Hello everyone. Today I'm going to show you how to use AppLocker to block old versions of Internet Explorer from execution. The requirement I had to fulfill was to make sure that Internet Explorer versions below 9 are not able to run. Here is how you can do this:
Open up your Group Policy Management Editor.
Now go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services and look for the service Application Identity. This service is needed to identify your applications. When this service is not running, your Allow and Deny rules will not apply.
Select Automatic to start this service automatically when the system is started.
Next go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker -> Executable Rules.
Now click on Create New Rule…
This will open up a wizard. The first thing you need to do is to choose Deny and leave Everyone filled in the text box (because we want to deny everyone the right to start old Internet Explorer versions).
Next choose Publisher.
Now click on Browse… and go to C:\Program Files\Internet Explorer and choose iexplore.exe. (By the way: you can also go to C:\Program Files (x86)\Internet Explorer and choose iexplore.exe. It does not matter. The rule we are defining will block the 32-bit version as well as the 64-bit version from execution.)
Next check Use custom values and go to File version. Enter 220.127.116.11 into the text box and choose And below.
On the next page you have the choice to add Exceptions if you want to add some. But we will simply add none and click on Next.
Now you can enter a Name and a Description for your Rule.
Now your Rule is finished. If you are asked whether you want to create the Default rules, click on Yes.
If a user with an Internet Explorer version below 9 wants to start it, he/she will receive the following error message:
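To check the result on a client after the GPO has applied, the following added example (not part of the original post) verifies the Application Identity service, the enforcement mode of the Executable Rules collection, and the decision AppLocker makes for iexplore.exe. It assumes an elevated PowerShell session on the client and uses the built-in AppLocker cmdlets; event ID 8004 is the AppLocker "blocked" event.

```powershell
# Added example: verify the Deny rule from the steps above on a client.
# Assumption: elevated PowerShell on a machine that has received the GPO.

# The two install paths mentioned in the post; keep only those that exist.
$iePaths = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe"
) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

if (-not $iePaths) {
    Write-Warning 'iexplore.exe not found in either Program Files folder.'
    return
}

# 1. Application Identity (AppIDSvc) must be running, or no rule is applied.
$svc = Get-Service -Name AppIDSvc
"AppIDSvc status: $($svc.Status)"
if ($svc.Status -ne 'Running') {
    Write-Warning 'Application Identity is not running: Allow and Deny rules will not apply.'
}

# 2. Show the publisher, product, binary name and file version that a
#    Publisher rule is matched against for the locally installed binary.
Get-AppLockerFileInformation -Path $iePaths |
    ForEach-Object { "{0}`n    {1}" -f $_.Path, $_.Publisher }

# 3. Confirm the Exe rule collection is enforced and not audit-only.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
"Exe rule collection enforcement mode: $($exe.EnforcementMode)"

# 4. Ask AppLocker how the effective policy decides for Everyone.
#    Denied is expected only when the installed version falls in the
#    rule's "And below" range.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $iePaths -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. List recent block events (ID 8004) that mention iexplore.exe.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'iexplore\.exe' } |
    Select-Object TimeCreated, Message
```

An enforcement mode of AuditOnly in step 3 means matching launches are only logged, not blocked.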
A user with a higher Internet Explorer version will see no difference at all as you can see:
Well, that's it. Pretty simple, right? This way you can prevent security issues caused by old Internet Explorer versions. I hope my post was useful for you. See you next time.