Policy Settings for Windows Server 2003 (including SP1) and Windows XP (including SP2)

Transcription

1 Web 2 Policy Settings for (including SP1) and XP (including SP2) This document was written by Conan Kezema. and XP together introduce more than 270 new administrative template policy settings for you to use throughout your Active Directory environment. SP1 and XP SP2 add even more policies to help improve management and security throughout your environment. New Group Policy settings include some of the following categories: Application Compatibility Explorer Management and Security Firewall Terminal Services DNS Configuration Update Quality of Service (QoS) As you browse through the extensive list of policy settings, one of the problems you encounter is trying to figure out what each policy setting can do to make your network administration easier. To display a description of the policy setting, along with operating system or component compatibility information, click the Extended tab in the Group Policy Object Editor:

2 2 Web 2 Policy Settings for (including SP1) and This reference provides information about the new Administrative Template policy settings in and XP. I haven t included every policy setting in, but only those added since If you want a definitive list of all policy settings that can affect both 2000 and machines, you can download a spreadsheet from Microsoft at Microsoft s spreadsheet doesn t go into much detail beyond the Explain Text cell for each policy setting. Therefore, a combination of that document and this reference might be the most useful. Computer Configuration In the Computer Configuration section of the Group Policy Object Editor, you can configure policy settings that affect each computer in the SOM (Scope of Management) of a GPO. A SOM can be a site, a domain, or an OU, as described in Chapter 1. Once you configure a policy setting to apply to the computer, it does not matter who logs on to the computer; each configured policy setting still takes effect. Within the Administrative Templates are four main sections: Components System Network Printers The following sections list and explain the new and XP policy settings. Components The Components section contains categories to assist you in controlling the access and behavior of many built-in services or applications. and XP have added a number of categories, including Explorer, Application Compatibility, IIS Installation, and Terminal Services. To find these policy settings, open the Group Policy Object Editor and browse to Computer Configuration Administrative Templates Components. TABLE 2.1 Explorer Turn off Crash Detection provides the ability to manage the crash detection feature of Add-On Management. Explorer v6.0 in XP SP2 or enabled, a crash in Explorer will invoke Error Reporting. not configured or disabled, the crash detection feature for add-on Management will be enabled.

3 Components 3 TABLE 2.1 Explorer (continued) Do Not Allow Users To Enable Or Disable Add-Ons can be used to manage whether users have the ability to allow or deny add-ons through Add-On Manager. Explorer v6.0 in XP SP2 or enabled, users cannot enable or disable add-ons within Explorer. Note that if the add-on has been specifically entered into the Add-On List policy setting, the user may still manage the add-on through the Add- On Manager. If this policy setting is not configured or disabled, the appropriate controls in the Add- On Manager will be available to users. Turn Off Pop-Up Management provides the ability to manage pop-up management functionality in Explorer. Explorer v6.0 in XP SP2 or enabled, the Control Panel information relating to pop-up management will be grayed-out, and all other notifications and dialog boxes will be unavailable. If this policy setting is not configured or disabled, the pop-up management feature will be functional. Pop-Up Allow List provides the ability to manage a list of websites that will be allowed to open pop-up windows regardless of user settings. Explorer v6.0 in XP SP2 or enabled, you can enter a list of sites that will be allowed to open pop-up windows. If this policy setting is not configured, users will be able to view and edit their own list of sites. disabled, the list is deleted, and users cannot create their own list of sites.

4 4 Web 2 Policy Settings for (including SP1) and TABLE 2.2 Explorer/ Control Panel/Security Page Site to Zone Assignment List Intranet Sites: Include All Local (Intranet) Sites Not Listed In Other Zones provides the ability to assign specific websites to security zones. Each security zone has associated security settings that apply to all the sites assigned to the zone. provides the ability to specify that any local sites that are not specifically mapped into any security zone be forced into the local Intranet Zone. Explorer v6.0 in XP SP2 or Explorer v6.0 in XP SP2 or If you enable this policy setting, you can enter specific websites and assign related zone numbers to each site depending on security requirements. Explorer has four security zones that are numbered 1 4. These zones include: 1. Zone 2. Intranet Zone 3. Trusted Sites Zone 4. Restricted Sites Zone If this policy setting is disabled, any websites listed are deleted and no site-to-zone assignments are permitted. If this policy setting is not configured, users may choose their own site-to-zone assignments. enabled, local sites that are not explicitly assigned to other zones are considered to be in the Intranet Zone. If this policy setting is disabled, local sites that are not explicitly assigned to other zones will not become part of the Intranet Zone, which would automatically configure the site to be linked to the Zone. If this policy setting is not configured, users can choose whether to force local sites into the Intranet Zone.

