Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Site restrictions are common in business networks. Mangers and entrepreneurs want to limit potential distractions and Microsoft offers a range of solutions to achieve the objective. An usual practice is to adopt a proxy server but you can enforce site restrictions on Internet Explorer – even the latest versions – using a simple Active Directory Group Policy.

In this tutorial we’ll take advantage of the Content Advisor functionalities of Internet Explorer, a feature Microsoft hid in IE 10 and IE 11.

The first step is to download and install the Internet Explorer Administration Kit (IEAK). We’ll use it to create a configuration executable for IE.

Run IEAK:

Choose a shared folder (accessible by the restricted users) where to save the package:

Select the target platform:

Select the target language:

Check Configuration-only package:

Clear All then check Security Zones and Content Ratings:

Synchronize your version of IE with the latest available and click Next:

Check Import the current Content Ratings settings then click Modify Settings:

We’re now in the Content Advisor configurator. Unrestrict all the ICRA3 categories:

In the Approved Sites tab you can restrict the sites. Specify a domain and click Never, it will appear in the list below:

In the General tab check Users can see websites that have no ratings then click Create password:

Specify the supervisor password:

You’re ready to generate the .msi package:

The executable is ready, now we need to install it on the client machines. Open the Group Policy Management panel and create a new policy:

Configure the Security Filter:

From the Settings tab right-click on User Configuration and select Edit:

Add a new software package:

Select the .msi file:

Choose the deployment method:

The Group Policy is ready:

Activate the Group Policy:

After a reboot the client machines won’t be able to access Facebook, Twitter and Pinterest: