enter display name here enter description here Accessibility International Security Connections Page Content Page Certificates Appearance Search Tabs Privacy Page Programs Page Add-on List Deny all add-ons unless specifically allowed in the Add-on List Turn off Crash Detection Do not allow users to enable or disable add-ons Add a specific list of search providers to the user's list of search providers Administrator Approved Controls Advanced settings Allow active content from CDs to run on user machines Check for server certificate revocation Turn off ClearType Do not allow resetting Internet Explorer settings Check for signatures on downloaded programs Allow third-party browser extensions This policy setting allows you to manage whether users receive a dialog requesting permission for active content on a CD to run. If you enable this policy setting, active content on a CD will run without a prompt. If you disable this policy setting, active content on a CD will always prompt before running. If you do not configure this policy, users can choose whether to be prompted before running active content on a CD. This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure. If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. If you disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. This policy setting prevents the user from using the Reset Internet Explorer Settings feature. Reset Internet Explorer Settings allows the user to reset all settings changed since installation, delete browsing history, and disable add-ons that are not preapproved. If you enable this policy setting, the user cannot use Reset Internet Explorer Settings. If you disable or do not configure this policy setting, the user can use Reset Internet Explorer Settings. This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers. If you disable this policy setting, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. This policy setting allows you to manage whether Internet Explorer will launch COM add-ons known as browser helper objects, such as toolbars. Browser helper objects may contain flaws such as buffer overruns which impact Internet Explorer's performance or stability. If you enable this policy setting, Internet Explorer automatically launches any browser helper objects that are installed on the user's computer. If you disable this policy setting, browser helper objects do not launch. If you do not configure this policy, Internet Explorer automatically launches any browser helper objects that are installed on the user's computer. This policy setting allows you to manage whether users can automatically download and install Web components (such as fonts) that can installed by Internet Explorer Active Setup. For example, if you open a Web page that requires Japanese-text display support, Internet Explorer could prompt the user to download the Japanese Language Pack component if it is not already installed. If you enable this policy setting, Web components such as fonts will be automatically installed as necessary. If you disable this policy setting, users will be prompted when Web Components such as fonts would be downloaded. If you do not configure this policy, users will be prompted when Web Components such as fonts would be downloaded. This policy setting allows you to manage whether users can download and install self-installing program files (non-Internet Explorer components) that are registered with Internet Explorer (such as Macromedia and Java) that are required in order to view web pages as intended. If you enable this policy setting, non-Internet Explorer components will be automatically installed as necessary. If you disable this policy setting, users will be prompted when non-Internet Explorer components would be installed. If you do not configure this policy setting, non-Internet Explorer components will be automatically installed as necessary. This policy setting allows you to manage whether Internet Explorer checks the Internet for newer versions. When Internet Explorer is set to do this, the checks occur approximately every 30 days, and users are prompted to install new versions as they become available. If you enable this policy setting, Internet Explorer checks the Internet for a new version approximately every 30 days and prompts the user to download new versions when they are available. If you disable this policy setting, Internet Explorer does not check the Internet for new versions of the browser, so does not prompt users to install them. If you do not configure this policy setting, Internet Explorer does not check the Internet for new versions of the browser, so does not prompt users to install them. This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. If you enable this policy setting, users will be prompted to install or run files with an invalid signature. If you disable this policy setting, users cannot run or install files with an invalid signature. If you do not configure this policy, users can choose to run or install files with an invalid signature. This policy setting allows you to manage whether Internet Explorer will display animated pictures found in Web content. Generally only animated GIF files are affected by this setting; active Web content such as java applets are not. If you enable this policy setting, Internet Explorer will play animated pictures found in Web content. If you disable this policy setting, Internet Explorer will not play or download animated pictures, helping pages display more quickly. If you do not configure this policy setting, Internet Explorer will play animated pictures found in Web content. This policy setting allows you to manage whether Internet Explorer will play sounds found in web content. Generally only sound files such as MIDI files are affected by this setting; active Web content such as java applets are not. If you enable this policy setting, Internet Explorer will play sounds found in Web content. If you disable this policy setting, Internet Explorer will not play or download sounds in Web content, helping pages display more quickly. If you enable this policy setting, Internet Explorer will play sounds found in Web content. This policy setting allows