Security Zones: Do not allow users to change policies

advertisement
Make proxy settings per-machine (rather than per-user)
Applies proxy settings to all users of the same computer.
If you enable this policy, users cannot set user-specific proxy settings. They must use the
zones created for all users of the computer.
If you disable this policy or do not configure it, users of the same computer can establish their
own proxy settings.
This policy is intended to ensure that proxy settings apply uniformly to the same computer
and do not vary from user to user.
Go to GPS
Prevent setting of the code download path for each
machine
This policy setting prevents the setting of the code download path for each machine. The
Internet Component Download service exposes a function that is called by an application to
download, verify, and install code for an OLE component. Using this setting, the user can set
the code download path.
If you enable this policy setting, the user cannot specify the download path for the code. You
must specify the download path.
If you disable or do not configure this policy setting, the user can specify the download path
for the code.
=== Presentation information ===
PathCODEBASE
=== Detailed values: ===
text: Id: Path; ValueName: CodeBaseSearchPath
Go to GPS
Prevent the configuration of cipher strength update
information URLs
This policy setting prevents the configuration of cipher strength update information URLs.
When you log on to secure pages, access cannot be granted unless your Internet browser
connects with a prespecified encryption. To ensure that your browser meets this requirement,
this policy setting allows you to specify the URL to update your browser security setting.
If you enable this policy setting, the user will not be able to configure the cipher strength
update information URL. You must specify the cipher strength update information URL.
If you disable or do not configure this policy setting, the user can configure the cipher
strength update information URL.
=== Presentation information ===
Cipher Strength Update Information
URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=128bit
=== Detailed values: ===
text: Id: HelpAbout128Link; ValueName: IEAKUpdateUrl
Go to GPS
Restrict potentially unsafe HTML Help functions to
specified folders
With this policy, you can restrict certain HTML Help commands to function only in HTML
Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable
these commands on the entire system. It is strongly recommended that only folders requiring
administrative privileges be added to this policy.
The "Shortcut" command is used to add a link to a Help topic, and runs executables that are
external to the Help file. The "WinHelp" command is used to add a link to a Help topic, and
runs a WinHLP32.exe Help (.hlp) file.
When this policy is disabled, or not configured, these commands are fully functional for all
Help files.
When this policy is enabled, the commands will function only for .chm files in the specified
folders and their subfolders.
To restrict the commands to one or more folders, enable the policy and enter the desired
folders in the text box on the settings tab of the Policy Properties dialog box. Use a semicolon
to separate folders. For example, to restrict the commands to only .chm files in the
%windir%\help folder and D:\somefolder, add the following string to the edit box:
"%windir%\help;D:\somefolder".
To disallow the "Shortcut" and "WinHelp" commands on the entire local system, enable the
policy and leave the text box on the settings tab of the Policy Properties dialog box blank.
Note: An environment variable may be used, (for example, %windir%), so long as it is
defined on the system. For example, %programfiles% is not defined on some early versions of
Windows.
Note: Only folders on the local computer can be specified in this policy. You cannot use this
policy to enable the "Shortcut" and "WinHelp" commands for .chm files that are stored on
mapped drives or accessed using UNC paths.
For additional options, see the "Restrict these programs from being launched from Help"
policy.
=== Presentation information ===
Enter folder names separated by semi-colons:
Example: %windir%\Help;%windir%\pchealth;%programfiles%
=== Detailed values: ===
text: Id: HelpQualifiedRootDir_Edit; ValueName: HelpQualifiedRootDir
Go to GPS
Security Zones: Do not allow users to add/delete sites
Prevents users from adding or removing sites from security zones. A security zone is a group
of Web sites with the same security level.
If you enable this policy, the site management settings for security zones are disabled. (To see
the site management settings for security zones, in the Internet Options dialog box, click the
Security tab, and then click the Sites button.)
If you disable this policy or do not configure it, users can add Web sites to or remove sites
from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet
zone.
This policy prevents users from changing site management settings for security zones
established by the administrator.
Note: The "Disable the Security page" policy (located in \User Configuration\Administrative
Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes
the Security tab from the interface, takes precedence over this policy. If it is enabled, this
policy is ignored.
Also, see the "Security zones: Use only machine settings" policy.
Go to GPS
Security Zones: Do not allow users to change policies
Prevents users from changing security zone settings. A security zone is a group of Web sites
with the same security level.
If you enable this policy, the Custom Level button and security-level slider on the Security tab
in the Internet Options dialog box are disabled.
If you disable this policy or do not configure it, users can change the settings for security
zones.
This policy prevents users from changing security zone settings established by the
administrator.
Note: The "Disable the Security page" policy (located in \User Configuration\Administrative
Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes
the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If
it is enabled, this policy is ignored.
Also, see the "Security zones: Use only machine settings" policy.
Go to GPS
Security Zones: Use only machine settings
Applies security zone information to all users of the same computer. A security zone is a
group of Web sites with the same security level.
If you enable this policy, changes that the user makes to a security zone will apply to all users
of that computer.
If you disable this policy or do not configure it, users of the same computer can establish their
own security zone settings.
This policy is intended to ensure that security zone settings apply uniformly to the same
computer and do not vary from user to user.
Also, see the "Security zones: Do not allow users to change policies" policy.
Go to GPS
Turn off changing the URL to be displayed for checking
updates to Internet Explorer and Internet To
This policy setting allows checking for updates for Internet Explorer from the specified URL,
included by default in Internet Explorer.
If you enable this policy setting, users will not be able to change the URL to be displayed for
checking updates to Internet Explorer and Internet Tools. You must specify the URL to be
displayed for checking updates to Internet Explorer and Internet Tools.
If you disable or do not configure this policy setting, users will be able to change the URL to
be displayed for checking updates to Internet Explorer and Internet Tools.
=== Presentation information ===
URL to be displayed for
updates:http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update
=== Detailed values: ===
text: Id: UpdatePage; ValueName: Update_Check_Page
Go to GPS
Turn off configuring the update check interval (in days)
This setting specifies the update check interval. The default value is 30 days.
If you enable this policy setting, the user will not be able to configure the update check
interval. You have to specify the update check interval.
If you disable or do not configure this policy setting, the user will have the freedom to
configure the update check interval.
=== Presentation information ===
Update check interval (in days):
=== Detailed values: ===
decimal: Id: UpdateInterval; ValueName: Update_Check_Interval
Go to GPS
Turn off Data Execution Prevention
This policy setting allows you to turn off the Data Execution Prevention feature for Internet
Explorer on Windows Server 2008, Windows Vista SP1 and Windows XP SP3.
If you enable this policy setting, Internet Explorer will not opt-in to Data Execution
Prevention on platforms that support the SetProcessDEPPolicy API.
If you disable or do not configure this policy, Internet Explorer will use the
SetProcessDEPPolicy API to turn on Data Execution Prevention protection on platforms that
support the API.
This policy has no effect if Windows has been configured to enable Data Execution
Prevention.
Go to GPS
Download