четверг, 19 марта 2009 г.

Improving the Education Experience with Internet Explorer 8

Original: Improving the Education Experience with Internet Explorer 8

Thinking back, I think we can all remember a time sitting in our high school computer labs, clamoring away on the keyboard trying to finish some assignment our Computer Studies teacher, Mr. Smith for the example I'm going to use in this post, had assigned. Something that I always found amazing was how the high school IT Administrators, usually also Mr. Smith, would be able to manage such an environment on a relatively tiny budget.

Today's large corporations can afford fairly specialized IT Pro staff. However, my post today will be focusing on small IT Pro shops and providing guidance on how to customize and deploy Internet Explorer 8. In particular, I will be using the example of how Mr. Smith can use IE8 to improve the education experience of his students.

Customizing Internet Explorer 8

Though, there are many ways to configure IE on your existing machines, this post will focus on Internet Explorer Administration Kit (IEAK) and Group Policy.

IEAK allows you to deploy customized packages and manage IE settings post deployment. For instance, Mr. Smith could use IEAK to create a custom IE package for his students that has school related favorites, search providers, home pages, Web Slices, Accelerators, and more. IEAK allows you to choose preferred defaults; the end-user can still overwrite these defaults. IEAK8 is available for everyone to try. To learn more about the IEAK, check out my interview on Technet Edge.

Group Policy on the other hand can be used to lock down features or settings that a user cannot overwrite, as they are always written to a secure tree in the registry. If you use an Active Directory environment, Group Policy provides a wide set of policy settings to manage IE8 after you have deployed it to your users' computers (For more information on Active Directory and how to set it up, read this TechNet article.) Furthermore, Group Policy allows you to create IE (and other software) configurations as a part of Group Policy objects (GPOs). The GPOs are linked to hierarchical Active Directory containers such as sites, domains, or organizational units. A client-side extension ensures that your policies are applied and refreshed regularly. You can always configure different policies for different sets of users based on their needs. We have added approximately 140 new Group Policies

Now, let's assume Mr. Smith has the following resources at Acme High School, the school where he works:

  • Acme High School library website
  • Acme High School online grade tracking website
  • Acme High School assignments website
  • Acme High School exam schedule website
  • Acme High School gym schedule website

With IEAK8 and group policy, Mr. Smith can join these resources to provide a convenient and seamless experience for his students. Let's assume that Mr. Smith would like to make customizations in the following areas:

  • Home pages
  • Accelerators
  • Web Slices
  • Search Providers
  • Security Settings
  • InPrivate Browsing
  • Compatibility View
  • Performance

IEAK comes in three licensing modes: Corporate, Internet Content Provider (ICP) and Internet Service Provider (ISP) modes. Each of these modes has varying degrees of customizability; the What Internet Explorer Administration Kit Can Do For You article describes the different licensing modes.

In Mr. Smith's case, as he is distributing the customized IE internally he can use the IEAK corporate license mode.

Home Pages.

Customized home pages are a perfect way to draw student's attention to important school information as they open their browsers. Mr. Smith can use the Important URLs – Home page and Support dialog of the IEAK8 to add home pages like Acme High School site, Acme High Grades site, Acme High Gym schedule.

IEAK page to set important urls such as homepage and support

To add homepages, simply click on the Add button and provide the relevant URLs. IEAK gives the option to retain previous home pages in the upgrade scenario; in this case, Mr. Smith has chosen to ignore that option.

Instead of providing default home pages, what if Mr. Smith wanted to lock down the home pages to ensure that your students always checked the latest updates on their class websites? He can use the Disable changing home page settings and the Disable changing secondary home page settings group policy to accomplish this. Furthermore, the Mr. Smith can use the Configure new tab page default behavior group policy to ensure that a new tab always opens the home page.

Policy Name

Policy Path

Disable changing home page settings

Windows Components\Internet Explorer

Disable changing secondary home page settings

Windows Components\Internet Explorer

Configure new tab page default behavior

Windows Components\Internet Explorer

The following screenshot is an example of the Acme High School branded home pages that Mr. Smith could add through IEAK or Group Policy:

IE Chrome showing the Acme High school favorites group

Accelerators.

One of the new exciting features of IE8 are Accelerators. Accelerators can help students increase efficiency in navigation and can be used to promote the school resources. Mr. Smith may be interested in creating Accelerators for Acme High School email, Searching with Acme High School Library Database and Translating Spanish for Spanish 101, as examples. Instructions for creating the required Accelerator XML file can be found in the OpenService Accelerators Developer Guide.

In IEAK8, Mr. Smith can use the Accelerators dialog to import or add Accelerators.

IEAK page to customize Accelerators

The Import button will import Accelerators that are currently installed on Mr. Smith's local IE8. This makes it easy for him to import his favorite Accelerators. To add Accelerators, Mr. Smith needs to click on the Add button and simply point to the Accelerator XML file. Setting an Accelerator as the default for that category allows it to appear in the main Accelerator drop down.

Group Policy gives a few options to configure Accelerators. The Deploy non-default Accelerators and Deploy default Accelerators allows Mr. Smith to append Accelerators to the user's existing Accelerators (Non-default Accelerators are Accelerators that are found in the spill way full Accelerators menu). The user cannot delete these Accelerators but can continue to add additional Accelerators.