5 Components 5 TABLE 2.2 Explorer/ Control Panel/Security Page (continued) Intranet Sites: Include All Sites That Bypass The Proxy Server provides the ability to control whether sites that bypass the proxy server are mapped to the local Intranet Zone. Explorer v6.0 in XP SP2 or enabled, sites that bypass the proxy server are automatically assigned to the local Intranet Zone. If this policy setting is disabled, sites that bypass the proxy server may not be mapped to the Intranet Zone depending upon other rules that may apply. If this policy setting is not configured, users can choose whether sites that bypass the proxy server are mapped to the local Intranet Zone. Intranet Sites: Include All Network Paths (UNCs) provides the ability to map network paths to the local Intranet Zone. Explorer v6.0 in XP SP2 or If you enable this policy setting, all network paths (UNCs) are automatically mapped to the local Intranet Zone. If this policy setting is disabled, network paths may not be mapped into the local Intranet Zone, depending upon other rules that may apply. If this policy setting is not configured, users can choose whether network paths are mapped to the Intranet Zone. Zone Template provides the ability to assign the Zone a specific security level. Explorer v6.0 in XP SP2 or enabled, you can assign one of the following security levels to the zone: Low, Medium Low, Medium, High If this policy setting is not configured or disabled, no security level is configured.

6 6 Web 2 Policy Settings for (including SP1) and TABLE 2.2 Explorer/ Control Panel/Security Page (continued) Intranet Zone Template provides the ability to assign the Intranet Zone a specific security level. Explorer v6.0 in XP SP2 or enabled, you can assign one of the following security levels to the zone: Low, Medium Low, Medium, High. If this policy setting is not configured or disabled, no security level is configured. Trusted Sites Zone Template provides the ability to assign the Trusted Sites Zone a specific security level. Explorer v6.0 in XP SP2 or enabled, you can assign one of the following security levels to the zone: Low, Medium Low, Medium, High. If this policy setting is not configured or disabled, no security level is configured. Restricted Sites Zone Template provides the ability to assign the Restricted Sites Zone a specific security level. Explorer v6.0 in XP SP2 or enabled, you can assign one of the following security levels to the zone: Low, Medium Low, Medium, High. If this policy setting is not configured or disabled, no security level is configured. Local Machine Zone Template provides the ability to assign the Local Machine Zone a specific security level. Explorer v6.0 in XP SP2 or enabled, you can assign one of the following security levels to the zone: Low, Medium Low, Medium, High. If this policy setting is not configured or disabled, no security level is configured.

7 Components 7 TABLE 2.2 Explorer/ Control Panel/Security Page (continued) Locked-Down Local Machine Zone Template provides the ability to assign the Locked-Down Local Machine Zone a specific security level. Explorer v6.0 in XP SP2 or enabled, you can assign one of the following security levels to the zone: Low, Medium Low, Medium, High. If this policy setting is not configured or disabled, no security level is configured. Locked-Down Zone Template provides the ability to assign the Locked-Down Zone a specific security level. Explorer v6.0 in XP SP2 or enabled, you can assign one of the following security levels to the zone: Low, Medium Low, Medium, High. If this policy setting is not configured or disabled, no security level is configured. Locked-Down Intranet Zone Template provides the ability to assign the Locked-Down Intranet Zone a specific security level. Explorer v6.0 in XP SP2 or enabled, you can assign one of the following security levels to the zone: Low, Medium Low, Medium, High. If this policy setting is not configured or disabled, no security level is configured. Locked-Down Trusted Sites Zone Template provides the ability to assign the Locked-Down Trusted Sites Zone a specific security level. Explorer v6.0 in XP SP2 or enabled, you can assign one of the following security levels to the zone: Low, Medium Low, Medium, High. If this policy setting is not configured or disabled, no security level is configured.

8 8 Web 2 Policy Settings for (including SP1) and TABLE 2.2 Explorer/ Control Panel/Security Page (continued) Locked-Down Restricted Sites Zone Template provides the ability to assign the Locked-Down Restricted Sites Zone a specific security level. Explorer v6.0 in XP SP2 or enabled, you can assign one of the following security levels to the zone: Low, Medium Low, Medium, High. If this policy setting is not configured or disabled, no security level is configured. TABLE 2.3 The Following Settings Apply to the Zone, Intranet Zone, Trusted Sites Zone, Restricted Sites Zone, and Local Machine Zone Folders Policy Setting Description Applies To Settings and Notes Run.NET Framework- Reliant Components Signed With Authenticode Run.NET Framework- Reliant Components Not Signed With Authenticode provides the ability to manage whether.net Framework components signed with Authenticode can be run from Explorer. provides the ability to manage whether.net Framework components that are not signed with Authenticode can be run from Explorer. Explorer v6.0 in XP SP2 or Explorer v6.0 in XP SP2 or enabled, Explorer will execute signed managed components based upon the following values available in the Run.NET Framework-Reliant Components Signed With Authenticode menu: Enable Will execute signed managed components. Disable Will not execute signed managed components. Prompt Will prompt the user to determine whether to execute signed managed components. If this policy is disabled, Explorer will not execute signed managed components. If this policy is not configured, Explorer will execute signed managed components. enabled, Explorer will execute unsigned managed components based upon the following values available in the Run.NET Framework-Reliant Components Not Signed With Authenticode menu: Enable Will execute unsigned managed components. Disable Will not execute unsigned managed components. Prompt Will prompt the user to determine whether to execute unsigned managed components. If this policy is disabled, Explorer will not execute unsigned managed components. If this policy is not configured, Explorer will execute unsigned managed components.

9 Components 9 TABLE 2.3 The Following Settings Apply to the Zone, Intranet Zone, Trusted Sites Zone, Restricted Sites Zone, and Local Machine Zone Folders (continued) Policy Setting Description Applies To Settings and Notes Download Signed ActiveX Controls Download Unsigned ActiveX Controls provides the ability to control whether a user may download signed ActiveX controls from a page in the zone in which this policy is configured. provides the ability to control whether a user may download unsigned ActiveX controls from a page in the zone in which this policy is configured. Explorer v6.0 in XP SP2 or Explorer v6.0 in XP SP2 or enabled, users can download signed ActiveX controls based upon the following values selected from within the Download Signed Active X Controls menu: Disable Signed ActiveX controls are not downloaded. Enable Signed ActiveX controls are downloaded without user intervention. Prompt Users have a choice whether or not to download controls signed by publishers who are not trusted. Note that code signed by trusted publishers is silently downloaded. not configured, users are prompted whether to download controls signed by untrusted publishers. Note that code signed by trusted publishers is silently downloaded. disabled, signed controls are not downloaded. enabled, users can download unsigned ActiveX controls based upon the following values selected from within the Download Unsigned Active X Controls menu: Disable Unsigned ActiveX controls are not downloaded. Enable Unsigned ActiveX controls are downloaded without user intervention. Prompt Users have a choice whether or not to download unsigned controls. not configured or disabled, users cannot download unsigned controls. Initialize And Script ActiveX Controls Not Marked As Safe provides the ability to manage whether ActiveX controls not marked as safe can run with parameters and scripted. Explorer v6.0 in XP SP2 or enabled, users can initialize and script ActiveX controls not marked as safe based upon the following values selected from within the Initialize And Script Activex Controls Not Marked As Safe menu: Disable Unsafe ActiveX controls are not run. Enable Unsafe ActiveX controls are loaded with parameters or are scripted. Prompt Users have a choice whether to allow a control to be loaded with parameters or scripted. If this policy setting is not configured or disabled, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

10 10 Web 2 Policy Settings for (including SP1) and TABLE 2.3 The Following Settings Apply to the Zone, Intranet Zone, Trusted Sites Zone, Restricted Sites Zone, and Local Machine Zone Folders (continued) Policy Setting Description Applies To Settings and Notes Run ActiveX Controls And Plugins provides the ability to manage whether ActiveX controls and plugins can run on web pages from the specified zone. Explorer v6.0 in XP SP2 or enabled, ActiveX controls and plug-ins can be run based upon the following value selected in the Run ActiveX Controls And Plugin menu: Administrator Approved If an ActiveX control has been approved by the administrator, it will run without user intervention. Disable ActiveX controls will not run. Enable ActiveX controls will run without user intervention. Prompt Users are asked to choose whether to allow controls or plug-ins to run. disabled, users are prevented from running ActiveX controls. If this policy setting is not configured, ActiveX controls and plug-ins can run without user intervention. Script ActiveX Controls Marked Safe For Scripting provides the ability to manage whether an ActiveX control marked safe for scripting can interact with a script. Explorer v6.0 in XP SP2 or enabled, ActiveX controls marked safe for scripting can interact with a script based upon the following value selected in the Script ActiveX Controls Marked Safe For Scripting menu: Disable ActiveX script interaction is prevented. Enable ActiveX controls will interact with scripts without user intervention. Prompt Users are asked to choose whether to allow script interaction. disabled, script interaction is prevented. If this policy setting is not configured, script interaction can occur without user intervention. Allow File Downloads provides the ability to control file downloads from the zone. Note that this option is determined by the zone of the page with the link attached to the download, not the zone from which the file is delivered. Explorer v6.0 in XP SP2 or enabled, file can be downloaded from the zone. If this policy setting is disabled, files will be prevented from being downloaded from the zone. If this policy setting is not configured, files can be downloaded from the zone.

11 Components 11 TABLE 2.3 The Following Settings Apply to the Zone, Intranet Zone, Trusted Sites Zone, Restricted Sites Zone, and Local Machine Zone Folders (continued) Policy Setting Description Applies To Settings and Notes Allow Font Downloads provides the ability to control whether pages of the zone can download HTML fonts. Explorer v6.0 in XP SP2 or enabled, HTML fonts can be downloaded based upon the value selected in the Allow Font Downloads menu: Disable Fonts will not be able to be downloaded. Enable Font will be downloaded automatically. Prompt Users are asked to choose whether to allow HTML fonts to download. If this policy setting is disabled, HTML fonts are prevented from being downloaded. If this policy setting is not configured, HTML fonts can be downloaded automatically. Java Permissions provides the ability to control permissions for Java applets. Explorer v6.0 in XP SP2 or enabled, you can choose the following options from the Java Permissions menu: Custom Permission settings can be controlled individually for each applet. Disable Java Java applets cannot be run. High Safety Applets run in their own memory space. Low Safety Java applets can perform all operations. disabled, Java applets cannot run. If this policy setting is not configured, the permission is set to High Safety. Access Data Sources Across Domains provides the ability to control whether Explorer can access data from another security zone using Microsoft XML (MSXML) or ActiveX data Objects (ADO). Explorer v6.0 in XP SP2 or enabled, users can load a page in the zone that uses MSXML or ADO to access data from another zone. If this policy setting is not configured or disabled, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

