Table of contents
TOC
Collapse the table of content
Expand the table of content

Policy CSP - ADMX-backed policies

Last Updated: 2/23/2017
Warning

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.

Table of ADMX-backed policies for Windows 10, version 1703.

Important

To navigate the table horizontally, click on the table and then use the left and right scroll keys on your keyboard or use the scroll bar at the bottom of the table.

MDM CSP setting path/nameGP english nameGP english category pathGP nameGP ADMX file name
ActiveXControls/ApprovedInstallationSitesApproved Installation Sites for ActiveX ControlsWindows Components/ActiveX Installer ServiceApprovedActiveXInstallSitesActiveXInstallService.admx
AppVirtualization/AllowAppVClientEnable App-V ClientSystem/App-VEnableAppVappv.admx
AppVirtualization/AllowDynamicVirtualizationEnable Dynamic VirtualizationSystem/App-V/VirtualizationVirtualization_JITVEnableappv.admx
AppVirtualization/AllowPackageCleanupEnable automatic cleanup of unused appv packagesSystem/App-V/Package ManagementPackageManagement_AutoCleanupEnableappv.admx
AppVirtualization/AllowPackageScriptsEnable Package ScriptsSystem/App-V/ScriptingScripting_Enable_Package_Scriptsappv.admx
AppVirtualization/AllowPublishingRefreshUXEnable Publishing Refresh UXSystem/App-V/PublishingEnable_Publishing_Refresh_UXappv.admx
AppVirtualization/AllowReportingServerReporting ServerSystem/App-V/ReportingReporting_Server_Policyappv.admx
AppVirtualization/AllowRoamingFileExclusionsRoaming File ExclusionsSystem/App-V/IntegrationIntegration_Roaming_File_Exclusionsappv.admx
AppVirtualization/AllowRoamingRegistryExclusionsRoaming Registry ExclusionsSystem/App-V/IntegrationIntegration_Roaming_Registry_Exclusionsappv.admx
AppVirtualization/AllowStreamingAutoloadSpecify what to load in background (aka AutoLoad)System/App-V/StreamingSteaming_Autoloadappv.admx
AppVirtualization/ClientCoexistenceAllowMigrationmodeEnable Migration ModeSystem/App-V/Client CoexistenceClient_Coexistence_Enable_Migration_modeappv.admx
AppVirtualization/IntegrationAllowRootGlobalIntegration Root UserSystem/App-V/IntegrationIntegration_Root_Userappv.admx
AppVirtualization/IntegrationAllowRootUserIntegration Root GlobalSystem/App-V/IntegrationIntegration_Root_Globalappv.admx
AppVirtualization/PublishingAllowServer1Publishing Server 1 SettingsSystem/App-V/PublishingPublishing_Server1_Policyappv.admx
AppVirtualization/PublishingAllowServer2Publishing Server 2 SettingsSystem/App-V/PublishingPublishing_Server2_Policyappv.admx
AppVirtualization/PublishingAllowServer3Publishing Server 3 SettingsSystem/App-V/PublishingPublishing_Server3_Policyappv.admx
AppVirtualization/PublishingAllowServer4Publishing Server 4 SettingsSystem/App-V/PublishingPublishing_Server4_Policyappv.admx
AppVirtualization/PublishingAllowServer5Publishing Server 5 SettingsSystem/App-V/PublishingPublishing_Server5_Policyappv.admx
AppVirtualization/StreamingAllowCertificateFilterForClient_SSLCertificate Filter For Client SSLSystem/App-V/StreamingStreaming_Certificate_Filter_For_Client_SSLappv.admx
AppVirtualization/StreamingAllowHighCostLaunchAllow First Time Application Launches if on a High Cost Windows 8 Metered ConnectionSystem/App-V/StreamingStreaming_Allow_High_Cost_Launchappv.admx
AppVirtualization/StreamingAllowLocationProviderLocation ProviderSystem/App-V/StreamingStreaming_Location_Providerappv.admx
AppVirtualization/StreamingAllowPackageInstallationRootPackage Installation RootSystem/App-V/StreamingStreaming_Package_Installation_Rootappv.admx
AppVirtualization/StreamingAllowPackageSourceRootPackage Source RootSystem/App-V/StreamingStreaming_Package_Source_Rootappv.admx
AppVirtualization/StreamingAllowReestablishmentIntervalReestablishment IntervalSystem/App-V/StreamingStreaming_Reestablishment_Intervalappv.admx
AppVirtualization/StreamingAllowReestablishmentRetriesReestablishment RetriesSystem/App-V/StreamingStreaming_Reestablishment_Retriesappv.admx
AppVirtualization/StreamingSharedContentStoreModeShared Content Store (SCS) modeSystem/App-V/StreamingStreaming_Shared_Content_Store_Modeappv.admx
AppVirtualization/StreamingSupportBranchCacheEnable Support for BranchCacheSystem/App-V/StreamingStreaming_Support_Branch_Cacheappv.admx
AppVirtualization/StreamingVerifyCertificateRevocationListVerify certificate revocation listSystem/App-V/StreamingStreaming_Verify_Certificate_Revocation_Listappv.admx
AppVirtualization/VirtualComponentsAllowListVirtual Component Process Allow ListSystem/App-V/VirtualizationVirtualization_JITVAllowListappv.admx
AttachmentManager/DoNotPreserveZoneInformationDo not preserve zone information in file attachmentsWindows Components/Attachment ManagerAM_MarkZoneOnSavedAtttachmentsAttachmentManager.admx
AttachmentManager/HideZoneInfoMechanismHide mechanisms to remove zone informationWindows Components/Attachment ManagerAM_RemoveZoneInfoAttachmentManager.admx
AttachmentManager/NotifyAntivirusProgramsNotify antivirus programs when opening attachmentsWindows Components/Attachment ManagerAM_CallIOfficeAntiVirusAttachmentManager.admx
Autoplay/DisallowAutoplayForNonVolumeDevicesDisallow Autoplay for non-volume devicesWindows Components/AutoPlay PoliciesNoAutoplayfornonVolumeAutoPlay.admx
Autoplay/SetDefaultAutoRunBehaviorSet the default behavior for AutoRunWindows Components/AutoPlay PoliciesNoAutorunAutoPlay.admx
Autoplay/TurnOffAutoPlayTurn off AutoplayWindows Components/AutoPlay PoliciesAutorunAutoPlay.admx
BitLocker/BitEncryptionMethodByDriveTypeChoose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)Windows Components/BitLocker Drive EncryptionEncryptionMethodWithXts_NameVolumeEncryption.admx
BitLocker/FixedDrivesRecoveryOptionsChoose how BitLocker-protected fixed drives can be recoveredWindows Components/BitLocker Drive Encryption/Fixed Data DrivesFDVRecoveryUsage_NameVolumeEncryption.admx
BitLocker/FixedDrivesRequireEncryptionDeny write access to fixed drives not protected by BitLockerWindows Components/BitLocker Drive Encryption/Fixed Data DrivesFDVDenyWriteAccess_NameVolumeEncryption.admx
BitLocker/RemovableDrivesRequireEncryptionDeny write access to removable drives not protected by BitLockerWindows Components/BitLocker Drive Encryption/Removable Data DrivesRDVDenyWriteAccess_NameVolumeEncryption.admx
BitLocker/SystemDrivesMinimumPINLengthConfigure minimum PIN length for startupWindows Components/BitLocker Drive Encryption/Operating System DrivesMinimumPINLength_NameVolumeEncryption.admx
BitLocker/SystemDrivesRecoveryMessageConfigure pre-boot recovery message and URLWindows Components/BitLocker Drive Encryption/Operating System DrivesPrebootRecoveryInfo_NameVolumeEncryption.admx
BitLocker/SystemDrivesRecoveryOptionsChoose how BitLocker-protected operating system drives can be recoveredWindows Components/BitLocker Drive Encryption/Operating System DrivesOSRecoveryUsage_NameVolumeEncryption.admx
BitLocker/SystemDrivesRequireStartupAuthenticationRequire additional authentication at startupWindows Components/BitLocker Drive Encryption/Operating System DrivesConfigureAdvancedStartup_NameVolumeEncryption.admx
Connectivity/HardenedUNCPathsHardened UNC PathsNetwork/Network ProviderPol_HardenedPathsNetworkProvider.admx
CredentialProviders/AllowPINLogonTurn on convenience PIN sign-inSystem/LogonAllowDomainPINLogonCredentialProviders.admx