Policy Name

Policy Path

Deploy non-default Accelerators

Windows Components\Internet Explorer\Accelerators

Deploy default Accelerators

Windows Components\Internet Explorer\Accelerators

Turn off Accelerators

Windows Components\Internet Explorer\Accelerators

Use Policy Accelerators

Windows Components\Internet Explorer\Accelerators

Mr. Smith has the additional option to completely turn off Accelerators or limit their use to just policy Accelerators with the Turn off Accelerators and Use Policy Accelerators policies. With all Accelerator policies, you need to place the Accelerator XML file on a network location.

The following screenshot is an example of the Acme High School branded Accelerators that Mr. Smith could add through IEAK or Group Policy:

Accelerator menu showing Acme High School Accelerators

Web Slices.

Another new IE8 feature is Web Slices. With Web Slices students wouldn't need to go back to the same websites again and again for updates on Grades, Exam schedules, Gym times or trip information – those updates would come to them. In order to create a Web Slice, please refer to the Web Slice Format Specification documentation.

Web Slices can be added from the Favorites, Favorites Bar and Feeds dialog of the IEAK8. To add a Web Slice, click on the Favorites Bar and select Add URL. Give the Web Slice a name and provide the Web Slice URL, as shown below and you're done.

IEAK page to customize favorites, feeds and the Favorites bar

Details view to add a Web Slice

Mr. Smith can also ensure that his students won't be deleting the Web Slices that he adds by enabling the Turn off addition and removal of feeds and Web Slices Group Policy.

Policy Name

Policy Path

Turn off addition and removal of feeds and Web Slices

Windows Components\RSS Feeds

Search Providers.

The Search Provider box is another area of customization that would help students use valuable resources, like searching the Acme School Library database, encyclopedia, or even local newspapers. For information on creating search providers, please refer to the Search Provider Extensibility in Internet Explorer documentation.

Search Providers can be added in the Search Providers dialog of IEAK8. Clicking on the Import button will, as is the case with Accelerators, import Search Providers that are already on Mr. Smith's local box. In IEAK8, we have added support for Suggests URL and Accelerator preview URL to give a rich visual search experience.

IEAK page to customize search providersIEAK details view to customize search providers

You can also add Search Providers through the Restrict search providers to a specific list of providers Group Policy. In order to use this policy, you need to create a custom Administrative Template file. Custom Administrative Template files can be created by program developers or IT professionals to extend the use of registry-based policy settings to new programs and components. To learn how to create a custom Administrative Template file to add search providers, please see this article.

The following screenshot is an example of the Acme High School branded Search Providers that Mr. Smith could add through IEAK or Group Policy:

Search box drop down menu showing Acme customized search providers

Security Settings

In order to protect his students and the school resources, Mr. Smith would be very interested in locking down the security settings of his school computers.

Internet Explorer 8 security zones enable you to divide the Internet and intranet into four groups of trusted and untrusted areas, and to designate the particular safe and unsafe areas that specific Web content belongs to. This Web content can be any item, from an HTML or graphics file to a Microsoft ActiveX® control, a Java applet, or an executable program. 
Mr. Smith can assign sites to particular zones using the Site to Zone Assignment Group Policy. After establishing zones of trust, he can set browser security levels for each zone, by using the Zone Template Group Policies found under the Security Page node, Windows Components\Internet Explorer\Internet Control Panel\Security Page. In this manner, he can control settings for ActiveX controls, downloading and installation, scripting, cookie management, password authentication, cross-frame security, and Microsoft virtual machine (VM) capabilities.

For the template policies, it is recommended to configure them in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

By enabling the SmartScreen Filter, Mr. Smith can help protect users from malicious sites that conduct phishing attacks or attempt to download malicious software. By configuring the "Prevent bypass" setting, he can prevent users from inadvertently ignoring SmartScreen warnings for known-malicious sites.

Policy setting name

Policy path

Prevent Bypassing SmartScreen Filter Warnings

Windows Components\Internet Explorer

Turn off Managing SmartScreen Filter

Windows Components\Internet Explorer

Use SmartScreen Filter

Windows Components\Internet Explorer\Internet Control Panel\Security Page\[Per Zone]

Malicious or defective add-ons can cause browser performance or security problems. Mr. Smith can configure Group Policies to restrict which add-ons may be installed or run.

Policy setting name

Policy path

Allow third-party browser extensions

Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

Add-on List

Windows Components\Internet Explorer\Security Features\Add-on Management

Deny all add-ons unless specifically allowed in the Add-on List

Windows Components\Internet Explorer\Security Features\Add-on Management

All Processes

Windows Components\Internet Explorer\Security Features\Add-on Management

Process List

Windows Components\Internet Explorer\Security Features\Add-on Management

Do not allow users to enable or disable add-ons

Windows Components\Internet Explorer

For more information on recommended Group Policy settings for high security, please take a look at the IE8 Deployment Guide recommended security settings section.

Custom Components

What if Mr. Smith wants to install additional components as he is installing IE8? The Custom Components dialog of the IEAK8 is designed specifically for this purpose.

IEAK custom components dialog

On this dialog, Mr. Smith can add up to ten components that will be installed at the same time as Internet Explorer. These components could be course specific educational software, toolbars, or any software Mr. Smith wants to include on his environment. These components can be compressed cabinet (.cab) files or self-extracting executable (.exe) files.

Custom code that is downloaded over the Internet should be signed to let users know that they can trust the code before downloading it to their computers. The default settings in Internet Explorer 8 reject unsigned code.

When you add a component, you can specify when to install components in relation to the installation of Internet Explorer. To minimize the number of restarts, you can install the component before or after Internet Explorer in installed, or after the required system restart. Install before Internet Explorer option is usually used for batch files that configure user settings, while installing after Install after Internet Explorer option is usually used for software updates. Install after system restarts option should be used if the component contains system service packs or Java Virtual machine updates, as examples.

Customers often ask me about the other options on this dialog:

  • Command: If you specified a .cab file, you can also specify a command to extract the file.
  • GUID: Globally unique identifier (GUID) establishes a unique identity for programs, objects, and other items. If your program already has a GUID, type it in this box. If your program does not have a GUID, one is generated for you.
  • Parameter: You can specify command-line options to run with your custom program. For example, you might want to install your program silently, so that users do not see prompts during setup of your program or Internet Explorer.
  • Uninstall Key: Microsoft Update Setup compares this value to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ApplicationName to verify that the component installed correctly.
  • Version: Type the serial number that you want to assign to the custom Internet Explorer package you are creating. The correct format for this version number is xxxx,xxxx,xxxx,xxxx. The version is a number and does not include alphabetical characters.
  • Verify: Click Verify to determine whether the program was digitally signed.

InPrivate Browsing.

InPrivate Browsing allows users to not leave any traces of web browsing actions by preventing browsing history, temporary Internet files, form data, cookies and usernames/passwords from being stored or retained locally. Mr. Smith would most probably want to keep track of student's browsing habits and can turn off this feature entirely using the Turn off InPrivate Browsing Group Policy.

Policy Name

Policy Path

Turn off InPrivate Browsing

Windows Components\Internet Explorer\InPrivate

Compatibility View.

If the school network sites are all designed to be used in IE7 and Mr. Smith wants to save costs in testing all of his sites, he can use the Turn on Internet Explorer 7 Standards Mode group policy. Likewise, if all of his sites are tested for IE8, but he hasn't got around to a few, he can use the Use Policy List of Internet Explorer 8 sites group policy to determine the rendering mode on a per site basis.

Policy Name

Policy Path

Turn on Internet Explorer 7 Standards Mode

Windows Components\Internet Explorer\Compatibility View

Use Policy List of Internet Explorer 7 sites

Windows Components\Internet Explorer\Compatibility View


Performance

What if the computer lab had really old computers? Or maybe they are brand new and Mr. Smith wants to maximize performance? He can use the Set tab process growth group policy to configure how many processes you want per tab. The default setting will create the optimal number of tab processes based on the operating system and amount of physical memory.

He could also increase the maximum number of connections per server by using the connection scaling group policies.

Policy Name

Policy Path

Set tab process growth

Windows Components\Internet Explorer

Maximum number of connections per server (HTTP 1.0)

Windows Components\Internet Explorer\Security Features\AJAX

Maximum number of connections per server (HTTP 1.1)

Windows Components\Internet Explorer\Security Features\AJAX

Mixed Environment

Mr. Smith could have a mixed environment with some computers running IE7 and others running IE8. How would he go about configuring Group Policy? Mr. Smith does not need to create separate Group Policy Objects for each version of IE; the policies will apply to the version of IE that is supported. If a policy has changed behavior between IE versions, the explain text will be clear on the different behavior for each version. The Requirements field, in the policy explain text, describes the supported versions of IE.

Multiple Languages

Mr. Smith can build customized IE8 packages in 24 languages using the IEAK. The IEAK Wizard itself is localized in 24 languages. So if Mr. Dixon in France wants to build French IE8 packages using a French IEAK Wizard, he can do so. Please note that for Windows XP, the IEAK8 language needs to match the base OS language (except for English) in order to install the localized IEAK.

Deploying Internet Explorer 8

Mr. Smith has a few options to deploy his customized IE8 package. He can use IEAK to create either a full installation of IE as an .exe or .msi or a configuration-only package. The configuration-only package is a branding only package when IE8 is already installed.

Mr. Smith can use System Center Configuration Manager (SCCM) or Active Directory to deploy the customized IE package. As Mr. Smith already has an Active Directory environment, this is the recommended approach. To deploy applications in Active Directory environments, the application installer must be a Windows Installer package, which means that we need to use the .msi package rather than the .exe package. To use Active Directory to deploy software, read this KB article.

As this blog has described, even a small IT Pro shop like that of Mr. Smiths can use Internet Explorer 8 to help students fully realize all the resources that are available. I hope this information was useful and look forward to your feedback once you've had a chance to try it out.

Jatinder Mann
Program Manager

Комментариев нет: