terence for the good recommendations for IE.

Anonymous said...

Nice blog, very useful. And all the admins who installed Firefox, greetings and have much fun with configuring the user profiles! Because the cache is in the user profile and central management for Firefox is not easy going.