Internet Explorer Enhanced Security Configuration Considerations

Windows Server 2003 includes a new default security configuration for Internet Explorer, called Internet Explorer Enhanced Security Configuration (ESC). ESC affects the Security Zones and Privacy settings under Internet Explorer Maintenance in a GPO: those settings are stored either as ESC-enabled or as non-ESC settings, depending on the computer from which they were edited.


When you edit the Security Zones and Privacy settings in a GPO from a computer where ESC is enabled, that GPO contains ESC-enabled settings. In the HTML report for that GPO, the Security Zones and Privacy heading has the text (Enhanced Security Configuration enabled) appended to it.


When you edit the Security Zones and Privacy settings in a GPO from a computer where ESC is not enabled, that GPO contains non-ESC settings. ESC is never enabled on Windows 2000 or Windows XP, and it is not enabled on Windows Server 2003 computers where it has been explicitly disabled.

ESC settings deployed through Group Policy will only be processed on and applied by computers where ESC is enabled. ESC settings will be ignored on computers where ESC is not enabled (all computers running Windows 2000 and Windows XP, and Windows Server 2003 computers where ESC has been explicitly disabled). The converse is also true: A GPO that contains non-ESC settings will only be processed on and applied by computers where ESC is not enabled.
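Because the ESC state of the editing computer decides whether a GPO carries ESC-enabled or non-ESC settings, it is worth confirming that state before editing. The following PowerShell script is an added example, not part of the original documentation: it reads the two Active Setup component entries that IE ESC installs on Windows Server 2003 (one for Administrators, one for all other users) and reports whether ESC is enabled for each. The GUIDs are the ones IE ESC itself uses; the function and variable names are illustrative choices made for this example.

```powershell
# Added example (not from the original documentation): report whether Internet
# Explorer Enhanced Security Configuration is enabled on this computer for
# administrators and for other users, by reading the Active Setup component
# entries that IE ESC installs. IsInstalled = 1 means ESC is applied to that group.
$escComponents = @{
    'Administrators' = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    'Users'          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IEEscState {
    foreach ($group in $escComponents.Keys) {
        $key = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$($escComponents[$group])"
        $enabled = $false
        if (Test-Path $key) {
            # A missing value or 0 means ESC is not applied to this group.
            $value = (Get-ItemProperty -Path $key -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
            $enabled = ($value -eq 1)
        }
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Group      $group
        $row | Add-Member NoteProperty EscEnabled $enabled
        $row
    }
}

# Show the state and spell out what it means for GPOs edited from this computer.
$state = Get-IEEscState
$state | Format-Table -AutoSize
if ($state | Where-Object { $_.EscEnabled }) {
    Write-Host 'ESC is enabled here: Security Zones and Privacy settings edited from this computer are ESC-enabled and are applied only by ESC-enabled computers.'
} else {
    Write-Host 'ESC is not enabled here: settings edited from this computer are non-ESC and are applied only by computers where ESC is not enabled.'
}
```

Run it as the account you will use to edit the GPO; the Administrators entry is the one that matters for an administrator editing policy, and a mismatch between the two groups is a common reason a GPO ends up with settings that the target computers silently ignore.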

Furthermore, ESC impacts the functionality contained in the HTML reports produced by GPMC as follows.


On computers with ESC enabled, a prompt appears when you attempt to view reports in GPMC. This happens because the reports contain script that lets you expand and collapse sections of the report with Show and Hide. To use Show and Hide in these reports, you must add the about:security_mmc.exe site to the Trusted sites zone in Internet Explorer. This site represents all Web pages that are hosted inside MMC. You can do this by clicking Add on the Internet Explorer prompt. This opens the Trusted sites dialog box with the correct entry (about:security_mmc.exe) for the page being called by GPMC. Click Add, and then click Close in the Trusted sites dialog box to add this site to the Trusted sites zone. If about:security_mmc.exe is not added to the Trusted sites zone, the reports appear fully expanded and cannot be collapsed.
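When this has to be done on more than one administration workstation, or verified after the fact, the zone assignment can be inspected and set directly for the current user. The following PowerShell script is an added example and is not part of the original documentation. It assumes that on an ESC-enabled computer IE stores per-user zone assignments under the ZoneMap\EscDomains registry key, with the about: scheme for the host name security_mmc.exe recorded as a DWORD value named "about" whose data is the zone number (2 for Trusted sites); that layout is an assumption about IE's registry format, so confirm it by adding the site once through the IE prompt and inspecting the key before relying on the script. The function names are illustrative.

```powershell
# Added example (not from the original documentation): check whether the
# about:security_mmc.exe page used by GPMC reports is in the Trusted sites zone
# for the current user on an ESC-enabled computer, and optionally add it.
# ASSUMPTION: IE records the assignment at ZoneMap\EscDomains\security_mmc.exe,
# DWORD value "about" = zone number. Verify against a machine where the site was
# added through the IE prompt before using Add-GpmcTrustedSite in production.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$siteKey = Join-Path $zoneMap 'EscDomains\security_mmc.exe'
$trustedZone = 2   # URLZONE_TRUSTED; 0 = Local Machine, 1 = Intranet, 3 = Internet, 4 = Restricted

function Get-GpmcTrustedSiteState {
    # The ESC-specific map is consulted only when ESC is enabled; the non-ESC
    # map lives under ZoneMap\Domains instead.
    if (-not (Test-Path $siteKey)) { return $false }
    $zone = (Get-ItemProperty -Path $siteKey -Name about -ErrorAction SilentlyContinue).about
    return ($zone -eq $trustedZone)
}

function Add-GpmcTrustedSite {
    if (-not (Test-Path $siteKey)) { New-Item -Path $siteKey -Force | Out-Null }
    # Map the about: scheme for host security_mmc.exe to the Trusted sites zone.
    Set-ItemProperty -Path $siteKey -Name about -Value $trustedZone -Type DWord
}

if (Get-GpmcTrustedSiteState) {
    Write-Host 'about:security_mmc.exe is already in the Trusted sites zone; Show and Hide in GPMC reports will work.'
} else {
    Write-Host 'about:security_mmc.exe is not trusted yet; GPMC reports will open fully expanded.'
    # Add-GpmcTrustedSite    # uncomment to add the entry for the current user
}
```

The script deliberately maps only the security_mmc.exe host; it does not touch about:blank, which IE also prompts for when Explain text is opened, because trusting about:blank weakens Internet Explorer on that computer.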


In addition, the Explain text for a given setting in the HTML report is available by clicking any setting in the Administrative Templates section of the GPO, assuming you have already added about:security_mmc.exe to the list of trusted sites. A prompt appears when you attempt to view the Explain text for an administrative template setting in the HTML report. This prompt asks whether you want to add the about:blank site to the list of trusted sites. This is not recommended because it could significantly compromise the security of Internet Explorer on that computer. If you do not add about:blank to the list of trusted sites, you lose no significant GPMC functionality: you can still view the Explain text, but the Print and Close buttons in the Explain text dialog box do not work. To close the dialog, use the Close (X) button in the upper right corner.
