Modalità manutenzione di Internet Eplorer

Come funzione la modalità manutenzione di Internet Eplorer??
A questo link di microsoft una descrizione dettagliata.

(sotto una copia della pagina)







How Internet Explorer Maintenance Extension Works

Questo argomento non è stato ancora valutato Valuta questo argomento
Aggiornamento: marzo 2003
Si applica a: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

How Internet Explorer Maintenance Extension Works

In this section
The Internet Explorer Maintenance Extension of the Group Policy Object Editor enables administrators to define an Internet Explorer configuration as part of a Group Policy Object (GPO). The GPO is linked to Active Directory containers such as sites, domains, or organizational units (OUs), and enables management of the Internet Explorer configuration for multiple users on any computer joined to the domain that is capable of using Group Policy.
Deployment of Internet Explorer Maintenance Extension settings requires Group Policy in a Windows 2000 or Windows 2003 Active Directory environment, and Windows 2000 Professional or Windows XP clients.

Internet Explorer Maintenance Extension Architecture

The following figure illustrates the components important to the Internet Explorer Maintenance Extension.
Internet Explorer Maintenance Extension Architecture
Architettura di estensione della manutenzione di IE
These components are described in the following table. Components not seen in the figure, but important to the process, are also described.
Internet Explorer Maintenance Extension Logical Architecture Components

 

ComponentDescription
Group Policy engine
This component is the framework that manages and implements the Group Policy settings and configurations, made by the admin, across all client-side extensions (CSE). Userenv.dll is the Group Policy engine module.
Internet Explorer Maintenance Client-Side extension (CSE)
The Internet Explorer Maintenance CSE is the component that is called by the Group Policy engine, and that applies the Internet Explorer Maintenance settings. The Internet Explorer Maintenance CSE writes the relevant information into the registry.
WinLogon
WinLogon is the service that contains the Group Policy engine.
Resultant Set of Policy (RSoP) snap-in
This component displays the results of Group Policy, including what Group Policy settings have been applied and when they were last applied. For more information about RSoP, see “What Is Resultant Set of Policy?.”
Local GPO
Contains Group Policy settings for the local computer, including potential Internet Explorer Maintenance policies.
The CSE registration information is written at setup to the HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\ GPExtensions registry key. This registry key structure exists on both the target and domain controller systems.

Internet Explorer Maintenance Extension Physical Structure

Understanding where Internet Explorer Maintenance Extension policy settings are stored and how they are structured can help you troubleshoot problems you might encounter when you implement Internet Explorer Maintenance. Although GPOs can be linked to sites, domains, and OUs, they are stored only in the domain. See the “How Core Group Policy Works” topic in this collection for more information about how Group Policy stores its data.
The following table lists the setting types and the locations where Internet Explorer Maintenance Extension policy configuration files are stored on both the local computer and the domain.
Physical Structure Components

 

Setting TypePolicy File Name
Browser Title
install.ins
Custom Bitmaps
Install.ins
\Branding\Logo\<<small logo file name>>
\Branding\Logo\<<big logo file name>>
\Branding\Animbmp (empty folder created)
Toolbar Customization
\install.ins
\Branding\Btoolbar\<<color logo file name>>
\Branding\Btoolbar\<<grayscale logo file name>>
\Branding\Toolbmp\<<toolbar bmp file name >>
Connection Settings
\install.ins
\Branding\cs\connect.set
\Branding\cs\cs.dat
Automatic Browser Configuration
\install.ins
Proxy Settings
\install.ins
User Agent String
\install.ins
Favorites and Links
\install.ins
Important URLs
\install.ins
Security Zones
\install.ins
\Branding\Zones\seczones.inf
\Branding\Zones\seczrsop.inf
Content Ratings
\install.ins
\Branding\Ratings\ratings.inf
\Branding\Ratings\ratrsop.inf
Authenticode Settings
\install.ins
\Branding\Authcode\authcode.inf
Programs
\install.ins
\Branding\Programs\programs.inf
Corporate Settings
\Branding\Adm\inetcorp.adm
\Branding\Adm\inetcorp.inf
Internet Settings
\Branding\Adm\inetset.adm
\Branding\Adm\inetset.inf
Domain policy settings use the Fully Qualified Domain Name (FQDN) to reference GPOs. There are two main paths where the configuration files are stored:
  • Domain policy files are stored in the folder \\FQDN\Sysvol\FQDN\Policies\<GPOGUID>\User\Microsoft\IEAK
  • Local Machine policy files are stored in the folder %windir%\System32\GroupPolicy\User\Microsoft\IEAK
The following figure shows the files used by the Internet Explorer Maintenance Extension and where they are stored on both the domain controller and client computers.
Internet Explorer Maintenance Extension File Storage
Archivio file per l'estensione della manutenzione

Internet Explorer Maintenance Extension Processes and Interactions

When working with Internet Explorer Maintenance settings, you can use one of two interfaces. To configure Internet Explorer Maintenance Extension settings, use the Group Policy Object Editor. Use the Group Policy Management Console (GPMC) to view the Internet Explorer Maintenance Extension settings contained within a GPO.