CredentialProviders/BlockPicturePasswordTurn off picture password sign-inSystem/LogonBlockDomainPicturePasswordCredentialProviders.admx
CredentialsUI/DisablePasswordRevealDo not display the password reveal buttonWindows Components/Credential User InterfaceDisablePasswordRevealCredUI.admx
CredentialsUI/EnumerateAdministratorsEnumerate administrator accounts on elevationWindows Components/Credential User InterfaceEnumerateAdministratorsCredUI.admx
DataUsage/SetCost3GSet 3G CostNetwork/WWAN Service/WWAN Media CostSetCost3Gwwansvc.admx
DataUsage/SetCost4GSet 4G CostNetwork/WWAN Service/WWAN Media CostSetCost4Gwwansvc.admx
Desktop/PreventUserRedirectionOfProfileFoldersProhibit User from manually redirecting Profile FoldersDesktopDisablePersonalDirChangedesktop.admx
DeviceInstallation/PreventInstallationOfMatchingDeviceIDsPrevent installation of devices that match any of these device IDsSystem/Device Installation/Device Installation RestrictionsDeviceInstall_IDs_DenyDeviceInstallation.admx
DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClassesPrevent installation of devices using drivers that match these device setup classesSystem/Device Installation/Device Installation RestrictionsDeviceInstall_Classes_DenyDeviceInstallation.admx
DeviceLock/PreventLockScreenSlideShowPrevent enabling lock screen slide showControl Panel/PersonalizationCPL_Personalization_NoLockScreenSlideshowControlPanelDisplay.admx
ErrorReporting/CustomizeConsentSettingsCustomize consent settingsWindows Components/Windows Error Reporting/ConsentWerConsentCustomize_2ErrorReporting.admx
ErrorReporting/DisableWindowsErrorReportingDisable Windows Error ReportingWindows Components/Windows Error ReportingWerDisable_2ErrorReporting.admx
ErrorReporting/DisplayErrorNotificationDisplay Error NotificationWindows Components/Windows Error ReportingPCH_ShowUIErrorReporting.admx
ErrorReporting/DoNotSendAdditionalDataDo not send additional dataWindows Components/Windows Error ReportingWerNoSecondLevelData_2ErrorReporting.admx
ErrorReporting/PreventCriticalErrorDisplayPrevent display of the user interface for critical errorsWindows Components/Windows Error ReportingWerDoNotShowUIErrorReporting.admx
EventLogService/ControlEventLogBehaviorControl Event Log behavior when the log file reaches its maximum sizeWindows Components/Event Log Service/ApplicationChannel_Log_Retention_1EventLog.admx
EventLogService/SpecifyMaximumFileSizeApplicationLogSpecify the maximum log file size (KB)Windows Components/Event Log Service/ApplicationChannel_LogMaxSize_1EventLog.admx
EventLogService/SpecifyMaximumFileSizeSecurityLogSpecify the maximum log file size (KB)Windows Components/Event Log Service/SecurityChannel_LogMaxSize_2EventLog.admx
EventLogService/SpecifyMaximumFileSizeSystemLogSpecify the maximum log file size (KB)Windows Components/Event Log Service/SystemChannel_LogMaxSize_4EventLog.admx
InternetExplorer/AddSearchProviderAdd a specific list of search providers to the user's list of search providersWindows Components/Internet ExplorerAddSearchProviderinetres.admx
InternetExplorer/AllowActiveXFilteringTurn on ActiveX FilteringWindows Components/Internet ExplorerTurnOnActiveXFilteringinetres.admx
InternetExplorer/AllowAddOnListAdd-on ListWindows Components/Internet Explorer/Security Features/Add-on ManagementAddonManagement_AddOnListinetres.admx
InternetExplorer/AllowEnhancedProtectedModeTurn on Enhanced Protected ModeWindows Components/Internet Explorer/Internet Control Panel/Advanced PageAdvanced_EnableEnhancedProtectedModeinetres.admx
InternetExplorer/AllowEnterpriseModeFromToolsMenuLet users turn on and use Enterprise Mode from the Tools menuWindows Components/Internet ExplorerEnterpriseModeEnableinetres.admx
InternetExplorer/AllowEnterpriseModeSiteListUse the Enterprise Mode IE website listWindows Components/Internet ExplorerEnterpriseModeSiteListinetres.admx
InternetExplorer/AllowInternetExplorer7PolicyListUse Policy List of Internet Explorer 7 sitesWindows Components/Internet Explorer/Compatibility ViewCompatView_UsePolicyListinetres.admx
InternetExplorer/AllowInternetExplorerStandardsModeTurn on Internet Explorer Standards Mode for local intranetWindows Components/Internet Explorer/Compatibility ViewCompatView_IntranetSitesinetres.admx
InternetExplorer/AllowInternetZoneTemplateInternet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyInternetZoneTemplateinetres.admx
InternetExplorer/AllowIntranetZoneTemplateIntranet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyIntranetZoneTemplateinetres.admx
InternetExplorer/AllowLocalMachineZoneTemplateLocal Machine Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyLocalMachineZoneTemplateinetres.admx
InternetExplorer/AllowLockedDownInternetZoneTemplateLocked-Down Internet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyInternetZoneLockdownTemplateinetres.admx
InternetExplorer/AllowLockedDownIntranetZoneTemplateLocked-Down Intranet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyIntranetZoneLockdownTemplateinetres.admx
InternetExplorer/AllowLockedDownLocalMachineZoneTemplateLocked-Down Local Machine Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyLocalMachineZoneLockdownTemplateinetres.admx
InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplateLocked-Down Restricted Sites Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyRestrictedSitesZoneLockdownTemplateinetres.admx
InternetExplorer/AllowOneWordEntryGo to an intranet site for a one-word entry in the Address barWindows Components/Internet Explorer/Internet Settings/Advanced settings/BrowsingUseIntranetSiteForOneWordEntryinetres.admx
InternetExplorer/AllowSiteToZoneAssignmentListSite to Zone Assignment ListWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_Zonemapsinetres.admx
InternetExplorer/AllowSuggestedSitesTurn on Suggested SitesWindows Components/Internet ExplorerEnableSuggestedSitesinetres.admx
InternetExplorer/AllowTrustedSitesZoneTemplateTrusted Sites Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyTrustedSitesZoneTemplateinetres.admx
InternetExplorer/AllowsLockedDownTrustedSiteZoneTemplateLocked-Down Trusted Sites Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyTrustedSitesZoneLockdownTemplateinetres.admx
InternetExplorer/AllowsRestrictedSitesZoneTemplateRestricted Sites Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyRestrictedSitesZoneTemplateinetres.admx
InternetExplorer/DisableAdobeFlashTurn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objectsWindows Components/Internet Explorer/Security Features/Add-on ManagementDisableFlashInIEinetres.admx
InternetExplorer/DisableBypassOfSmartScreenWarningsPrevent bypassing SmartScreen Filter warningsWindows Components/Internet ExplorerDisableSafetyFilterOverrideinetres.admx
InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFilesPrevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the InternetWindows Components/Internet ExplorerDisableSafetyFilterOverrideForAppRepUnknowninetres.admx
InternetExplorer/DisableCustomerExperienceImprovementProgramParticipationPrevent participation in the Customer Experience Improvement ProgramWindows Components/Internet ExplorerSQM_DisableCEIPinetres.admx
InternetExplorer/DisableEnclosureDownloadingPrevent downloading of enclosuresWindows Components/RSS FeedsDisable_Downloading_of_Enclosuresinetres.admx
