Dirk Knop

Controlled upgrade

Preventing the automatic Internet Explorer 7 update

At the start of November, Microsoft intends to distribute Internet Explorer 7 as an automatic, urgent update for Windows XP and Server 2003. Those who want to keep control of the process may prefer to specify the date of the update themselves.

Internet Explorer 7 offers a whole series of improvements over its predecessors – especially with regard to security. However, such changes always give rise to compatibility issues. What happens when, for example, essential intranet applications fail to cope with new quirks?

It is simple to delay the update if an organisation utilises an update server such as WSUS or SMS. The administrator simply declines to release the update, preventing unwanted changes.

But even for computers which download their updates direct from Microsoft servers, it is possible to prevent the update from being installed without deactivating the important automatic update function. Microsoft has made available (following a Windows Genuine Advantage check) a blocking toolkit for administrators, with which they can block the automatic update to IE7 on local and remote computers and on computers in a single domain.

In principle it is simple to turn off automatic installation of IE7 – before installation, Microsoft checks the DoNotAllowIE70 DWORD entry in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0

If the key is not preset or has a value other than 1, IE7 is installed as an urgent update. Before the installation, Windows does, however, ask the user whether or not he wishes to install the update. If DoNotAllowIE70 is set to 1, IE7 will be listed as an optional update only and will not be shovelled onto the computer as an automatic or express update. Naturally you can also generate this key with the DWORD without using the Microsoft toolkit.

The archive containing Microsoft's blocker toolkit includes a script, IE70Blocker.cmd, which creates or removes the registry key on the local or remote computer in the workgroup. If it is called with the switch /B, it blocks the automatic update. The /U switch reverts this status. If manipulation of registry entries is not blocked on computers within the workgroup, it is also possible to enter the name of a machine in the same workgroup in front of the switch in order to set the appropriate registry key remotely.

The archive also includes a template for Group Policies. This enables domain administrators to configure the automatic update to version 7 for particular computers or whole departments with just a few clicks.