Thursday, October 8, 2015

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Site restrictions are common in business networks. Managers and entrepreneurs want to limit potential distractions, and Microsoft offers a range of solutions to achieve that objective. A common practice is to adopt a proxy server, but you can also enforce site restrictions on Internet Explorer, even the latest versions, using a simple Active Directory Group Policy.
In this tutorial we’ll take advantage of the Content Advisor functionalities of Internet Explorer, a feature Microsoft hid in IE 10 and IE 11.
The first step is to download and install the Internet Explorer Administration Kit (IEAK). We’ll use it to create a configuration executable for IE.
Run IEAK:
Choose a shared folder (accessible by the restricted users) in which to save the package:
Select the target platform:
Select the target language:
Check Configuration-only package:
Clear All then check Security Zones and Content Ratings:
Synchronize your version of IE with the latest available and click Next:
Check Import the current Content Ratings settings then click Modify Settings:
We’re now in the Content Advisor configurator. Unrestrict all the ICRA3 categories:
In the Approved Sites tab you can restrict the sites. Specify a domain and click Never; it will appear in the list below:
In the General tab check Users can see websites that have no ratings then click Create password:
Specify the supervisor password:
You’re ready to generate the .msi package:
The executable is ready, now we need to install it on the client machines. Open the Group Policy Management panel and create a new policy:
Configure the Security Filter:
From the Settings tab right-click on User Configuration and select Edit:
Add a new software package:
Select the .msi file:
Choose the deployment method:
The Group Policy is ready:
Activate the Group Policy:
After a reboot the client machines won’t be able to access Facebook, Twitter and Pinterest:
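
The GPO creation, Security Filter and activation steps above can also be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original tutorial; the GPO name, group, OU and share path are assumed placeholders, and the package assignment under User Configuration still has to be made in the editor because the module has no cmdlet for Software Installation.

```powershell
# Added example: scripted equivalent of the "create policy / Security Filter /
# activate" steps. Every name below is a placeholder (assumption).
Import-Module GroupPolicy

$GpoName  = 'IE Content Advisor Restrictions'   # hypothetical GPO name
$Group    = 'Restricted-Web-Users'              # hypothetical security group
$TargetOU = 'OU=Staff,DC=example,DC=com'        # hypothetical OU holding the users
$Package  = '\\fileserver\ieak\IE-config.msi'   # hypothetical UNC path to the IEAK output

# The package has to be referenced by UNC path: a local path (C:\...) stored
# in the GPO cannot be resolved by the client machines.
if ($Package -notlike '\\*') { throw "Use a UNC path, not '$Package'." }
if (-not (Test-Path -LiteralPath $Package)) { throw "Package not reachable: $Package" }

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'IEAK Content Advisor package' }

# Security filtering: only members of $Group apply the policy.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Authenticated Users is lowered from Apply to Read, not removed. Since the
# MS16-072 update, user policy is retrieved in the computer's security context,
# so a GPO the computer account cannot read is silently skipped.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Only User Configuration is used, so the computer half can be switched off.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Link (activate) the GPO on the OU unless the link already exists.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }

# Review the resulting filter before adding the package in the editor.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```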