InternetExplorer/DisableEncryptionSupportTurn off encryption supportWindows Components/Internet Explorer/Internet Control Panel/Advanced PageAdvanced_SetWinInetProtocolsinetres.admx
InternetExplorer/DisableFirstRunWizardPrevent running First Run wizardWindows Components/Internet ExplorerNoFirstRunCustomiseinetres.admx
InternetExplorer/DisableFlipAheadFeatureTurn off the flip ahead with page prediction featureWindows Components/Internet Explorer/Internet Control Panel/Advanced PageAdvanced_DisableFlipAheadinetres.admx
InternetExplorer/DisableHomePageChangeDisable changing home page settingsWindows Components/Internet ExplorerRestrictHomePageinetres.admx
InternetExplorer/DisableProxyChangePrevent changing proxy settingsWindows Components/Internet ExplorerRestrictProxyinetres.admx
InternetExplorer/DisableSearchProviderChangePrevent changing the default search providerWindows Components/Internet ExplorerNoSearchProviderinetres.admx
InternetExplorer/DisableSecondaryHomePageChangeDisable changing secondary home page settingsWindows Components/Internet ExplorerSecondaryHomePagesinetres.admx
InternetExplorer/DisableUpdateCheckDisable Periodic Check for Internet Explorer software updatesWindows Components/Internet ExplorerNoUpdateCheckinetres.admx
InternetExplorer/DoNotAllowUsersToAddSitesSecurity Zones: Do not allow users to add/delete sitesWindows Components/Internet ExplorerSecurity_zones_map_editinetres.admx
InternetExplorer/DoNotAllowUsersToChangePoliciesSecurity Zones: Do not allow users to change policiesWindows Components/Internet ExplorerSecurity_options_editinetres.admx
InternetExplorer/DoNotBlockOutdatedActiveXControlsTurn off blocking of outdated ActiveX controls for Internet ExplorerWindows Components/Internet Explorer/Security Features/Add-on ManagementVerMgmtDisableinetres.admx
InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomainsTurn off blocking of outdated ActiveX controls for Internet Explorer on specific domainsWindows Components/Internet Explorer/Security Features/Add-on ManagementVerMgmtDomainAllowlistinetres.admx
InternetExplorer/IncludeAllLocalSitesIntranet Sites: Include all local (intranet) sites not listed in other zonesWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_IncludeUnspecifiedLocalSitesinetres.admx
InternetExplorer/IncludeAllNetworkPathsIntranet Sites: Include all network paths (UNCs)Windows Components/Internet Explorer/Internet Control Panel/Security PageIZ_UNCAsIntranetinetres.admx
InternetExplorer/InternetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_1inetres.admx
InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyNotificationBarActiveXURLaction_1inetres.admx
InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyNotificationBarDownloadURLaction_1inetres.admx
InternetExplorer/InternetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyFontDownload_1inetres.admx
InternetExplorer/InternetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyZoneElevationURLaction_1inetres.admx
InternetExplorer/InternetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_1inetres.admx
InternetExplorer/InternetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_Policy_AllowScriptlets_1inetres.admx
InternetExplorer/InternetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_Policy_Phishing_1inetres.admx
InternetExplorer/InternetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyUserdataPersistence_1inetres.admx
InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_1inetres.admx
InternetExplorer/InternetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyNavigateSubframesAcrossDomains_1inetres.admx
InternetExplorer/IntranetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_3inetres.admx
InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyNotificationBarActiveXURLaction_3inetres.admx
InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyNotificationBarDownloadURLaction_3inetres.admx
InternetExplorer/IntranetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyFontDownload_3inetres.admx
InternetExplorer/IntranetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyZoneElevationURLaction_3inetres.admx
InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_3inetres.admx
InternetExplorer/IntranetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_Policy_AllowScriptlets_3inetres.admx
InternetExplorer/IntranetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_Policy_Phishing_3inetres.admx
InternetExplorer/IntranetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyUserdataPersistence_3inetres.admx
InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_3inetres.admx
InternetExplorer/IntranetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyNavigateSubframesAcrossDomains_3inetres.admx
InternetExplorer/LocalMachineZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyAccessDataSourcesAcrossDomains_9inetres.admx
InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyNotificationBarActiveXURLaction_9inetres.admx
InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyNotificationBarDownloadURLaction_9inetres.admx
InternetExplorer/LocalMachineZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyFontDownload_9inetres.admx
InternetExplorer/LocalMachineZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyZoneElevationURLaction_9inetres.admx
InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_9inetres.admx
InternetExplorer/LocalMachineZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_Policy_AllowScriptlets_9inetres.admx
InternetExplorer/LocalMachineZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_Policy_Phishing_9inetres.admx
InternetExplorer/LocalMachineZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyUserdataPersistence_9inetres.admx
InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyScriptActiveXNotMarkedSafe_9inetres.admx
InternetExplorer/LocalMachineZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyNavigateSubframesAcrossDomains_9inetres.admx
InternetExplorer/LockedDownInternetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyNotificationBarActiveXURLaction_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyNotificationBarDownloadURLaction_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyFontDownload_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyZoneElevationURLaction_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_Policy_AllowScriptlets_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_Policy_Phishing_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyUserdataPersistence_2inetres.admx
InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_2inetres.admx
InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyNavigateSubframesAcrossDomains_2inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyNotificationBarActiveXURLaction_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyNotificationBarDownloadURLaction_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyFontDownload_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyZoneElevationURLaction_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_Policy_AllowScriptlets_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_Policy_Phishing_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyUserdataPersistence_4inetres.admx
InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_4inetres.admx
InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyNavigateSubframesAcrossDomains_4inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyAccessDataSourcesAcrossDomains_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyNotificationBarActiveXURLaction_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyNotificationBarDownloadURLaction_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyFontDownload_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyZoneElevationURLaction_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_Policy_AllowScriptlets_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_Policy_Phishing_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyUserdataPersistence_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyScriptActiveXNotMarkedSafe_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyNavigateSubframesAcrossDomains_10inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyFontDownload_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyZoneElevationURLaction_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_Policy_AllowScriptlets_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_Policy_Phishing_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyUserdataPersistence_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_8inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyFontDownload_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyZoneElevationURLaction_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_Policy_AllowScriptlets_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_Policy_Phishing_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyUserdataPersistence_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_6inetres.admx
InternetExplorer/RestrictedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyFontDownload_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyZoneElevationURLaction_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_Policy_AllowScriptlets_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_Policy_Phishing_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyUserdataPersistence_7inetres.admx
InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_7inetres.admx
InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_7inetres.admx
InternetExplorer/SearchProviderListRestrict search providers to a specific listWindows Components/Internet ExplorerSpecificSearchProviderinetres.admx
InternetExplorer/TrustedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyFontDownload_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyZoneElevationURLaction_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_Policy_AllowScriptlets_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_Policy_Phishing_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyUserdataPersistence_5inetres.admx
InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_5inetres.admx
InternetExplorer/TrustedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_5inetres.admx
Kerberos/AllowForestSearchFolderUse forest search orderSystem/KerberosForestSearchKerberos.admx
Kerberos/KerberosClientSupportsClaimsCompoundArmorKerberos client support for claims, compound authentication and Kerberos armoringSystem/KerberosEnableCbacAndArmorKerberos.admx
Kerberos/RequireKerberosArmoringFail authentication requests when Kerberos armoring is not availableSystem/KerberosClientRequireFastKerberos.admx
Kerberos/RequireStrictKDCValidationRequire strict KDC validationSystem/KerberosValidateKDCKerberos.admx
Kerberos/SetMaximumContextTokenSizeSet maximum Kerberos SSPI context token buffer sizeSystem/KerberosMaxTokenSizeKerberos.admx
Power/AllowStandbyWhenSleepingPluggedInAllow standby states (S1-S3) when sleeping (plugged in)System/Power Management/Sleep SettingsAllowStandbyStatesAC_2Power.admx
Power/RequirePasswordWhenComputerWakesOnBatteryRequire a password when a computer wakes (on battery)System/Power Management/Sleep SettingsDCPromptForPasswordOnResume_2Power.admx
Power/RequirePasswordWhenComputerWakesPluggedInRequire a password when a computer wakes (plugged in)System/Power Management/Sleep SettingsACPromptForPasswordOnResume_2Power.admx
Printers/PointAndPrintRestrictionsPoint and Print RestrictionsControl Panel/PrintersPointAndPrint_RestrictionsPrinting.admx
Printers/PointAndPrintRestrictionsPoint and Print RestrictionsPrintersPointAndPrint_Restrictions_Win7Printing.admx
Printers/PublishPrintersAllow printers to be publishedPrintersPublishPrintersPrinting2.admx
RemoteAssistance/CustomizeWarningMessagesCustomize warning messagesSystem/Remote AssistanceRA_OptionsRemoteAssistance.admx
RemoteAssistance/SessionLoggingTurn on session loggingSystem/Remote AssistanceRA_LoggingRemoteAssistance.admx
RemoteAssistance/SolicitedRemoteAssistanceConfigure Solicited Remote AssistanceSystem/Remote AssistanceRA_SolicitRemoteAssistance.admx
RemoteAssistance/UnsolicitedRemoteAssitanceConfigure Offer Remote AssistanceSystem/Remote AssistanceRA_UnsolicitRemoteAssistance.admx
RemoteDesktopServices/AllowUsersToConnectRemotelyAllow users to connect remotely by using Remote Desktop ServicesWindows Components/Remote Desktop Services/Remote Desktop Session Host/ConnectionsTS_DISABLE_CONNECTIONSTerminalServer.admx
RemoteDesktopServices/ClientConnectionEncryptionLevelSet client connection encryption levelWindows Components/Remote Desktop Services/Remote Desktop Session Host/SecurityTS_ENCRYPTION_POLICYTerminalServer.admx
RemoteDesktopServices/DoNotAllowDriveRedirectionDo not allow drive redirectionWindows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource RedirectionTS_CLIENT_DRIVE_MTerminalServer.admx
RemoteDesktopServices/DoNotAllowPasswordSavingDo not allow passwords to be savedWindows Components/Remote Desktop Services/Remote Desktop Connection ClientTS_CLIENT_DISABLE_PASSWORD_SAVING_2TerminalServer.admx
RemoteDesktopServices/PromptForPasswordUponConnectionAlways prompt for password upon connectionWindows Components/Remote Desktop Services/Remote Desktop Session Host/SecurityTS_PASSWORDTerminalServer.admx
RemoteDesktopServices/RequireSecureRPCCommunicationRequire secure RPC communicationWindows Components/Remote Desktop Services/Remote Desktop Session Host/SecurityTS_RPC_ENCRYPTIONTerminalServer.admx
RemoteProcedureCall/RPCEndpointMapperClientAuthenticationEnable RPC Endpoint Mapper Client AuthenticationSystem/Remote Procedure CallRpcEnableAuthEpResolutionRPC.admx
RemoteProcedureCall/RestrictUnauthenticatedRPCClientsRestrict Unauthenticated RPC clientsSystem/Remote Procedure CallRpcRestrictRemoteClientsRPC.admx
Storage/EnhancedStorageDevicesDo not allow Windows to activate Enhanced Storage devicesSystem/Enhanced Storage AccessTCGSecurityActivationDisabledEnhancedStorage.admx
System/BootStartDriverInitializationBoot-Start Driver Initialization PolicySystem/Early Launch AntimalwarePOL_DriverLoadPolicy_NameEarlyLaunchAM.admx
System/DisableSystemRestoreTurn off System RestoreSystem/System RestoreSR_DisableSRSystemRestore.admx
WindowsLogon/DisableLockScreenAppNotificationsTurn off app notifications on the lock screenSystem/LogonDisableLockScreenAppNotificationsLogon.admx
WindowsLogon/DontDisplayNetworkSelectionUIDo not display network selection UISystem/LogonDontDisplayNetworkSelectionUILogon.admx

