Overview: System Policies and Restrictions

System policies and restrictions for Internet Explorer are a powerful mechanism for improving the control and manageability of computers. System policies and restrictions, which are defined in a policy file, control user and computer access privileges by overriding default registry values when the user logs on.

You can use the Internet Explorer Customization wizard to predefine system policies and restrictions and to create a standard Internet Explorer configuration as part of your custom browser package. After the Internet Explorer installation, you can use the IEAK Profile Manager to centrally manage and update system policies and restrictions on your users' desktops. Also, if different groups of users have unique needs, you can use the IEAK Profile Manager to create separate policy files for each group.

Important For Windows 2000 clients, you should use Group Policy, instead of the system policies and restrictions in the Internet Explorer Customization wizard, to set user restrictions. For information about Internet Explorer settings in Group Policy, see Appendix A. For in-depth information about Group Policy, see the "Group Policy" chapter in the Distributed Systems Guide of the Windows 2000 Resource Kit.

If you are using Windows 2000 Server to administer other operating systems, however, you can set restrictions by using the system policies and restrictions feature in the Internet Explorer Customization wizard.

For example, you might want to implement system policies and restrictions to do the following:

• Determine the features that users can change, such as the Active Desktop and Internet Explorer toolbars.
• Manage bandwidth, and control the behavior and appearance of Internet Explorer.
• Specify server lists for components.
• Determine which programs are used for electronic mail and for placing Internet calls.
• Specify the users' connection settings.

Benefits of Using System Policies and Restrictions

Organizations can realize the following benefits from implementing system policies and restrictions:

• System policies and restrictions enable you to implement a standard Internet Explorer configuration. You can create a custom browser package for your users that includes common settings for browser features and functions.
• You can restrict the features that users can access within Internet Explorer by using system policies and restrictions. For example, you can preset the NetMeeting options to control audio and video access. Also, you have the option to lock down features and functions, so they either don't appear or appear dimmed on users' desktops.
• Setting system policies and restrictions enables you to change default registry values. You can use the settings in a policy file to change registry values on multiple computers, eliminating the need to specify settings individually on each user's computer.

Issues to Consider Before Setting System Policies and Restrictions

Before implementing system policies and restrictions, you should consider the following issues:

• What types of system policies and restrictions would you like to define and manage centrally? For example, do you want to limit access to a particular feature or specify settings in advance for a program?
• Do you want to use one set of standard system policies and restrictions for all users and computers, or do you want to create multiple policy files for groups of users? Different groups of users may have unique needs.
• What types of security settings do you want to implement? You can choose to lock down all the settings, to control the settings but make them available for roaming users to download, or to customize the settings while allowing users to modify them.

  You should consider the impact of these settings, especially if you have roaming users who share computers with other people. For example, what are the implications of removing icons from the desktop or not allowing users to change their security settings? Make sure that your users understand which features they can access.

• Do you want to store the policy files in a central location or on users' computers? You may want to store the file on a server so that roaming users can access the settings from computer to computer. This capability could be useful, for example, for a user who needs low security settings but who uses a computer that is operated by another person whose security settings are higher.