Setting the value of this per-machine system policy to "1" enables nonadministrative users to use a Browse Dialog to locate sources of managed applications. Sources may include media, such as CD-ROM, URLs, and network locations. For more information, see Source Resiliency. The default on Windows Installer is that nonadministrative users cannot browse for new sources of managed applications. The only sources available are those that are already registered in the source list of the product. If this policy is set, a nonadministrative user may browse for new sources of assigned or published applications or applications being installed for all users. Setting AllowLockdownBrowse also enables nonadministrative users to run programs at LocalSystem privileges during an elevated installation.
The default setting is recommended to ensure a secure environment.
Setting this policy also enables nonadministrative users to run arbitrary programs at LocalSystem privileges if they have a Windows Installer package that installs or launches those programs.
DisableBrowse overrides AllowLockdownBrowse and prevents browsing even if AllowLockdownBrowse is set.
For information about the interaction of this policy with installation sources, see Managing Installation Sources.
Build date: 11/16/2013