List of <AreaName>/<PolicyName>

ActiveXControls/ApprovedInstallationSites

This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.

If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.

If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.

Note: Wild card characters cannot be used when specifying the host URLs.

AppVirtualization/AllowAppVClient

This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.

AppVirtualization/AllowDynamicVirtualization

Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.

AppVirtualization/AllowPackageScripts

Enables scripts defined in the package manifest of configuration files that should run.

AppVirtualization/AllowPublishingRefreshUX

Enables a UX to display to the user when a publishing refresh is performed on the client.

AppVirtualization/AllowReportingServer

Reporting Server URL: Displays the URL of reporting server.

Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM.

Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load.

Repeat reporting for every (days): The periodical interval in days for sending the reporting data.

Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again.

Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections.

AppVirtualization/AllowRoamingFileExclusions

Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.

AppVirtualization/AllowRoamingRegistryExclusions

Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.

AppVirtualization/AllowStreamingAutoload

Specifies how new packages should be loaded automatically by App-V on a specific computer.

AppVirtualization/ClientCoexistenceAllowMigrationmode

Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.

AppVirtualization/IntegrationAllowRootGlobal

Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.

AppVirtualization/IntegrationAllowRootUser

Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.

AppVirtualization/PublishingAllowServer1

Publishing Server Display Name: Displays the name of publishing server.

Publishing Server URL: Displays the URL of publishing server.

Global Publishing Refresh: Enables global publishing refresh (Boolean).

Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).

Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.

Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).

User Publishing Refresh: Enables user publishing refresh (Boolean).

User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).

User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.

User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).

AppVirtualization/PublishingAllowServer2

Publishing Server Display Name: Displays the name of publishing server.

Publishing Server URL: Displays the URL of publishing server.

Global Publishing Refresh: Enables global publishing refresh (Boolean).

Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).

Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.

Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).

User Publishing Refresh: Enables user publishing refresh (Boolean).

User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).

User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.

User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).

AppVirtualization/PublishingAllowServer3

Publishing Server Display Name: Displays the name of publishing server.

Publishing Server URL: Displays the URL of publishing server.

Global Publishing Refresh: Enables global publishing refresh (Boolean).

Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).

Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.

Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).

User Publishing Refresh: Enables user publishing refresh (Boolean).

User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).

User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.

User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).

AppVirtualization/PublishingAllowServer4

Publishing Server Display Name: Displays the name of publishing server.

Publishing Server URL: Displays the URL of publishing server.

Global Publishing Refresh: Enables global publishing refresh (Boolean).

Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).

Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.

Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).

User Publishing Refresh: Enables user publishing refresh (Boolean).

User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).

User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.

User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).

AppVirtualization/PublishingAllowServer5

Publishing Server Display Name: Displays the name of publishing server.

Publishing Server URL: Displays the URL of publishing server.

Global Publishing Refresh: Enables global publishing refresh (Boolean).

Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).

Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.

Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).

User Publishing Refresh: Enables user publishing refresh (Boolean).

User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).

User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.

User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).

AppVirtualization/StreamingAllowCertificateFilterForClient_SSL

Specifies the path to a valid certificate in the certificate store.

AppVirtualization/StreamingAllowHighCostLaunch

This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).

AppVirtualization/StreamingAllowLocationProvider

Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.

AppVirtualization/StreamingAllowPackageInstallationRoot

Specifies directory where all new applications and updates will be installed.

AppVirtualization/StreamingAllowPackageSourceRoot

Overrides source location for downloading package content.

AppVirtualization/StreamingAllowReestablishmentInterval

Specifies the number of seconds between attempts to reestablish a dropped session.

AppVirtualization/StreamingAllowReestablishmentRetries

Specifies the number of times to retry a dropped session.

AppVirtualization/StreamingSharedContentStoreMode

Specifies that streamed package contents will be not be saved to the local hard disk.

AppVirtualization/StreamingSupportBranchCache

If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache

AppVirtualization/StreamingVerifyCertificateRevocationList

Verifies Server certificate revocation status before streaming using HTTPS.

AppVirtualization/VirtualComponentsAllowList

Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.

AttachmentManager/DoNotPreserveZoneInformation

This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.

If you enable this policy setting, Windows does not mark file attachments with their zone information.

If you disable this policy setting, Windows marks file attachments with their zone information.

If you do not configure this policy setting, Windows marks file attachments with their zone information.

AttachmentManager/HideZoneInfoMechanism

This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.

If you enable this policy setting, Windows hides the check box and Unblock button.

If you disable this policy setting, Windows shows the check box and Unblock button.

If you do not configure this policy setting, Windows hides the check box and Unblock button.

AttachmentManager/NotifyAntivirusPrograms

This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.

If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.

If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.

If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.

Autoplay/DisallowAutoplayForNonVolumeDevices

This policy setting disallows AutoPlay for MTP devices like cameras or phones.

If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.

If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.

Autoplay/SetDefaultAutoRunBehavior

This policy setting sets the default behavior for Autorun commands.

Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.

Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention.

This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog.

If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to:

a) Completely disable autorun commands, or

b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command.

If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.

Autoplay/TurnOffAutoPlay

This policy setting allows you to turn off the Autoplay feature.

Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.

Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.

Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices.

If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.

This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.

If you disable or do not configure this policy setting, AutoPlay is enabled.

Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.

BitLocker/BitEncryptionMethodByDriveType

This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511).

If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)" and "Choose drive encryption method and cipher strength" policy settings (in that order), if they are set. If none of the policies are set, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the setup script.

BitLocker/FixedDrivesRecoveryOptions

This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.

The "Allow data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS.

Select the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.

If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS

BitLocker/FixedDrivesRequireEncryption

This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.

If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.

BitLocker/RemovableDrivesRequireEncryption

This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting.

If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.

Note: This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled this policy setting will be ignored.

BitLocker/SystemDrivesMinimumPINLength

This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.

If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.

If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits.

BitLocker/SystemDrivesRecoveryMessage

This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.

If you select the "Use default recovery message and URL" option, the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and select the "Use default recovery message and URL" option.

If you select the "Use custom recovery message" option, the message you type in the "Custom recovery message option" text box will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.

If you select the "Use custom recovery URL" option, the URL you type in the "Custom recovery URL option" text box will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.

Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.

BitLocker/SystemDrivesRecoveryOptions

This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.

The "Allow certificate-based data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

In "Save BitLocker recovery information to Active Directory Domain Services", choose which BitLocker recovery information to store in AD DS for operating system drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS.

Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.

If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

BitLocker/SystemDrivesRequireStartupAuthentication

This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.

If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both.

If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.

If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.

Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.

Connectivity/HardenedUNCPaths

This policy setting configures secure access to UNC paths.

If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.

CredentialProviders/AllowPINLogon

This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Windows Hello PIN, which has stronger security properties. To configure Windows Hello for Business, use the policies under Computer configuration\Administrative Templates\Windows Components\Windows Hello for Business.

If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.

If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.

Note that the user's domain password will be cached in the system vault when using this feature.

CredentialProviders/BlockPicturePassword

This policy setting allows you to control whether a domain user can sign in using a picture password.

If you enable this policy setting, a domain user can't set up or sign in with a picture password.

If you disable or don't configure this policy setting, a domain user can set up and use a picture password.

Note that the user's domain password will be cached in the system vault when using this feature.

CredentialsUI/DisablePasswordReveal

This policy setting allows you to configure the display of the password reveal button in password entry user experiences.

If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.

If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.

By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.

The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.

CredentialsUI/EnumerateAdministrators

This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.

If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.

If you disable this policy setting, users will always be required to type a user name and password to elevate.

DataUsage/SetCost3G

This policy setting configures the cost of 3G connections on the local machine.

If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:

- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.

- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.

- Variable: This connection is costed on a per byte basis.

If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.

DataUsage/SetCost4G

This policy setting configures the cost of 4G connections on the local machine.

If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:

- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.

- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.

- Variable: This connection is costed on a per byte basis.

If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default.

Desktop/PreventUserRedirectionOfProfileFolders

Prevents users from changing the path to their profile folders.

By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box.

If you enable this setting, users are unable to type a new location in the Target box.

DeviceInstallation/PreventInstallationOfMatchingDeviceIDs

This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.

DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses

This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.

DeviceLock/PreventLockScreenSlideShow

Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.

By default, users can enable a slide show that will run after they lock the machine.

If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start.

ErrorReporting/CustomizeConsentSettings

This policy setting determines the consent behavior of Windows Error Reporting for specific event types.

