Recently, i have had the pleasure of working on some very challenging items across a whole slew of products and operating systems; I came across a particular problem one day in relation to Internet Explorer settings for IE7 and IE8. The problem was around authentication with internal websites, several sharepoints and internal web farms kept prompting for credentials despite being in the trusted sites zone.

However unaffected were the IE6 users… Strange huh ? Well apparently the guys over at the internet explorer team decided that it was time for people to start using the zone assignments correctly, large business has a habbit of adding everything into the trusted sites zone (ment for external trusted sites) instead of placing it in the Intranet zone… Bold large business!

So i began my mission of correcting this problem, but noticed straight away that Dr. Google was a wash with half answers and untested answers… So i was going to have to work this one out on my own.

Scope

As the internet explorer 6 users were able to function correctly without issue, it became apparent that we don’t want to disturb this in any way, so we have to rely on some cunning features of group policy. Unfortunately nearly all the group policy settings for internet explorer are agnostic to the version, meaning we couldn’t simply create a second gpo with different specific IE7/8 settings.

How do we do this ?

Its impractical for us to do AD Groups, especially as this problem is across a large enterprise of 10k+ clients; So this meant we had to try leverage a function/component/feature of windows that could decide for itself what policy (IE6 or IE7/8 based policy) needs to be applied dynamically.

The only real clean way of doing this is by leveraging WMI (Windows Management Instrumentation).

What to do

  1. Clone your existing IE Policy (Export and import) and put IE8 on the end when naming it.
  2. Move your internal sites into the intranet zone, leaving external trusted sites in the trusted zone.
  3. Create two filters (call them IE6 filter and IE7/8 Filter)

In Filter 1 (IE6 Filter) Place the following Code:

root\CIMv2

SELECT * FROM CIM_DataFile WHERE Filename = 'iexplore' AND Path = '\\Program Files\\Internet Explorer\\' AND version<'6.00.9999.9999'

In Filter 2 (IE7/8 Filter) place the following Code:

SELECT * FROM CIM_DataFile WHERE Filename = 'iexplore' AND Path = '\\Program Files\\Internet Explorer\\' AND version>'7.0'

Link & Apply

Simply set your filters in your GPO and test and see if they are applying correctly.

On Windows XP Open a command prompt and type:

gpresult

On Windows Vista/7 Open a command prompt and type:

gpresult /R