12 12 Web 2 Policy Settings for (including SP1) and TABLE 2.3 The Following Settings Apply to the Zone, Intranet Zone, Trusted Sites Zone, Restricted Sites Zone, and Local Machine Zone Folders (continued) Policy Setting Description Applies To Settings and Notes Allow Active Content Over Restricted Protocols To Access My Computer provides the ability to manage whether a resource hosted on an adminrestricted protocol in the Intranet Zone can run active content such as ActiveX, Java, and Binary behaviors. The list of restricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy. Explorer v6.0 in XP SP2 or enabled, no Intranet Zone content accessed is affected, even for protocols on the restricted list. You can select Prompt from the drop-down menu. An Information Bar appears to allow control over questionable content accessed over any restricted protocols. If this policy setting is disabled, all attempts to access such content over the restricted protocols are blocked. If this policy setting is not configured, the Information Bar will appear to provide the ability to control whether questionable content accessed over any restricted protocols is allowed when the Network Protocol Lockdown security feature is enabled. Automatic Prompting For File Downloads provides the ability to control whether users receive a prompt for non userinitiated file downloads. Note that regardless of this setting, users will still receive standard file download dialog boxes for user-initiated downloads. Explorer v6.0 in XP SP2 or enabled, users will receive a file download dialog box for automatic download attempts. If this policy setting is not configured or disabled, file downloads that are not user-initiated will be blocked and users will see a prompt in the Information Bar. Users can then click the Information Bar to allow the file download prompt.

13 Components 13 TABLE 2.3 The Following Settings Apply to the Zone, Intranet Zone, Trusted Sites Zone, Restricted Sites Zone, and Local Machine Zone Folders (continued) Policy Setting Description Applies To Settings and Notes Automatic Prompting For ActiveX Controls This policy setting provides the ability to control whether users receive a prompt for ActiveX control installations. Explorer v6.0 in XP SP2 or enabled, users will receive a prompt when an attempt to install an ActiveX control takes place. not configured or disabled, ActiveX control installations will be blocked, and users will see a prompt in the Information Bar. Users can then click the Information Bar to allow the ActiveX control prompt. Allow META REFRESH This policy setting provides the ability to control whether a user s browser can be redirected to another Web page if the author of the Web page uses the META REFRESH tag to redirect browsers to alternate websites. Explorer v6.0 in XP SP2 or enabled, a user s browser will be able to be redirected to another web page via the META REFRESH setting. If this policy setting is disabled, a user s browser that loads a page containing an active META REFRESH setting will not be redirected to another web page. not configured, a user s browser can be redirected to another web page. Allow Script- Initiated Without Size Or Position Constraints This policy setting provides the ability to manage restrictions on scriptinitiated popup windows and windows that include title and status bars. Explorer v6.0 in XP SP2 or enabled, Restrictions security will not apply in this zone. not configured or disabled, the possible harmful actions contained in script-initiated pop-up windows cannot be run.

14 14 Web 2 Policy Settings for (including SP1) and TABLE 2.3 The Following Settings Apply to the Zone, Intranet Zone, Trusted Sites Zone, Restricted Sites Zone, and Local Machine Zone Folders (continued) Policy Setting Description Applies To Settings and Notes Allow Binary And Script Behaviors Display Mixed Content provides the ability to manage dynamic binary and script behaviors. provides the ability to manage whether users can display nonsecure items and whether users receive a security information message to display pages containing both secure and nonsecure items. Explorer v6.0 in XP SP2 or Explorer v6.0 in XP SP2 or enabled, binary and script behaviors are available. If Administrator approved is selected in the drop-down menu, only behaviors listed in the Admin-approved Binary Behaviors Security Restriction policy are available. disabled, binary and script behaviors are not available unless applications have implemented a custom security manager. If this policy is not configured, binary and script behaviors are available. enabled, you can select the following values in the Display Mixed Content menu: Disable Users cannot receive the security information message, and nonsecure content cannot be displayed. Enable The user does not receive a security information message, and nonsecure content can be displayed. Prompt The user will receive the security information message on the web pages that contain both secure and nonsecure content. If this policy setting is not configured, the user will receive the security information message on web pages that contain both secure and nonsecure content.

15 Components 15 TABLE 2.3 The Following Settings Apply to the Zone, Intranet Zone, Trusted Sites Zone, Restricted Sites Zone, and Local Machine Zone Folders (continued) Policy Setting Description Applies To Settings and Notes Do Not Prompt For Client Certificate Selection When No Certificates Or Only One Certificate Exists This policy setting provides the ability to manage whether users are prompted to select a certificate when no certificate or only one certificate exists. The prompt will appear if the user attempts to connect to a protected (HTTPS) website. Explorer v6.0 in XP SP2 or enabled, Explorer will not prompt users that have no certificate or only one certificate, with an authentication message when they connect to a protected website. not configured or disabled, Explorer prompts users with an authentication message when they connect to a protected website. Allow Drag And Drop Or Copy And Paste Files Allow Installation Of Desktop Items provides the ability to manage whether users can drag files or copy and paste files from a source within the configured zone. provides the ability to manage whether users can install Active Desktop items from this zone. Explorer v6.0 in XP SP2 or Explorer v6.0 in XP SP2 or enabled, users can drag files or copy and paste files from this zone automatically. You can choose to prompt users to allow a choice to whether to drag or copy files from the zone. disabled, users are prevented from dragging, copying, and pasting files from this zone. If this policy setting is not configured, users can drag, copy, and paste files from this zone automatically. enabled, users can install desktop items from this zone. You can also choose to prompt the user on whether to install desktop items from this zone. If this policy setting is disabled, users are prevented from installing desktop items from this zone. If this policy setting is not configured, users are prompted to choose whether to install desktop items from this zone.