If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.

- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.

- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.

- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.

- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.

- 4 (Send all data): Any data requested by Microsoft is sent automatically.

If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.

ErrorReporting/DisableWindowsErrorReporting

This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.

If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.

If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.

ErrorReporting/DisplayErrorNotification

This policy setting controls whether users are shown an error dialog box that lets them report an error.

If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.

If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users.

If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.

See also the Configure Error Reporting policy setting.

ErrorReporting/DoNotSendAdditionalData

This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.

If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.

If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.

ErrorReporting/PreventCriticalErrorDisplay

This policy setting prevents the display of the user interface for critical errors.

If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.

If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.

EventLogService/ControlEventLogBehavior

This policy setting controls Event Log behavior when the log file reaches its maximum size.

If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.

If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.

Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.

EventLogService/SpecifyMaximumFileSizeApplicationLog

This policy setting specifies the maximum size of the log file in kilobytes.

If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.

If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.

EventLogService/SpecifyMaximumFileSizeSecurityLog

This policy setting specifies the maximum size of the log file in kilobytes.

If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.

If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.

EventLogService/SpecifyMaximumFileSizeSystemLog

This policy setting specifies the maximum size of the log file in kilobytes.

If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.

If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.

InternetExplorer/AddSearchProvider

This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.

If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.

InternetExplorer/AllowActiveXFiltering

This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.

If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions.

If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.

InternetExplorer/AllowAddOnList

This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.

This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.

If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:

Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.

Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.

If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.

InternetExplorer/AllowEnhancedProtectedMode

Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.

If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.

If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.

InternetExplorer/AllowEnterpriseModeFromToolsMenu

This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.

If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.

If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.

InternetExplorer/AllowEnterpriseModeSiteList

This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.

If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.

If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.

InternetExplorer/AllowInternetExplorer7PolicyList

This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.

If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify.

If you disable or do not configure this policy setting, the user can add and remove sites from the list.

InternetExplorer/AllowInternetExplorerStandardsMode

This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.

If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.

If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.

If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.

InternetExplorer/AllowInternetZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

InternetExplorer/AllowIntranetZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

InternetExplorer/AllowLocalMachineZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

InternetExplorer/AllowLockedDownInternetZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

InternetExplorer/AllowLockedDownIntranetZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

InternetExplorer/AllowLockedDownLocalMachineZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

InternetExplorer/AllowOneWordEntry

This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.

If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.

If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.

InternetExplorer/AllowSiteToZoneAssignmentList

This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.

Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)

If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:

Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.

Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.

If you disable or do not configure this policy, users may choose their own site-to-zone assignments.

InternetExplorer/AllowSuggestedSites

This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit.

If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions.

If you disable this policy setting, the entry points and functionality associated with this feature are turned off.

If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.

InternetExplorer/AllowTrustedSitesZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

InternetExplorer/AllowsLockedDownTrustedSiteZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

InternetExplorer/AllowsRestrictedSitesZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

InternetExplorer/DisableAdobeFlash

This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.

If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.

If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.

Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.

InternetExplorer/DisableBypassOfSmartScreenWarnings

This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious.

If you enable this policy setting, SmartScreen Filter warnings block the user.

If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.

InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles

This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet.

If you enable this policy setting, SmartScreen Filter warnings block the user.

If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.

InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation

This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).

If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.

If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.

If you do not configure this policy setting, the user can choose to participate in the CEIP.

InternetExplorer/DisableEnclosureDownloading

This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.

If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.

If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.

InternetExplorer/DisableEncryptionSupport

This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.

If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.

If you disable or do not configure this policy setting, the user can select which encryption method the browser supports.

Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.

InternetExplorer/DisableFirstRunWizard

This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

If you enable this policy setting, you must make one of the following choices:

Skip the First Run wizard, and go directly to the user's home page.

Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.

Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.

If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.

InternetExplorer/DisableFlipAheadFeature

This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.

If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.

If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.

InternetExplorer/DisableHomePageChange

The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.

If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.

If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.

InternetExplorer/DisableProxyChange

This policy setting specifies if a user can change proxy settings.

If you enable this policy setting, the user will not be able to configure proxy settings.

If you disable or do not configure this policy setting, the user can configure proxy settings.

InternetExplorer/DisableSearchProviderChange

This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.

If you enable this policy setting, the user cannot change the default search provider.

If you disable or do not configure this policy setting, the user can change the default search provider.

InternetExplorer/DisableSecondaryHomePageChange

Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.

If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages.

If you disable or do not configure this policy setting, the user can add secondary home pages.

Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.

InternetExplorer/DisableUpdateCheck

Prevents Internet Explorer from checking whether a new version of the browser is available.

If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available.

If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available.

This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser.

InternetExplorer/DoNotAllowUsersToAddSites

Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.

If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.)

If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone.

This policy prevents users from changing site management settings for security zones established by the administrator.

Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored.

Also, see the "Security zones: Use only machine settings" policy.

InternetExplorer/DoNotAllowUsersToChangePolicies

Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.

If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.

If you disable this policy or do not configure it, users can change the settings for security zones.

This policy prevents users from changing security zone settings established by the administrator.

Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.

Also, see the "Security zones: Use only machine settings" policy.

InternetExplorer/DoNotBlockOutdatedActiveXControls

This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.

If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.

For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains

This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:

1. "domain.name.TLD". For example, if you want to include .contoso.com/, use "contoso.com"

2. "hostname". For example, if you want to include http://example, use "example"

3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm"

If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.

For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

InternetExplorer/IncludeAllLocalSites

This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.

If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.

If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).

If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.

InternetExplorer/IncludeAllNetworkPaths

This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.

If you enable this policy setting, all network paths are mapped into the Intranet Zone.

If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).

If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.

