The IE Team at Microsoft released Microsoft Internet Explorer 7 for Windows XP with Service Pack 2 today and, as we have all known for quite some time now, Microsoft will distribute it as a high priority update through Automatic Updates and will make it available on the Windows Update website.
What this means
This means that after the Internet Explorer guys build the localized versions and optimize a version for Microsoft Windows Server 2003, you'll get Microsoft Internet Explorer delivered to your (and your customers') desktops and servers without any hassle and in your preferred language. If your customers use Windows XP with Service Pack 2 in the English language, you'll see Internet Explorer 7 touching your desktops soon.
Since this version of Microsoft Internet Explorer delivers better performance, more features and of course a newly designed interface (this sounds almost like a version 2.0 release, doesn't it?) this is good news, right?
As the final version of Internet Explorer 7 is available and a couple of guys got their hands on it we're bound to see a lot of reviews showing us the dark side of Internet Explorer.
You have a choice
If you don't want Microsoft Internet Explorer 7 automatically delivered to your Microsoft Windows XP and Microsoft Windows Server 2003 boxes, or you want to wait a little for Internet Explorer 7.0 with Service Pack 1, or you just don't want your users to go to the Internet anyway, you can choose not to automatically deploy Internet Explorer 7.
Microsoft developed the Toolkit to Disable Automatic Delivery of Internet Explorer 7 for admins who do not want IE7 delivered through Automatic Updates. With this tool you will be able to block the deployment of IE7 through Automatic Updates.
The approaches below to block the deployment through Automatic Updates do not prevent users from manually downloading Microsoft Internet Explorer 7 or even installing it (although being a user instead of a Power User or Administrator might prevent the latter). Use different approaches to tackle this problem.
How not to deploy Internet Explorer 7
How to block Internet Explorer 7 depends on your preferred approach:
Through the Graphical User Interface (GUI)
If you are an administrator of your machine, you will have three options as soon as the Internet Explorer setup is downloaded:
- Install: The installation procedure will start after the Genuine Windows check, and the homepage, favorites and search settings will be kept.
- Do not Install: You will not be asked again to install IE7; however, if you have admin privileges you can always use the optional update to install IE 7 afterwards.
- Ask again later: The installation process will be canceled and Automatic Updates will ask you again after 24 hours.
Through the registry
The script in the Toolkit to Disable Automatic Delivery of Internet Explorer 7 creates a registry key and sets the associated value to block or unblock (depending on the command-line option used) automatic delivery of Internet Explorer 7 on either the local machine or a remote target machine:
- When the key value name is not defined, distribution is not blocked.
- When the key value name is set to 0, distribution is not blocked.
- When the key value name is set to 1, distribution is blocked.
The Toolkit to Disable Automatic Delivery of Internet Explorer 7 comes with ie70blocker.cmd. You can use this handy script to disable the delivery of Internet Explorer 7 through a machine startup script or perhaps a user logon script (in the unlikely case that you allow your users to be local administrators).
The script has the following command-line syntax:
IE70Blocker.cmd [<machine name>] [/B] [/U] [/H]
Using the /H or /? switch will help you further in your scripting quest. Don't worry if you mess up: the script can be run multiple times on the same machine without any problem.
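To check afterwards which machines actually carry the block, the three-state rule above can be read back from the registry. The following is an added example, not part of Microsoft's toolkit: the function name is hypothetical, the key path and value name are parameters because this page does not state them, and it assumes the value lives under HKEY_LOCAL_MACHINE.

```powershell
# Added example (not from the toolkit). Take -KeyPath and -ValueName from the
# toolkit documentation or from ie70blocker.cmd; the HKLM hive is an assumption.
# Hypothetical usage (machines.txt is a constructed file, one host per line):
#   Get-IE7DeliveryBlockState -KeyPath '<key path>' -ValueName '<value name>' `
#       -ComputerName (Get-Content .\machines.txt)
function Get-IE7DeliveryBlockState {
    param(
        [Parameter(Mandatory = $true)][string]$KeyPath,   # path below HKEY_LOCAL_MACHINE
        [Parameter(Mandatory = $true)][string]$ValueName,
        [string[]]$ComputerName = @('localhost')
    )
    foreach ($computer in $ComputerName) {
        $state = 'Unknown'; $raw = $null; $err = $null
        # An empty machine name makes OpenRemoteBaseKey open the local registry.
        $target = if ($computer -in '.', 'localhost', $env:COMPUTERNAME) { '' } else { $computer }
        try {
            # Remote reads need the Remote Registry service and admin rights on the target.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $target)
            try {
                $key = $hklm.OpenSubKey($KeyPath)          # $null when the key is absent
                if ($key) {
                    $raw = $key.GetValue($ValueName, $null)
                    $key.Close()
                }
                # Rule from the toolkit description:
                # not defined -> not blocked, 0 -> not blocked, 1 -> blocked.
                if ($null -eq $raw) { $state = 'NotBlocked (value not defined)' }
                elseif ($raw -eq 1) { $state = 'Blocked' }
                elseif ($raw -eq 0) { $state = 'NotBlocked (value is 0)' }
                else                { $state = 'Unexpected value' }
            }
            finally { $hklm.Close() }
        }
        catch { $err = $_.Exception.Message }   # unreachable host, access denied, ...
        [pscustomobject]@{
            ComputerName = $computer
            State        = $state
            RawValue     = $raw
            Error        = $err
        }
    }
}
```

Machines that report `Unknown` with an error were not read at all, so treat them as unverified rather than as unblocked.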
Through Group Policies
Again, the Toolkit to Disable Automatic Delivery of Internet Explorer 7 comes to your rescue. It contains a custom *.adm file, which all of you know your way around. If not, I suggest you have a little chat with Darren Mar-Elia or other Group Policy gods.
Interesting to note however is that Microsoft introduced a new container within Administrative Templates for the Computer Configuration called "Automatic Updates Blockers" underneath the Windows Update container. We might expect further use for this container…
Through (W)SUS and SMS
The only real option when you don't want your users to gain access to Microsoft Windows Updates without your approval is to use Microsoft Software Update Services (SUS) up to December 6, or to use Microsoft Windows Server Update Services (WSUS) or Systems Manager Services 2003 (SMS) Server.