16 16 Web 2 Policy Settings for (including SP1) and TABLE 2.3 The Following Settings Apply to the Zone, Intranet Zone, Trusted Sites Zone, Restricted Sites Zone, and Local Machine Zone Folders (continued) Policy Setting Description Applies To Settings and Notes Launching Applications And Files In An IFRAME Navigate Sub-Frames Across Different Domains Open Files Based On Content, Not File Extension provides the ability to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML pages in this specific zone. provides the ability to manage the opening of subframes and access of applications across different domains. provides the ability to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Explorer of the file type based on a bit signature. Explorer v6.0 in XP SP2 or Explorer v6.0 in XP SP2 or Explorer v6.0 in XP SP2 or enabled, users will be able to run applications and download files from IFRAMEs on the pages within the zone without user intervention. You can also choose to have users prompted whether to run applications or download files from IFRAMEs. If this policy setting is disabled, users are prevented from launching application and files in an IFRAME. If this policy setting is not configured, users are prompted to choose whether to run applications and download files from IFRAMEs. enabled, users can open subframes from other domains and access applications from other domains. You can also choose to prompt users whether to allow subframes or access applications in other domain. If this policy setting is disabled, users will not be able to open subframes or access applications in different domains. not configured, users can open subframes and access applications from other domains. enabled, the MIME Sniffing Safety Feature will not apply in this zone. If this policy setting is disabled, the actions that may be harmful cannot run. If this policy is not configured, the MIME Sniffing Safety Feature will not apply to this zone.

17 Components 17 TABLE 2.3 The Following Settings Apply to the Zone, Intranet Zone, Trusted Sites Zone, Restricted Sites Zone, and Local Machine Zone Folders (continued) Policy Setting Description Applies To Settings and Notes Software Channel Permissions Submit Non- Encrypted Form Data provides the ability to manage software channel permissions. provides the ability to manage whether data on HTML forms on pages in the zone can be submitted. Note that forms sent with SSL encryption are always allowed. This setting only affects non- SSL for data submission. Explorer v6.0 in XP SP2 or Explorer v6.0 in XP SP2 or enabled, you can choose the following values from the Software Channel Permissions drop-down menu: High Safety Prevents users from being notified of software updates by , software packages from being downloaded to users computers, and software packages from being automatically installed on users computers. Low Safety Allows users to be notified of software updates by , software packages from being downloaded to users computers, and software packages from being automatically installed on users computers. Medium Safety Allows users to be notified of software updates by and software packages from being downloaded to, but not installed on, users computers. disabled, permissions are set to High Safety. If this policy setting is not configured, permissions are set to Medium Safety. enabled, information using HTML forms on pages in this zone can be submitted automatically. You can also choose to prompt users to choose whether to allow HTML forms on pages in this zone to be submitted. If this policy setting is disabled, information using HTML forms on pages in this zone are prevented from being submitted. not configured, users are prompted to choose whether to allow information using HTML forms on pages in this zone to be submitted.

18 18 Web 2 Policy Settings for (including SP1) and TABLE 2.3 The Following Settings Apply to the Zone, Intranet Zone, Trusted Sites Zone, Restricted Sites Zone, and Local Machine Zone Folders (continued) Policy Setting Description Applies To Settings and Notes Use Pop-up Blocker provides the ability to manage whether unwanted pop-up windows appear. Explorer v6.0 in XP SP2 or enabled, most pop-up windows will be prevented from appearing. disabled, pop-up windows are not prevented. not configured, most pop-up windows are prevented from appearing. Userdata Persistence provides the ability to manage the preservation of information in the browser s history, in favorites, in an XML store, or directly within a web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is configured. Explorer v6.0 in XP SP2 or enabled, users can preserve information in the browser s history, in favorites, in an XML store, or directly within a web page saved to disk. disabled, user data persistence does not take place. not configured, users can preserve information in the browser s history, in favorites, in an XML store, or directly within a web page saved to disk. Web Sites In Less Privileged Web Content Zones Can Navigate Into This Zone provides the ability to manage whether websites from less privileged zones can navigate into this zone. Explorer v6.0 in XP SP2 or enabled, websites from less privileged zones, such as the Restricted Zone, can open new windows in, or navigate into, this zone. Note that you can select prompt to provide a warning to the user that potentially risky navigation is about to occur. If this policy setting is disabled, the possibly harmful navigations are prevented. not configured, websites from less privileged zones can open new windows in, or navigate into this zone.