InternetExplorer/InternetZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

InternetExplorer/InternetZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

InternetExplorer/InternetZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

InternetExplorer/InternetZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

InternetExplorer/InternetZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

InternetExplorer/InternetZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

InternetExplorer/InternetZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

InternetExplorer/InternetZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

InternetExplorer/IntranetZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

InternetExplorer/IntranetZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

InternetExplorer/IntranetZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

InternetExplorer/IntranetZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

InternetExplorer/IntranetZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

InternetExplorer/IntranetZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

InternetExplorer/IntranetZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

InternetExplorer/LocalMachineZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

InternetExplorer/LocalMachineZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

InternetExplorer/LocalMachineZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

InternetExplorer/LocalMachineZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

InternetExplorer/LocalMachineZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

InternetExplorer/LockedDownInternetZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

InternetExplorer/LockedDownInternetZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

InternetExplorer/LockedDownIntranetZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

InternetExplorer/LockedDownIntranetZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.

InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.

If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.

InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

InternetExplorer/RestrictedSitesZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.

InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

InternetExplorer/RestrictedSitesZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.

If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.

InternetExplorer/SearchProviderList

This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.

If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

If you disable or do not configure this policy setting, the user can configure his or her list of search providers.

InternetExplorer/TrustedSitesZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

InternetExplorer/TrustedSitesZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.

InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

InternetExplorer/TrustedSitesZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

InternetExplorer/TrustedSitesZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

InternetExplorer/TrustedSitesZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

Kerberos/AllowForestSearchFolder

This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).

If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.

If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.

Kerberos/KerberosClientSupportsClaimsCompoundArmor

This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.

If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.

If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.

Kerberos/RequireKerberosArmoring

This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.

Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.

If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.

Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.

If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.

Kerberos/RequireStrictKDCValidation

This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.

If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.

If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.

Kerberos/SetMaximumContextTokenSize

This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.

The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.

If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.

If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.

Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.

Power/AllowStandbyWhenSleepingPluggedIn

This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.

If you enable this policy setting, Windows uses standby states to put the computer in a sleep state.

If you disable or do not configure this policy setting, the only sleep state a computer may enter is hibernate.

Power/RequirePasswordWhenComputerWakesOnBattery

This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.

If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.

If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.

Power/RequirePasswordWhenComputerWakesPluggedIn

This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.

If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.

If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.

Printers/PointAndPrintRestrictions

This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.

If you enable this policy setting:

-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.

-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.

If you do not configure this policy setting:

-Windows Vista client computers can point and print to any server.

-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.

-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.

-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.

If you disable this policy setting:

-Windows Vista client computers can create a printer connection to any server using Point and Print.

-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.

-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.

-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.

-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).

Printers/PointAndPrintRestrictions

This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.

If you enable this policy setting:

-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.

-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.

If you do not configure this policy setting:

-Windows Vista client computers can point and print to any server.

-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.

-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.

-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.

If you disable this policy setting:

-Windows Vista client computers can create a printer connection to any server using Point and Print.

-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.

-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.

-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.

-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).

Printers/PublishPrinters

Determines whether the computer's shared printers can be published in Active Directory.

If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.

If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available.

Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".

RemoteAssistance/CustomizeWarningMessages

This policy setting lets you customize warning messages.

The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.

The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer.

If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.

If you disable this policy setting, the user sees the default warning message.

If you do not configure this policy setting, the user sees the default warning message.

RemoteAssistance/SessionLogging

This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.

If you enable this policy setting, log files are generated.

If you disable this policy setting, log files are not generated.

If you do not configure this setting, application-based settings are used.

RemoteAssistance/SolicitedRemoteAssistance

This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.

If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.

If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.

If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.

If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."

The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.

The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.

If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.

RemoteAssistance/UnsolicitedRemoteAssitance

This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.

If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.

If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.

If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.

If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.

To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:

<Domain Name>&lt;User Name> or

<Domain Name>&lt;Group Name>

If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running.

Windows Vista and later

Enable the Remote Assistance exception for the domain profile. The exception must contain:

Port 135:TCP

%WINDIR%\System32\msra.exe

%WINDIR%\System32\raserver.exe

Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)

Port 135:TCP

%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe

%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe

%WINDIR%\System32\Sessmgr.exe

For computers running Windows Server 2003 with Service Pack 1 (SP1)

Port 135:TCP

%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe

%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe

Allow Remote Desktop Exception

RemoteDesktopServices/AllowUsersToConnectRemotely

This policy setting allows you to configure remote access to computers by using Remote Desktop Services.

If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.

If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.

If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.

Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.

You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.

RemoteDesktopServices/ClientConnectionEncryptionLevel

Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.

If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:

* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.

* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.

* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.

If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy.

Important

FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption.

RemoteDesktopServices/DoNotAllowDriveRedirection

This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).

By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername>. You can use this policy setting to override this behavior.

If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.

If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.

If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level.

RemoteDesktopServices/DoNotAllowPasswordSaving

Controls whether passwords can be saved on this computer from Remote Desktop Connection.

If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.

If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.

RemoteDesktopServices/PromptForPasswordUponConnection

This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.

You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.

If you do not configure this policy setting, automatic logon is not specified at the Group Policy level.

RemoteDesktopServices/RequireSecureRPCCommunication

Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.

You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.

If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.

If the status is set to Not Configured, unsecured communication is allowed.

Note: The RPC interface is used for administering and configuring Remote Desktop Services.

RemoteProcedureCall/RPCEndpointMapperClientAuthentication

This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.

If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.

If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.

If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.

Note: This policy will not be applied until the system is rebooted.

RemoteProcedureCall/RestrictUnauthenticatedRPCClients

This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.

This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.

If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.

If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.

If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.

-- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied.

-- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them.

-- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed.

Note: This policy setting will not be applied until the system is rebooted.

Storage/EnhancedStorageDevices

This policy setting configures whether or not Windows will activate an Enhanced Storage device.

If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.

If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.

System/DisableSystemRestore

Allows you to disable System Restore.

This policy setting allows you to turn off System Restore.

System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.

If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.

If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.

Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.

WindowsLogon/DisableLockScreenAppNotifications

This policy setting allows you to prevent app notifications from appearing on the lock screen.

If you enable this policy setting, no app notifications are displayed on the lock screen.

If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.

WindowsLogon/DontDisplayNetworkSelectionUI

This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.

If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.

If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.

© 2017 Microsoft