Using Group Policy Object Editor with Internet Explorer Maintenance

To configure Internet Explorer Maintenance settings, an Administrator sets up Internet Explorer on a client computer with the settings to be included in the GPO. The Administrator then uses the Group Policy Object Editor to import the settings for the Security Zones, Content Ratings, Authenticode Settings, Programs, and Connection Settings, areas of the Internet Explorer Maintenance Extension and saves them as part of a GPO. The following figure shows the Internet Explorer Maintenance Extension interface used to import Connection Settings into a GPO.
Importing Internet Explorer Settings
Importazione delle impostazioni di Internet Explorer

Configuring and Importing Internet Explorer Maintenance Settings to a GPO

Administrators import settings from the appropriate settings dialog boxes in the Internet Explorer Maintenance extension of Group Policy Object Editor. The following things occur when the settings are imported:
  • The IEAK Engine (ieakeng.dll) hosts the Internet Options Control Panel (inetcpl.cpl), which then reads the current settings from the registry.
  • The Administrator then modifies the settings using the user interface of inetcpl.cpl.
  • When the settings are saved, they are written back to the registry by inetcpl.cpl. Ieakeng.dll then imports them to the appropriate GPO files.
The following figure illustrates the process of importing Internet Explorer Maintenance Extension settings.
Importing Internet Explorer Settings in XP
Importazione delle impostazioni di Internet Explorer in XP
Note
  • If an administrator tries to view the settings in a GPO by clicking Modify Settings, the current settings from the registry, instead of the GPO, are immediately imported. Clicking OK then overwrites the settings stored in the GPO with the settings in effect on the client, deleting the settings previously contained in the GPO. In this event, the administrator cannot view the GPO to find out what the previous settings were. It then becomes difficult to reconfigure the settings.

Using the Group Policy Management Console to View a GPO

To avoid overwriting the Internet Explorer Maintenance settings in a GPO, use GPMC to view the Internet Explorer Maintenance settings. GPMC runs on Windows XP Professional SP1 and Windows Server 2003 computers, and can manage Group Policy in either Windows 2000 or Windows Server 2003 domains. To see the settings contained in a GPO using GPMC, an Administrator views the Settings tab of the GPO as shown in the following figure.
Viewing Internet Explorer Maintenance Settings in GPMC
Visualizzazione delle impostazioni di manutenzione in GPMC

Applying GPO Settings to a Client Computer

The Internet Explorer Maintenance Extension uses the Internet Explorer Administration Kit (IEAK) infrastructure for both storage of settings and application to the client system.
When Group Policy is applied, Client-Side Extensions process the GPO. Internet Explorer Maintenance settings are handled by the Internet Explorer branding DLL (iedkcs32.dll). The Group Policy CSE invokes iedkcs32.dll, and two things happen:
  1. The Group Policy CSE copies all IEAK settings files created using Internet Explorer Maintenance, listed in the previousPhysical Structure Components table, to the following locations:

    Documents and Settings\<<username>>\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\

    And

    Documents and Settings\<<username>>\Application Data\Microsoft\Network\Connections\pbk\Rasphone.pbk (for connection settings)

    Note that the policy’s directory structure shown in the previous Physical Structure Components table is not replicated.
  2. The Branding DLL then applies the settings from the downloaded files to the registry on the client system. There are four possible locations for the registry settings:

    • HKLM\Software\Policies (preferred)
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
    • HKCU\Software\Policies (preferred)
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
    These locations have security permissions that a standard user cannot modify in order to change applied policy settings. These keys are created the first time a GPO configures them.
Because the IEAK settings files are stored in the user’s profile, the user has full-access permissions and can modify their contents. When the GPO is updated, the files are copied from the policy’s directory structure back to the user profile and any changes the user might have made are overwritten. Although users can modify files in their own profile, attempting to execute the .inf file will give them an Access is denied error if they attempt to write settings to a key located in the secure registry branches previously specified.
If the user has a roaming profile, the IEAK settings files in the profile can be applied when roaming. This will happen if a roaming profile user logs on to the network from a computer that can’t use Group Policy, or from one that isn’t linked to a GPO containing Internet Explorer Maintenance Extension settings. If a user has manually changed the Internet Explorer Maintenance Extension settings located in their user profile, the user’s settings will be applied to the computer. This has the potential of circumventing browser and security settings configured by the administrator. However, any settings appropriately locked-down in the registry (such as security and connection settings) will not have this problem.

Related Information

The following contains additional information that is relevant to this section.

Nessun commento:

Posta un commento

Lascia qui il tuo commento.