19 Components 19 TABLE 2.3 The Following Settings Apply to the Zone, Intranet Zone, Trusted Sites Zone, Restricted Sites Zone, and Local Machine Zone Folders (continued) Policy Setting Description Applies To Settings and Notes Allow Active Scripting provides the ability to manage whether script code on web pages in the zone is run. Explorer v6.0 in XP SP2 or enabled, script code on pages in the zone can run automatically. If this policy setting is disabled, script code is prevented from running on web pages in the zone. If this policy setting is not configured, script code on web pages within the zone can run automatically. Allow Paste Operations Via Script provides the ability to control whether scripts can perform a Clipboard operation such as cut, copy, or paste. Explorer v6.0 in XP SP2 or enabled, a script will be able to perform a Clipboard operation. If this policy setting is disabled, a script will not be able to perform a Clipboard operation. If this policy setting is not configured, a script will be able to perform a Clipboard operation. Scripting Of Java Applets Logon Options provides the ability to control whether Java applets are exposed to scripts within the zone. provides the ability to control logon options for the zone. Explorer v6.0 in XP SP2 or Explorer v6.0 in XP SP2 or enabled, scripts can access applets automatically without user intervention. disabled, scripts are prevented from accessing Java applets. not configured, scripts can access applets automatically without user intervention. enabled, you can choose the following from the Logon Options menu: Anonymous Logon Used to disable HTTP authentication and uses the guest account only for the Common File System (CIFS) protocol. Automatic Logon Only In Intranet Zone Use to query users for IDs and passwords in other zones. Automatic Logon With Current Username And Password Use to attempt logon using NTLM authentication. Prompt for User Name And Password Used to query users for user IDs and password. If this policy setting is not configured or disabled, logon is set to Automatic Logon Only In The Intranet Zone.

20 20 Web 2 Policy Settings for (including SP1) and TABLE 2.4 The Following Settings Apply to the Locked-Down Zone, Locked- Down Intranet Zone, Locked-Down Trusted Sites Zone, Locked-Down Restricted Sites Zone, and Locked-Down Local Machine Zone folders Policy Setting Description Applies To Settings and Notes Run.NET Framework- Reliant Components Signed With Authenticode provides the ability to manage whether.net Framework components signed with Authenticode can be run from Explorer. Explorer v6.0 in XP SP2 or SP1 or later enabled, Explorer will execute signed managed components based upon the following values available in the Run.NET Framework-Reliant Components Signed With Authenticode menu: Enable Will execute signed managed components. Disable Will not execute signed managed components. Prompt Will prompt the user to determine whether to execute signed managed components. If this policy is disabled, Explorer will not execute signed managed components. If this policy is not configured, Explorer will execute signed managed components. Run.NET Framework- Reliant Components Not Signed With Authenticode provides the ability to manage whether.net Framework components that are not signed with Authenticode can be run from Explorer. Explorer v6.0 in XP SP2 or SP1 or later enabled, Explorer will execute unsigned managed components based upon the following values available in the Run.NET Framework-reliant Components Not Signed With Authenticode menu: Enable Will execute unsigned managed components. Disable Will not execute unsigned managed components. Prompt Will prompt the user to determine whether to execute unsigned managed components. If this policy is disabled, Explorer will not execute unsigned managed components. If this policy is not configured, Explorer will execute unsigned managed components.

21 Components 21 TABLE 2.4 The Following Settings Apply to the Locked-Down Zone, Locked- Down Intranet Zone, Locked-Down Trusted Sites Zone, Locked-Down Restricted Sites Zone, and Locked-Down Local Machine Zone folders (continued) Policy Setting Description Applies To Settings and Notes Download Signed ActiveX Controls Download Unsigned ActiveX Controls provides the ability to control whether a user may download signed ActiveX controls from a page in the zone in which this policy is configured. provides the ability to control whether a user may download unsigned ActiveX controls from a page in the zone in which this policy is configured. Explorer v6.0 in XP SP2 or SP1 or later Explorer v6.0 in XP SP2 or SP1 or later enabled, users can download signed ActiveX controls based upon the following values selected from within the Download Signed Active X Controls menu: Disable Signed ActiveX controls are not downloaded Enable Signed ActiveX controls are downloaded without user intervention. Prompt Users have a choice whether or not to download controls signed by publishers who are not trusted. Note that code signed by trusted publishers are silently downloaded. If this policy setting is not configured, users are prompted whether to download controls signed by untrusted publishers. Note that code signed by trusted publishers is silently downloaded. disabled, signed controls are not downloaded. enabled, users can download unsigned ActiveX controls based upon the following values selected from within the Download Unsigned Active X Controls menu: Disable Unsigned ActiveX controls are not downloaded. Enable Unsigned ActiveX controls are downloaded without user intervention. Prompt Users have a choice whether or not to download unsigned controls. not configured or disabled, users cannot download unsigned controls.

22 22 Web 2 Policy Settings for (including SP1) and TABLE 2.4 The Following Settings Apply to the Locked-Down Zone, Locked- Down Intranet Zone, Locked-Down Trusted Sites Zone, Locked-Down Restricted Sites Zone, and Locked-Down Local Machine Zone folders (continued) Policy Setting Description Applies To Settings and Notes Initialize And Script ActiveX Controls Not Marked As Safe provides the ability to manage whether ActiveX controls not marked as safe can run with parameters and scripted. Explorer v6.0 in XP SP2 or SP1 or later enabled, users can initialize and script ActiveX controls not marked as safe based upon the following values selected from within the Initialize And Script ActiveX Controls Not Marked As Safe menu: Disable Unsafe ActiveX controls are not run. Enable Unsafe ActiveX controls are loaded with parameters or are scripted. Prompt Users have a choice whether to allow a control to be loaded with parameters or scripted. If this policy setting is not configured or disabled, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. Run ActiveX Controls And Plugins provides the ability to manage whether ActiveX controls and plug-ins can run on web pages from the specified zone. Explorer v6.0 in XP SP2 or SP1 or later enabled, ActiveX controls and plug-ins can be run based upon the following value selected in the Run ActiveX Controls And Plugin menu: Administrator Approved If an ActiveX control has been approved by the administrator, it will run without user intervention. Disable ActiveX controls will not run. Enable ActiveX controls will run without user intervention. Prompt Users are asked to choose whether to allow controls or plug-ins to run. If this policy setting is disabled, users are prevented from running ActiveX controls. not configured, ActiveX controls and plug-ins can run without user intervention.

23 Components 23 TABLE 2.4 The Following Settings Apply to the Locked-Down Zone, Locked- Down Intranet Zone, Locked-Down Trusted Sites Zone, Locked-Down Restricted Sites Zone, and Locked-Down Local Machine Zone folders (continued) Policy Setting Description Applies To Settings and Notes Script ActiveX Controls Marked Safe For Scripting provides the ability to manage whether an ActiveX control marked safe for scripting can interact with a script. Explorer v6.0 in XP SP2 or SP1 or later enabled, ActiveX controls marked safe for scripting can interact with a script based upon the following value selected in the Script ActiveX Controls Marked Safe For Scripting menu: Disable ActiveX script interaction is prevented. Enable ActiveX controls will interact with scripts without user intervention. Prompt Users are asked to choose whether to allow script interaction. disabled, script interaction is prevented. If this policy setting is not configured, script interaction can occur without user intervention. Allow File Downloads provides the ability to control file downloads from the zone. Note that this option is determined by the zone of the page with the link attached to the download, not the zone from which the file is delivered. Explorer v6.0 in XP SP2 or SP1 or later enabled, file can be downloaded from the zone. If this policy setting is disabled, files will be prevented from being downloaded from the zone. If this policy setting is not configured, files can be downloaded from the zone. Allow Font Downloads provides the ability to control whether pages of the zone can download HTML fonts. Explorer v6.0 in XP SP2 or SP1 or later enabled, HTML fonts can be downloaded based upon the value selected in the Allow Font Downloads menu: Disable Fonts will not be able to be downloaded. Enable Font will be downloaded automatically. Prompt Users are asked to choose whether to allow HTML fonts to download. If this policy setting is disabled, HTML fonts are prevented from being downloaded. not configured, HTML fonts can be downloaded automatically.

24 24 Web 2 Policy Settings for (including SP1) and TABLE 2.4 The Following Settings Apply to the Locked-Down Zone, Locked- Down Intranet Zone, Locked-Down Trusted Sites Zone, Locked-Down Restricted Sites Zone, and Locked-Down Local Machine Zone folders (continued) Policy Setting Description Applies To Settings and Notes Java Permissions provides the ability to control permissions for java applets. Explorer v6.0 in XP SP2 or SP1 or later enabled, you can choose the following options from the Java Permissions menu: Custom Permission settings can be controlled individually for each applet. Disable Java Java applets cannot be run. High Safety Applets run in their own memory space. Low Safety Java applets can perform all operations. If this policy setting is disabled, Java applets cannot run. If this policy setting is not configured, the permission is set to High Safety. Access Data Sources Across Domains Automatic Prompting For File Downloads provides the ability to control whether Explorer can access data from another security zone using Microsoft XML (MSXML) or ActiveX data Objects (ADO). provides the ability to control whether users receive a prompt for non userinitiated file downloads. Note that regardless of this setting, users will still receive standard file download dialog boxes for user-initiated downloads. Explorer v6.0 in XP SP2 or SP1 or later Explorer v6.0 in XP SP2 or SP1 or later enabled, users can load a page in the zone that uses MSXML or ADO to access data from another zone. If this policy setting is not configured or disabled, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. enabled, users will receive a file download dialog box for automatic download attempts. If this policy setting is not configured or disabled, file downloads that are not userinitiated will be blocked, and users will see a prompt in the Information Bar. Users can then click the Information Bar to allow the file download prompt.

25 Components 25 TABLE 2.4 The Following Settings Apply to the Locked-Down Zone, Locked- Down Intranet Zone, Locked-Down Trusted Sites Zone, Locked-Down Restricted Sites Zone, and Locked-Down Local Machine Zone folders (continued) Policy Setting Description Applies To Settings and Notes Automatic Prompting For ActiveX Controls Allow META REFRESH provides the ability to control whether users receive a prompt for ActiveX control installations. provides the ability to control whether a user s browser can be redirected to another web page if the author of the web page uses the META REFRESH tag to redirect browsers to alternate websites. Explorer v6.0 in XP SP2 or SP1 or later Explorer v6.0 in XP SP2 or SP1 or later enabled, users will receive a prompt when an attempt to install an ActiveX control takes place. not configured or disabled, ActiveX control installations will be blocked, and users will see a prompt in the Information Bar. Users can then click the Information Bar to allow the ActiveX control prompt. enabled, a user s browser will be able to be redirected to another web page via the META REFRESH setting. If this policy setting is disabled, a user s browser that loads a page containing an active META REFRESH setting will not be redirected to another web page. not configured, a user s browser can be redirected to another web page. Allow Script- Initiated Without Size Or Position Constraints provides the ability to manage restrictions on script-initiated pop-up windows and windows that include title and status bars. Explorer v6.0 in XP SP2 or SP1 or later enabled, Restrictions security will not apply in this zone. If this policy setting is not configured or disabled, the possible harmful actions contained in script-initiated pop-up windows cannot be run.

