This article shows how to configure proxy settings for the Internet Explorer 11 browser using Active Directory Group Policies. In earlier versions of Internet Explorer (6, 7 and 9), you configured Internet Explorer settings in the following section of the Group Policy Editor console: User configuration -> Policies -> Windows Settings -> Internet Explorer Maintenance.
However, in Internet Explorer 10 (introduced in Windows Server 2012 and Windows 8), the developers removed the Internet Explorer Maintenance (IEM) section from the Group Policy Editor. Moreover, this section also disappears in Windows 7/Windows Server 2008 R2 after Internet Explorer 10 or 11 is installed. Even if you continue to apply an old IEM policy to a computer with IE 10 or 11, it will not work.
Tip. In January 2016 it was announced that support ends for all old versions of Internet Explorer. Thus, Internet Explorer 11 has become the only supported version in the IE family. This means that you must upgrade IE on all computers to version 11.
Configure GPO Proxy Settings for IE 11
Now, it is necessary to use a new way to manage IE settings: Group Policy Preferences (GPP) or Internet Explorer Administration Kit 11 (IEAK 11). As claimed by Microsoft, it is more flexible and convenient. To configure IE 11 proxy settings via GPO, perform the following actions:
- Open the Group Policy Management Console on a computer with Windows 8/10/Server 2012/R2 and create a new (or edit an existing) GPO. Expand the following section: User Configuration > Preferences > Control Panel Settings > Internet Settings. Right-click and select New > Internet Explorer 10 (this policy will also be applied to IE 11 and above).
- In the window with the IE settings, go to the Connections tab and press the LAN Settings button.
- Tick the checkbox “Use a proxy server for your LAN” and specify the Address and Port of your proxy server (for example 192.168.1.11, port 3128). To enable this option, press the F6 key (the underline for that setting will change color from red to green). To disable the setting, press F7.
Tip. A green underline for an IE parameter means that this policy is enabled and will be applied through Group Policy. A red underline means that the setting is configured, but disabled for users’ computers. To enable all settings on the current tab, press F5. To disable all policies on this tab, press F8.
Note the Bypass Proxy Server for Local Addresses option. When this policy is enabled, local resources are always accessed directly, not through a proxy server. Windows automatically recognizes addresses of the format http://theitbros as local, and IE bypasses the proxy when accessing them. However, addresses of the format http://forum.theitbros.local or http://192.168.0.50 are not recognized by the system as local. To avoid using a proxy to access such resources, you need to configure exceptions for them using the policy Do not use proxy servers for addresses beginning with (see below).
- If you need to specify the list of address exceptions, click Advanced. In the field Do not use proxy servers for addresses beginning with: specify the list of IP addresses or domains. For example: 192.*;*.theitbros.com
- Press OK twice to save settings.
Note. This rule only works for Internet Explorer 10 and Internet Explorer 11. For earlier versions, you need to create separate rules.
It remains to link the GPO to the desired Active Directory organizational unit (OU) (in the GPMC console, right-click the respective AD container, select Link an Existing GPO and find your IE proxy policy), update the group policy settings on the client computers (gpupdate /force) and check the proxy settings in IE.
Tip. To configure the new IE policy from Windows Server 2008/R2, you need to download the Administrative Templates for Internet Explorer and copy the files Inetres.admx and Inetres.adml to the folder %SYSTEMROOT%\PolicyDefinitions\.
You can also configure IE proxy settings using the registry. Expand the GPP section User Configuration > Preferences > Registry and create 3 registry values in the following registry path:
- ProxyEnable (REG_DWORD) = 00000001
- ProxyServer (REG_SZ) = 192.168.1.11:3128
- ProxyOverride (REG_SZ) = 192.*;*.theitbros.com
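
To review which requests the exception list (the Advanced dialog field and the ProxyOverride value above) sends around the proxy, the following added example, which is not from the original article, models the two bypass rules described in the text. It is a simplified model of the matching, not Internet Explorer's own code; the function names and the last three sample URLs are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Values taken from the article's example policy.
PROXY_SERVER = "192.168.1.11:3128"
PROXY_OVERRIDE = "192.*;*.theitbros.com"

# First three URLs are quoted in the article; the rest are constructed samples.
SAMPLE_URLS = [
    "http://theitbros",
    "http://forum.theitbros.local",
    "http://192.168.0.50",
    "http://www.theitbros.com",
    "http://192.0.2.10",       # public documentation range, still matches 192.*
    "https://example.org/",
]


def goes_direct(url, override=PROXY_OVERRIDE, bypass_local=True):
    """Return True if this simplified model sends `url` around the proxy."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        raise ValueError(f"no host name in {url!r}")
    # "Bypass proxy server for local addresses": only dot-less names are local.
    if bypass_local and "." not in host and ":" not in host:
        return True
    # Exception list: ';'-separated wildcard patterns matched against the host.
    patterns = [p.strip().lower() for p in override.split(";") if p.strip()]
    return any(fnmatchcase(host, p) for p in patterns)


def audit(urls, override=PROXY_OVERRIDE, bypass_local=True):
    """Map each URL to 'DIRECT' or 'PROXY <server>' for review."""
    return {
        u: "DIRECT" if goes_direct(u, override, bypass_local)
        else f"PROXY {PROXY_SERVER}"
        for u in urls
    }


if __name__ == "__main__":
    for url, route in audit(SAMPLE_URLS).items():
        print(f"{route:<24} {url}")
```

In this model the pattern 192.* sends every host whose address starts with 192. direct, not only the 192.168.x.x range, so a narrower pattern such as 192.168.* may be closer to the intent when traffic is expected to pass through the proxy.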