Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Site restrictions are common in business networks. Mangers and entrepreneurs want to limit potential distractions and Microsoft offers a range of solutions to achieve the objective. An usual practice is to adopt a proxy server but you can enforce site restrictions on Internet Explorer – even the latest versions – using a simple Active Directory Group Policy.

In this tutorial we’ll take advantage of the Content Advisor functionalities of Internet Explorer, a feature Microsoft hid in IE 10 and IE 11.

The first step is to download and install the Internet Explorer Administration Kit (IEAK). We’ll use it to create a configuration executable for IE.

Run IEAK:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Choose a shared folder (accessible by the restricted users) where to save the package:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Select the target platform:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Select the target language:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Check Configuration-only package:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Clear All then check Security Zones and Content Ratings:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Synchronize your version of IE with the latest available and click Next:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Check Import the current Content Ratings settings then click Modify Settings:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

We’re now in the Content Advisor configurator. Unrestrict all the ICRA3 categories:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

In the Approved Sites tab you can restrict the sites. Specify a domain and click Never, it will appear in the list below:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

In the General tab check Users can see websites that have no ratings then click Create password:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Specify the supervisor password:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

You’re ready to generate the .msi package:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

The executable is ready, now we need to install it on the client machines. Open the Group Policy Management panel and create a new policy:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Configure the Security Filter:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

From the Settings tab right-click on User Configuration and select Edit:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Add a new software package:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Select the .msi file:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Choose the deployment method:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

The Group Policy is ready:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Activate the Group Policy:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

After a reboot the client machines won’t be able to access Facebook, Twitter and Pinterest:

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Read related articles