26 26 Web 2 Policy Settings for (including SP1) and TABLE 2.4 The Following Settings Apply to the Locked-Down Zone, Locked- Down Intranet Zone, Locked-Down Trusted Sites Zone, Locked-Down Restricted Sites Zone, and Locked-Down Local Machine Zone folders (continued) Policy Setting Description Applies To Settings and Notes Allow Binary And Script Behaviors Display Mixed Content provides the ability to manage dynamic binary and script behaviors. provides the ability to manage whether users can display nonsecure items and whether users receive a security information message to display pages containing both secure and nonsecure items. Explorer v6.0 in XP SP2 or SP1 or later Explorer v6.0 in XP SP2 or SP1 or later enabled, binary and script behaviors are available. If Administrator Approved is selected in the dropdown menu, only behaviors listed in the Admin-Approved Binary Behaviors Security Restriction policy are available. disabled, binary and script behaviors are not available unless applications have implemented a custom security manager. If this policy is not configured, binary and script behaviors are available. enabled, you can select the following values in the Display Mixed Content menu: Disable Users cannot receive the security information message and nonsecure content cannot be displayed. Enable The user does not receive a security information message and nonsecure content can be displayed. Prompt The user will receive the security information message on the web pages that contain both secure and nonsecure content. not configured, the user will receive the security information message on web pages that contain both secure and nonsecure content. Do Not Prompt For Client Certificate Selection When No Certificates Or Only One Certificate Exists provides the ability to manage whether users are prompted to select a certificate when no certificate or only one certificate exists. The prompt will appear if the user attempts to connect to a protected (HTTPS) website. Explorer v6.0 in XP SP2 or SP1 or later enabled, Explorer will not prompt users that have no certificate or only one certificate, with an authentication message when they connect to a protected website. If this policy setting is not configured or disabled, Explorer prompts users with an authentication message when they connect to a protected website.

27 Components 27 TABLE 2.4 The Following Settings Apply to the Locked-Down Zone, Locked- Down Intranet Zone, Locked-Down Trusted Sites Zone, Locked-Down Restricted Sites Zone, and Locked-Down Local Machine Zone folders (continued) Policy Setting Description Applies To Settings and Notes Allow Drag And Drop Or Copy And Paste Files provides the ability to manage whether users can drag files or copy and paste files from a source within the configured zone. Explorer v6.0 in XP SP2 or SP1 or later enabled, user can drag files or copy and paste files from this zone automatically. You can choose to prompt users to allow a choice to whether to drag or copy files from the zone. If this policy setting is disabled, users are prevented from dragging, copying, and pasting files from this zone. If this policy setting is not configured, users can drag, copy, and paste files from this zone automatically. Allow Installation Of Desktop Items Launching Applications And Files In An IFRAME provides the ability to manage whether users can install Active Desktop items from this zone. provides the ability to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML pages in this specific zone. Explorer v6.0 in XP SP2 or SP1 or later Explorer v6.0 in XP SP2 or SP1 or later enabled, users can install desktop items from this zone. You can also choose to prompt the user on whether to install desktop items from this zone. disabled, users are prevented from installing desktop items from this zone. If this policy setting is not configured, users are prompted to choose whether to install desktop items from this zone. enabled, users will be able to run applications and download files from IFRAMEs on the pages within the zone without user intervention. You can also choose to have users prompted whether to run applications or download files from IFRAMEs. disabled, users are prevented from launching application and files in an IFRAME. not configured, users are prompted to choose whether to run applications and download files from IFRAMEs.

28 28 Web 2 Policy Settings for (including SP1) and TABLE 2.4 The Following Settings Apply to the Locked-Down Zone, Locked- Down Intranet Zone, Locked-Down Trusted Sites Zone, Locked-Down Restricted Sites Zone, and Locked-Down Local Machine Zone folders (continued) Policy Setting Description Applies To Settings and Notes Navigate Sub-Frames Across Different Domains Open Files Based On Content, Not File Extension provides the ability to manage the opening of subframes and access of applications across different domains. provides the ability to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Explorer of the file type based on a bit signature. Explorer v6.0 in XP SP2 or SP1 or later Explorer v6.0 in XP SP2 or SP1 or later enabled, users can open subframes from other domains and access applications from other domains. You can also choose to prompt users whether to allow subframes or access applications in other domain. disabled, users will not be able to open subframes or access applications in different domains. If this policy setting is not configured, users can open subframes and access applications from other domains. enabled, the MIME Sniffing Safety Feature will not apply in this zone. If this policy setting is disabled, the actions that may be harmful cannot run. If this policy is not configured, the MIME Sniffing Safety Feature will not apply to this zone.