you to manage whether Internet Explorer will display videos found in Web content. Generally only embedded video files are affected by this setting; active Web content such as java applets are not. If you enable this policy setting, Internet Explorer will play videos found in Web content. If you disable this policy setting, Internet Explorer will not play or download videos, helping pages display more quickly. If you do not configure this policy setting, Internet Explorer will play videos found in Web content. This policy setting specifies whether you will accept requests from Web sites for Profile Assistant information. If you enable this policy setting, Profile Assistant information will not be provided, and users will not be prompted to provide information. If you disable this policy setting, then when a Web site requests Profile Assistant information, users will be prompted to choose which information to share. At that time, users can also choose to allow this information to be shared with the Web site in the future without being prompted. If you do not configure this policy setting, a user will have the freedom to accept requests from Web sites for Profile Assistant information. This policy setting allows you to manage whether Internet Explorer will save encrypted pages that contain secure (HTTPS) information such as passwords and credit card numbers to the Internet Explorer cache, which may be insecure. If you enable this policy setting, Internet Explorer will not save encrypted pages containing secure (HTTPS) information to the cache. If you disable this policy setting, Internet Explorer will save encrypted pages containing secure (HTTPS) information to the cache. If you do not configure this policy, Internet Explorer will save encrypted pages containing secure (HTTPS) information to the cache. This policy setting allows you to manage whether Internet Explorer deletes the contents of the Temporary Internet Files folder after all browser windows are closed. This protects against storing dangerous files on the computer, or storing sensitive files that other users could see, in addition to managing total disk space usage. If you enable this policy setting, Internet Explorer will delete the contents of the user's Temporary Internet Files folder when all browser windows are closed. If you disable this policy setting, Internet Explorer will not delete the contents of the user's Temporary Internet Files folder when browser windows are closed. If you do not configure this policy, Internet Explorer will not delete the contents of the Temporary Internet Files folder when browser windows are closed. Allow Install On Demand (Internet Explorer) Allow Install On Demand (except Internet Explorer) Automatically check for Internet Explorer updates Allow software to run or install even if the signature is invalid Play animations in web pages Play sounds in web pages Play videos in web pages Turn off Profile Assistant Do not save encrypted pages to disk Empty Temporary Internet Files folder when browser is closed Advanced Page Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services. If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. If you disable this policy setting, users won't receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. If you don't configure this policy setting, users can change the Suggestions setting on the Settings charm. Always Turn on menu bar by default This policy setting prevents the user from specifying the color to which hyperlinks change when the mouse pointer pauses on them. If you enable this policy setting, the user cannot specify the hover color. You must specify the hover color (for example: 192,192,192). If you disable or do not configure this policy setting, the user can specify the hover color. Prevent specifying the hover color Audio/Video Player Turn on inline AutoComplete This policy setting allows you to turn on inline AutoComplete in Internet Explorer and File Explorer. The AutoComplete feature provides suggestions for what the user types by automatically completing the address or command with the closest match. If you enable this policy setting, inline AutoComplete is turned on. The user cannot turn it off. If you disable this policy setting, inline AutoComplete is turned off. The user cannot turn it on. If you do not configure this policy setting, the user can turn on or turn off inline AutoComplete. By default, inline AutoComplete is turned off for Windows Vista, Windows 7, Internet Explorer 7, and Internet Explorer 8. By default, inline AutoComplete is turned on for Internet Explorer 9. AutoComplete Turn off inline AutoComplete in File Explorer This policy setting let you turn off Inline AutoComplete in File Explorer. Inline AutoComplete provides suggestions for what you type by automatically completing the command inline with the closest match. By default, this functionality is turned on in File Explorer. If you enable this policy setting, Inline AutoComplete for File Explorer is turned off. The user cannot turn it on. If you disable this policy setting, Inline AutoComplete for File Explorer is turned on. The user cannot turn it off. If you do not configure this policy setting, a user will have the freedom to turn on or off Inline AutoComplete for File Explorer. Automatic Disable caching of Auto-Proxy scripts Do not search from the address bar Display the results in the main window Go to an intranet site for a one-word entry in the Address bar This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available. If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. Background This policy setting prevents the user from specifying the background color in Internet Explorer. If you enable this policy setting, the user cannot specify the background color in Internet Explorer. You must specify the background color (for example: 192,192,192). If you disable or do not configure this policy setting, the user can specify the background color in Internet Explorer. Prevent specifying background color Turn on printing of background colors and images Disable external branding of Internet Explorer Browsing Carpoint Application Compatibility Offline Pages Code Download Prevent