Adblocking for Internet Explorer without an extension: Enterprise deployment
[Article last updated 2017-03-07]
Blocking advertising has multiple security and performance benefits to clients. Ads are especially dangerous to corporate computers, which often run outdated plugins that can be exploited by malvertising. Most people immediately jump to thinking they need Firefox or Chrome to do this. However, did you know Internet Explorer has adblocking built-in? The feature is called "Tracking Protection Lists," and while not as powerful as a full adblocking extension, it is very effective.
We will be using a subset of the EasyList adblocking list that Adblock Plus uses, so these rules are fully tested and maintained. This setting will be deployed via Group Policy Registry Preferences. We are doing this all with 100% native Microsoft functionality. Of course, Microsoft never bothered to tell anyone how to deploy it centrally, so I figured it out for you already.
Part 1: Get familiar with Tracking Protection
Before you deploy this to the enterprise, you should understand Tracking Protection Lists in Internet Explorer and use it yourself. The feature was added back in Internet Explorer 9 with some fanfare which quickly disappeared.
This section is just to teach you about the feature; it has no bearing on deployment.
Install EasyList Standard TPL
Gear icon > Manage add-ons > Tracking Protection > Get a Tracking Protection List online...
You will then be taken to https://www.microsoft.com/en-us/iegallery. Scroll down to "Tracking Protection List."
Click "Add" next to EasyList Standard.
Test on popular and internal sites
Go to various popular websites like cnet.com. Notice the blue warning icon on the left of the address bar. If you click this, you can turn off adblocking for that site should it cause issues.
Part 2: Deployment with Group Policy
Ultimately, the Tracking Protection List preferences are in the user registry, so we can easily add and remove them with user Group Policy Registry Preferences. Here's a list of the keys you need to deploy. Set all of them as Update and "Apply once and do not reapply."
- HKCU\Software\Microsoft\Internet Explorer\Safety\PrivacIE
  - Name: FilteringMode
  - Type: REG_DWORD
  - Value: 0
- HKCU\Software\Microsoft\Internet Explorer\Safety\PrivacIE\Lists\{7C998372-3B89-46E6-9546-1945C711CD0C}
  - Name: Enabled
  - Type: REG_DWORD
  - Value: 1
- HKCU\Software\Microsoft\Internet Explorer\Safety\PrivacIE\Lists\{7C998372-3B89-46E6-9546-1945C711CD0C}
  - Name: Name
  - Type: REG_SZ
  - Value: EasyList
- HKCU\Software\Microsoft\Internet Explorer\Safety\PrivacIE\Lists\{7C998372-3B89-46E6-9546-1945C711CD0C}
  - Name: Path
  - Type: REG_SZ
  - Value: %AppDataDir%\Local\Microsoft\Internet Explorer\Tracking Protection\{7C998372-3B89-46E6-9546-1945C711CD0C}.tpl
  - (Note: AppDataDir is a legitimate variable that works in Group Policy)
- HKCU\Software\Microsoft\Internet Explorer\Safety\PrivacIE\Lists\{7C998372-3B89-46E6-9546-1945C711CD0C}
  - Name: Url
  - Type: REG_SZ
  - Value: http://easylist-msie.adblockplus.org/easylist.tpl
Part 3: User experience
I'll assume you have assigned the Group Policy above to a test user and it has applied.
Once the user launches Internet Explorer, after a few seconds it will realize it's missing the LastUpdateTime registry key for the TPL we just added in the registry. Internet Explorer will then download the ~750KB file to the path specified above. The filtering will then be applied on subsequent page loads.
Internet Explorer will check for updated versions of the list every 4 days per the value in the EasyList file. If you want to reduce or increase this, make a TTL REG_DWORD value with the number of days between checks under the same key as above.
Please exercise proper change management processes while rolling this out to your company. It's possible one of the EasyList rules may block something legitimate on internal or external corporate sites.
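To confirm on a pilot machine that the preferences from Part 2 applied and that Internet Explorer fetched the list as described in Part 3, a check like the following can be run in the test user's session. This is an added example, not part of the original article; the helper name Get-RegValue is hypothetical, and the script assumes LastUpdateTime is written under the same list key.

```powershell
# Added example: run in the test user's own session (the values live in HKCU).
$guid    = '{7C998372-3B89-46E6-9546-1945C711CD0C}'
$base    = 'HKCU:\Software\Microsoft\Internet Explorer\Safety\PrivacIE'
$listKey = "$base\Lists\$guid"

# Expected values, copied from the list in Part 2.
$expected = @(
    @{ Key = $base;    Name = 'FilteringMode'; Value = 0 }
    @{ Key = $listKey; Name = 'Enabled';       Value = 1 }
    @{ Key = $listKey; Name = 'Name';          Value = 'EasyList' }
    @{ Key = $listKey; Name = 'Url';           Value = 'http://easylist-msie.adblockplus.org/easylist.tpl' }
)

# Hypothetical helper: returns $null when the key or the value is missing.
function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$results = foreach ($e in $expected) {
    $actual = Get-RegValue $e.Key $e.Name
    [pscustomobject]@{ Check = $e.Name; Actual = $actual; Ok = ($actual -eq $e.Value) }
}

# Path: Group Policy should have expanded %AppDataDir% before writing the value,
# so a leftover '%' means the preference item was stored unexpanded.
$path = Get-RegValue $listKey 'Path'
$results += [pscustomobject]@{
    Check  = 'Path (expanded, .tpl downloaded)'
    Actual = $path
    Ok     = [bool]($path -and $path -notmatch '%' -and (Test-Path -LiteralPath $path))
}

# Assumption: LastUpdateTime appears under the list's key once IE has fetched the list.
$results += [pscustomobject]@{
    Check  = 'LastUpdateTime present'
    Actual = '(not shown)'
    Ok     = ($null -ne (Get-RegValue $listKey 'LastUpdateTime'))
}

$results | Format-Table -AutoSize
# Non-zero exit code if any check failed, so the script can gate a pilot rollout.
if ($results.Ok -contains $false) { exit 1 }
```

The last two checks only pass after Internet Explorer has been launched at least once under that user, since the download happens on first run.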
Sources
I discovered after I had written this that James Rankin also found out how to do this.
http://www.htguk.com/improving-citrix-xenapp-session/