Month: August 2018

Internet Explorer Tracking Protection

One of the most overlooked features of Internet Explorer is Tracking Protection. Tracking Protection prevents websites from tracking your browsing behavior. For instance, if you search Google for, let’s say, a new Synology NAS box, a lot of NAS-related ads suddenly appear in your Facebook feed and on various other ad-driven sites. That’s basically tracking: someone somewhere now knows that you are in the market for a new NAS.

However, Tracking Protection also prevents all ads, Flash content and the like from being loaded when accessing a website. This means that in most cases websites will load faster and not consume as many system resources.

In this blog I will cover how to enable Tracking Protection and why I recommend doing this, especially in a multiuser scenario.

Up until a few years ago my preferred browser was Internet Explorer. Actually, besides the good old days with Netscape Navigator, I have always used Internet Explorer when browsing the internet. I am not trying to start yet another browser war here, but the alternatives like Google Chrome, Mozilla Firefox or Opera never really appealed to me. I had gotten used to working with Internet Explorer and liked, and still like, the way it works.

However, when Windows 10 was released we received a new browser called Edge. Edge is supposed to be the successor of Internet Explorer, and at least for my part that is the case, but according to various sites it doesn’t look like Edge is being favoured by many people; it’s still Google Chrome that’s topping the lists as the most preferred browser.

Even though Google Chrome may be the most preferred browser, this is usually not the case in a multiuser setup like Citrix XenApp or Microsoft RDS, where we would like to provide a secure and consistent user experience, and that includes the browsing experience. We can, via Group Policy, lock down almost everything in Internet Explorer, which gives us total control of what parts of Internet Explorer the user can access and/or configure. Any Internet Explorer security updates, or just regular feature updates, are all maintained either via the Microsoft Update site or via an internal Windows Server Update Services (WSUS) server, which means that during our regular Windows operating system maintenance we get updates for Internet Explorer as well as any other relevant Microsoft software.

So how does it work?

How to configure Tracking Protection manually:

First we need to enable Tracking Protection in Internet Explorer:

Click – Tools -> Internet Options – Programs

Click – Manage add-ons

Click – Get a Tracking Protection List online…

This should bring you to this site – http://iegallery.com/da/trackingprotectionlists/ (or a similar-looking URL based on your region)

That site errors out, way to go Microsoft!

This has been an issue for at least 6 months, maybe more, and it doesn’t look like Microsoft is going to fix it anytime soon.

So what we need to do instead is go to this URL – https://www.microsoft.com/en-us/iegallery

Scroll down to the Tracking Protection Lists section and select EasyList Standard, EasyList and Stop Google Tracking by clicking Add on each list.

This adds the lists to Internet Explorer, and your Tracking Protection configuration should now look like this:

Your browsing experience should now be significantly faster than before the activation of Tracking Protection and also consume fewer system resources.

I have created 2 short videos in which I demonstrate the browsing experience in Internet Explorer with and without Tracking Protection enabled. The demonstration is done in Citrix XenApp 7.18 on Windows Server 2016 in Internet Explorer 11 with the latest Microsoft Updates. I have used http://www.cnn.com for demonstration purposes; however, you will probably notice the same behavior with pretty much any other site.

Tracking Protection disabled:

Tracking Protection enabled:

Have a look at the CPU usage in the first video, where Tracking Protection is disabled. When the site just sits there doing nothing, the CPU usage is somewhere between 40% and 70%. This is huge if you have multiple users on a Session Host server; imagine 10 users just loading this page and letting it sit doing nothing.

In the second video, where Tracking Protection is enabled, the CPU usage is looking a lot better: somewhere between 5% and 15% when the site just sits there doing nothing. Also, 37 services have been blocked on this particular website. As I scroll up and down, CPU usage spikes do occur because of the change in content on the site; this is normal behaviour and will occur both with and without Tracking Protection.

How to configure Tracking Protection via Group Policy:

So now you may be asking “Now I have the Tracking Protection enabled on my local Internet Explorer browser, how do I enable it for every user in my environment?”. The answer to that question is: “Via Group Policy and Group Policy Preferences, of course :)”

Once Tracking Protection has been enabled a few things happen in the file system and registry.

In the file system:

  • In the user’s profile, 3 so-called TPL files get downloaded. These files contain the EasyList, EasyPrivacy and Stop Google Tracking lists.
  • The TPL files can be found in %LOCALAPPDATA%\Microsoft\Internet Explorer\Tracking Protection and look like this:
  • Copy the TPL files to a central location like NETLOGON or a share where users have read access.

In the registry:

  • In the user’s registry, 3 registry keys and a few values within these keys are created.
  • The registry key names correspond to the GUID-like names of the TPL files above, and look like this:
  • The full path to the above keys is – HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Safety\PrivacIE\Lists
  • So, as you can see, 3 registry keys are created with names that correspond to the names of the TPL files.
  • Export the 3 keys to a REG file and, in each key, change the “Path” value to %LOCALAPPDATA%\Microsoft\Internet Explorer\Tracking Protection\nameofTPLfilehere.tpl

GPO Configuration:

  • Create a new GPO
  • Under User Configuration, configure Group Policy Preferences registry items as shown below:
  • For each of the 3 registry keys modify the Path value, so that it looks like this:
  • %<LOCALAPPDATA>%\Microsoft\Internet Explorer\Tracking Protection\nameofTPLfilehere.tpl
  • This makes sure that the Group Policy engine resolves the %LOCALAPPDATA% correctly, and thereby configures the correct path to the TPL file.
  • You will also have to add this registry value:
  • This enables the Tracking Protection filtering feature.

You may have noticed the Tracking Protection Exceptions group I have in the GPO. The Tracking Protection Exceptions list enables you to configure specific URLs where you don’t want Tracking Protection to be active. These might be internal URLs like an intranet site or some other internal web-based application, where Tracking Protection could interfere with the general functionality of the website.

To configure a list of exceptions add this to your GPO:

  • Here, as an example, I have the http://intranet.company.local URL. You may add as many URLs as you want here.

As this GPO configures user settings, it can be applied to both Windows client operating systems and Windows server operating systems. I have tested this specific configuration on Windows 7 and later and on Windows Server 2008 R2 and later, however only with Internet Explorer 11.
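To confirm on a client or session host that the GPO landed correctly for the logged-on user, the list keys and TPL files described above can be audited with a short script. This is an added example, not part of the original post; the `$MasterShare` path is a hypothetical placeholder for wherever you copied the TPL files, and the script assumes the TPL files are also delivered into each user's profile under the same file names.

```powershell
# Added example: audit one user's Tracking Protection list registration.
# $MasterShare is a hypothetical central copy location, not a path from the article.
param([string]$MasterShare = '\\fileserver.example\TPL')

$listsKey = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Safety\PrivacIE\Lists'
$tplDir   = Join-Path $env:LOCALAPPDATA 'Microsoft\Internet Explorer\Tracking Protection'

if (-not (Test-Path -LiteralPath $listsKey)) {
    Write-Warning "No list keys under $listsKey; the GPO has not applied to this user."
    return
}

Get-ChildItem -LiteralPath $listsKey | ForEach-Object {
    # Read "Path" without expansion so an unresolved variable stays visible.
    $opt      = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $raw      = $_.GetValue('Path', $null, $opt)
    $resolved = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }

    # A '%' left after expansion means the variable was stored literally
    # (for example %<LOCALAPPDATA>% that the preference item never resolved).
    $unresolved = [bool]($resolved -and $resolved.Contains('%'))
    $inProfile  = [bool]($resolved -and
        $resolved.StartsWith($tplDir, [StringComparison]::OrdinalIgnoreCase))
    $exists     = [bool]($resolved -and -not $unresolved -and
        (Test-Path -LiteralPath $resolved -PathType Leaf))

    # Compare the profile copy against the master copy when both are readable,
    # so a modified or truncated list in a profile is noticed.
    $matchesMaster = $null
    if ($exists) {
        $master = Join-Path $MasterShare (Split-Path -Leaf $resolved)
        if (Test-Path -LiteralPath $master -PathType Leaf) {
            $matchesMaster = (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash -eq
                             (Get-FileHash -LiteralPath $master -Algorithm SHA256).Hash
        }
    }

    [pscustomobject]@{
        ListKey       = $_.PSChildName
        Path          = $raw
        Unresolved    = $unresolved
        InProfileDir  = $inProfile
        FileExists    = $exists
        MatchesMaster = $matchesMaster   # $null when no master copy was found
    }
}
```

Run it in the user's session; a healthy deployment shows three rows with `Unresolved` false and `InProfileDir` and `FileExists` true.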

This concludes my guide on how to enable and configure Internet Explorer Tracking Protection. Feel free to comment.