specifying the code download path for each computer This policy setting prevents the user from specifying the code download path for each computer. The Internet Component Download service exposes a function that is called by an application to download, verify, and install code for an Object Linking and Embedding (OLE) component. If you enable this policy setting, the user cannot specify the download path for the code. You must specify the download path. If you disable or do not configure this policy setting, the user can specify the download path for the code. Component Updates Disable changing Advanced page settings Disable the Advanced page Disable the Connections page Disable the Content page Disable the General page Disable the Privacy page Disable the Programs page Disable the Security page Send internationalized domain names Turn off sending UTF-8 query strings for URLs Use UTF-8 for mailto links Corporate Settings Customize user agent string DHTML Edit Control Use Automatic Detection for dial-up connections Turn off background synchronization for feeds and Web Slices Prevent downloading of enclosures Prevent subscribing to or deleting a feed or a Web Slice Prevent automatic discovery of feeds and Web Slices Prevent access to feed list Turn on Basic feed authentication over HTTP Prevent "Fix settings" functionality Prevent managing the phishing filter Turn off Managing SmartScreen Filter for Internet Explorer 8 Prevent managing SmartScreen Filter Turn off the Security Settings Check feature Turn on script debugging This policy setting allows you to turn on your script debugger, if one is installed. Website developers use script debuggers to test programs and scripts on their webpages. You can use the script debugger to browse, edit, and debug .htm and .asp files that contain Microsoft Visual Basic Scripting Edition (VBScript) or Microsoft JScript. If you enable this policy setting, script debugging is turned on. The user cannot turn off script debugging. If you disable this policy setting, script debugging is turned off. The user cannot turn on script debugging. If you do not configure this policy setting, the user can turn on or turn off script debugging. Position the menu bar above the navigation bar Prevent changing pop-up filter level Turn off toolbar upgrade tool Display error message on proxy script download failure Display settings Turn on compatibility logging Internet Control Panel URL Encoding Enforce full-screen mode Open in existing Internet Explorer window This policy setting prevents the text on the screen from being rendered through the ClearType technology that enhances the readability of text on LCD displays. If you enable this policy setting, applications that host MSHTML do not render text by using the Microsoft ClearType rendering engine. If you disable or do not configure this policy setting, applications that host MSHTML render text by using the Microsoft ClearType rendering engine. Prevents users from running the Internet Explorer Tour from the Help menu in Internet Explorer. If you enable this policy, the Tour command is removed from the Help menu. If you disable this policy or do not configure it, users can run the tour from the Help menu. This policy setting allows you to specify a list of web sites that will be allowed to open pop-up windows regardless of the Internet Explorer process's Pop-Up Blocker settings. If you enable this policy setting, you can enter a list of sites which will be allowed to open pop-up windows regardless of user settings. Only the domain name is allowed, so www.contoso.com is valid, but not http://www.contoso.com. Wildcards are allowed, so *.contoso.com is also valid. If you disable this or do not configure this policy setting, you will not be able to provide a default Pop-up Blocker exception list. Note: You can disable users from adding or removing websites to the exception list by enabling "Turn off Managing Pop-up Allow list" policy. This policy setting allows you to bypass prompting when a script that is running in any process on the computer attempts to perform a Clipboard operation (delete, copy, or paste). If you enable this policy setting, the user is not prompted when a script that is running in any process on the computer performs a Clipboard operation. This means that if the zone behavior is currently set to prompt, it will be bypassed and enabled. If you disable this policy setting, the user is prompted when a script that is running in any process on the computer attempts to perform a Clipboard operation. If you do not configure this policy setting, current values of the URL action for the application or process on the computer prevail. This policy setting allows you to bypass prompting when a script that is running in the Internet Explorer process attempts to perform a Clipboard operation (delete, copy, or paste) and the URL action for the zone is set to prompt. If you enable this policy setting, the user is not prompted when a script that is running in the Internet Explorer process performs a Clipboard operation. In the Internet Explorer process, if the zone behavior is currently set to prompt, it will be bypassed and enabled. If you disable this policy setting, the user is prompted when a script that is running in the Internet Explorer process attempts to perform a Clipboard operation. If you do not configure this policy setting, current values of the URL action for the Internet Explorer process prevail. This policy setting allows you to define applications and processes that can access the Clipboard without prompting the user. Note: Do not enter the Internet Explorer processes in this list. To enable or disable Internet Explorer processes, use the "Bypass prompting for Clipboard access for scripts running in the Internet Explorer process" policy. If the "Bypass prompting for Clipboard access for scripts running in any process" policy setting is enabled, the processes configured in this policy setting take precedence over that policy setting. If you enable this policy setting and enter a value of 1, prompts are bypassed. If you enter a value of 0, prompts are not bypassed. Value Name is the name of the executable file. If Value Name is empty or the value is not 0 or 1, the policy setting is ignored. If you enable this policy setting for an application or process in the list, a script can perform a Clipboard operation without prompting the user. This means that if the zone behavior is currently set to prompt, it will be bypassed and enabled. If you disable this policy setting for an application or process in the list, a script that is running in the application or process cannot bypass the prompt for delete, copy, or paste operations from the Clipboard. If you do not configure this policy setting, current values of the URL action for an application or process in the list prevail. Disable Import/Export Settings wizard Turn off browser geolocation Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects File menu: Disable closing the browser and Explorer windows File menu: Disable Save As... menu option File menu: Disable Save As Web Page Complete File menu: Disable New menu option File menu: Disable Open menu option Shockwave Flash Smallest Smaller Medium Larger Largest Prevent choosing default text size This policy setting prevents the user from choosing the default text size in Internet Explorer. If you enable this policy setting, the user cannot choose the default text size in Internet Explorer. You must specify the default text size: • Largest • Larger • Medium • Smaller • Smallest If you disable or do not configure this policy setting, the user can choose the default text size in Internet Explorer. Force pop-ups to open in a new tab Force pop-ups to open in a new window Foreground Turn off details in messages about Internet connection problems This policy setting specifies whether, when there is a problem connecting with an Internet server, to provide a detailed description with hints about how to correct the problem. If you clear this check box, the user sees only the error code and the name of the error. If you enable this policy setting, when there is a problem connecting with an Internet server, the user does not see a detailed description or hints about how to correct the problem. The user cannot change this policy setting. If you disable this policy setting, when there is a problem connecting with an Internet server, the user sees a detailed description with hints about how to correct the problem. The user cannot change this policy setting. If you do not configure this policy setting, the user can turn on or turn off details in these error messages. Turn off page-zooming functionality General Colors Help menu: Remove 'Send Feedback' menu option Help menu: Remove 'For Netscape Users' menu option Help menu: Remove 'Tip of the Day' menu option Help menu: Remove 'Tour' menu option Help Menu > About Internet Explorer Prevent specifying cipher strength update information URLs This policy setting prevents the user from specifying a URL that contains update information about cipher strength. When the user logs on to a secure page, the page cannot grant access unless the Internet browser connects with a prespecified encryption. To ensure that the browser meets this requirement, this policy setting allows you to specify the URL to update the browser security setting. If you enable this policy setting, the user cannot specify the cipher strength update information URL. You must specify the cipher strength update information URL. If you disable or do not configure this policy setting, the user can specify the cipher strength update information URL. Hover Start the Internet Connection Wizard automatically This policy setting determines whether the Internet Connection Wizard was completed. If the Internet Connection Wizard was not completed, this policy setting starts the wizard automatically. If you enable this policy setting, the Internet Connection Wizard starts automatically if it was not completed before. The user cannot prevent the wizard from starting. If you disable this policy setting, the Internet Connection Wizard does not start automatically. The user can start the wizard manually. If you do not configure this policy setting, the user can decide whether the Internet Connection Wizard should start automatically. Internet Connection Wizard Settings Identity Manager: Prevent users from using Identities Always convert to IDN format Convert Intranet addresses to IDN format Never convert to IDN format Convert non-Intranet addresses to IDN format This policy setting allows you to customize the Internet Explorer version string as reported to web servers in the HTTP User Agent header. If you enable this policy setting, Internet Explorer sends the specified custom string in the version portion of the User Agent header. If you disable or do not configure this policy setting, Internet Explorer sends the current Internet Explorer version in the User Agent header (for example, "MSIE 7.0"). This policy setting controls whether to have background synchronization for feeds and Web Slices. If you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off. If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background. This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. This policy setting prevents the user from subscribing to or deleting a feed or a Web Slice. If you enable this policy setting, the menu command to subscribe to a feed and the menu command to delete a feed are disabled, and access to Web Slices is turned off. A developer cannot add a feed or Web Slice or delete a feed or Web Slice by using the Feed APIs. A developer also cannot create or delete folders. If you disable or do not configure this policy setting, the user can subscribe to a feed or Web Slice through the Subscribe button in Internet Explorer and delete a feed or Web Slice through the feed list control. A developer can add or delete a feed or Web Slice by using the Feed APIs. This policy setting prevents users from having Internet Explorer automatically discover whether a feed or Web Slice is available for an associated webpage. If you enable this policy setting, the user does not receive a notification on the toolbar that a feed or Web Slice is available. If you disable or do not configure this policy setting, the user receives a notification when a feed or Web Slice is available and can click the feed discovery button. This policy setting prevents the user from using Internet Explorer as a feed reader. This policy setting has no impact on the Windows RSS Platform. If you enable this policy setting, the user cannot access the feed list in the Favorites Center. If you disable or do not configure this policy setting, the user can access the feed list in the Favorites Center. This policy setting allows users to have their feeds authenticated through the Basic authentication scheme over an unencrypted HTTP connection. If you enable this policy setting, the Windows RSS Platform authenticates feeds to servers by using the Basic authentication scheme in combination with a less secure HTTP connection. If you disable or do not configure this policy setting, the Windows RSS Platform does not authenticate feeds to servers by using the Basic authentication scheme in combination with a less secure HTTP connection. A developer cannot change this policy setting through the Feed APIs. This policy setting prevents the user from using the "Fix settings" functionality related to Security Settings Check. If you enable this policy setting, the user cannot use the "Fix settings" functionality. If you disable or do not configure this policy setting, the user can use the "Fix settings" functionality. Note: When this policy setting is enabled, the "Fix settings" command on the Notification bar shortcut menu should be disabled. This policy setting positions the menu bar above the navigation bar. The navigation bar contains icons for a variety of features, including browsing web pages, searching the web by using a selection of search tools, accessing and managing favorites, viewing a history of visited pages, printing, and accessing email and newsgroups. The menu bar contains menus that open lists of commands. The commands include options for printing, customizing Internet Explorer, copying and pasting text, managing favorites, and accessing Help. If you enable this policy setting, the menu bar is above the navigation bar. The user cannot interchange the positions of the menu bar and the navigation bar. If you disable this policy setting, the menu bar is below the navigation bar. The user cannot interchange the positions of the menu bar and the navigation bar. If you do not configure this policy setting, the user can interchange the positions of the menu bar and the navigation bar. This policy setting prevents the user from managing a filter that warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing." If you enable this policy setting, the user is not prompted to enable the phishing filter. You must specify which mode the phishing filter uses: manual, automatic, or off. If you select manual mode, the phishing filter performs only local analysis, and the user is prompted to permit any data to be sent to Microsoft. If the feature is fully enabled, all website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user. If you disable or do not configure this policy setting, the user is prompted to decide the mode of operation for the phishing filter. This policy setting allows the user to enable the SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. You must specify which mode the SmartScreen Filter uses: on, or off.All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user. If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on the SmartScreen Filter during the first-run experience. This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user. If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience. This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. If you enable this policy setting, the feature is turned off. If you disable or do not configure this policy setting, the feature is turned on. This policy setting logs information that is blocked by new features in Internet Explorer. The logged compatibility information is displayed in the Windows Event Viewer. If you enable this policy setting, the user can log information that is blocked by new Internet Explorer features. The user cannot turn off logging. If you disable this policy setting, the user cannot log information that is blocked by new Internet Explorer features. The user cannot turn on logging. If you do not configure this policy setting, the user can change the logging settings. This policy setting allows you to enforce full-screen mode, which disables the navigation bar, the menu bar, and the Command bar. Starting with Windows 8, this policy only applies to Internet Explorer on the desktop. The navigation bar includes features for browsing webpages, searching the web by using a selection of search tools, viewing a history of visited pages, printing, and accessing email and newsgroups. The menu bar contains menus that open lists of commands for printing, customizing Internet Explorer, copying and pasting text, managing favorites, and accessing Help. The Command bar enables the user to access and manage favorites, feeds, shortcuts to home page, and more. Full-screen mode disables not only these three bars, but also the shortcuts to these bars. If you enable this policy setting, the navigation bar, the menu bar, and the Command bar are not visible, and the user cannot access them. If you disable or do not configure this policy setting, the user can view and access the navigation bar, the menu bar, and the Command bar. This policy setting allows you to configure whether newly installed add-ons are automatically activated in the Internet Explorer 9 browser. Any add-ons that were activated in a previous version of Internet Explorer are considered to be the same as newly installed add-ons and are not activated when the user upgrades to Internet Explorer 9. In Internet Explorer 9, add-ons are defined as toolbars, Browser Helper Objects, or Explorer bars. ActiveX controls are referred to as plug-ins and are not part of this definition. If you enable this policy setting, newly installed add-ons are automatically activated in the browser. If you disable or do not configure this policy setting, newly installed add-ons are not automatically activated in the browser. Internet Explorer notifies the user when newly installed add-ons are ready for use. The user must choose to activate them by responding to the notification, using Manage Add-ons, or using other methods. This policy setting prevents Internet Explorer from displaying a notification when the average time to load all the user's enabled add-ons exceeds the threshold. The notification informs the user that add-ons are slowing his or her browsing and displays a button that opens the Disable Add-ons dialog box. The Disable Add-ons dialog box displays the load time for each group of add-ons enabled in the browser. It allows the user to disable add-ons and configure the threshold. If you enable this policy setting, users are not notified when the average time to load all the user's enabled add-ons exceeds the threshold. If you disable or do not configure this policy setting, users are notified when the average time to load all the user's enabled add-ons exceeds the threshold. This is the default. Designates the Microsoft Agent ActiveX control as administrator-approved. Microsoft Agent is a set of software services that supports the presentation of software agents as interactive personalities within the Microsoft Windows interface. If you enable this policy, this control can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, these controls will not be designated as administrator-approved. To specify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved. This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions. If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied. If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. This policy setting allows you to ensure that any Internet Explorer add-ons not listed in the 'Add-on List' policy setting are denied. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. By default, the 'Add-on List' policy setting defines a list of add-ons to be allowed or denied through Group Policy. However, users can still use the Add-on Manager within Internet Explorer to manage add-ons not listed within the 'Add-on List' policy setting. This policy setting effectively removes this option from users - all add-ons are assumed to be denied unless they are specifically allowed through the 'Add-on List' policy setting. If you enable this policy setting, Internet Explorer only allows add-ons that are specifically listed (and allowed) through the 'Add-on List' policy setting. If you disable or do not configure this policy setting, users may use Add-on Manager to allow or deny any add-ons that are not included in the 'Add-on List' policy setting. Note: If an add-on is listed in the 'Add-on List' policy setting, the user cannot change its state through Add-on Manager (unless its value has been set to allow user management - see the 'Add-on List' policy for more details). This policy setting allows you to manage the crash detection feature of add-on Management. If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional. This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Add-On Manager. If you enable this policy setting, users cannot enable or disable add-ons through Add-On Manager. If you disable or do not configure this policy setting, the appropriate controls in the Add-On Manager will be available to the user. This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website. If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. Contains settings to enable or disable ActiveX controls. This policy setting allows you to turn on or turn off the earlier menus (for example, File, Edit, and View) in Internet Explorer. If you enable this policy setting, the menu bar appears in Internet Explorer by default, and the user cannot turn it off. If you disable this policy setting, the menu bar appears in Internet Explorer by default, and the user cannot turn it on. If you do not configure this policy setting, the menu bar is turned off by default. The user can turn on or turn off the menu bar. Designates the Audio/Video Player ActiveX control as administrator-approved. This control is used for playing sounds, videos, and other media. If you enable this policy, this control can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, this control will not be designated as administrator-approved. To specify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved. Prevents automatic proxy scripts, which interact with a server to automatically configure users' proxy settings, from being stored in the users' cache. If you enable this policy, automatic proxy scripts will not be stored temporarily on the users' computer. If you disable this policy or do not configure it, automatic proxy scripts can be stored in the users' cache. Prevents branding of Internet programs, such as customization of Internet Explorer and Outlook Express logos and title bars, by another party. If you enable this policy, it prevents customization of the browser by another party, such as an Internet service provider or Internet content provider. If you disable this policy or do not configure it, users could install customizations from another party-for example, when signing up for Internet services. This policy is intended for administrators who want to maintain a consistent browser across an organization. Designates the Microsoft Network (MSN) Carpoint automatic pricing control as administrator-approved. This control enables enhanced pricing functionality on the Carpoint Web site, where users can shop for and obtain information about vehicles. If you enable this policy, this control can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, this control will not be designated as administrator-approved. To specify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved. Contains settings to configure Internet Explorer Contains settings for Offline pages and channels. Prevents users from changing settings on the Advanced tab in the Internet Options dialog box. If you enable this policy, users are prevented from changing advanced Internet settings, such as security, multimedia, and printing. Users cannot select or clear the check boxes on the Advanced tab. If you disable this policy or do not configure it, users can select or clear settings on the Advanced tab. If you set the "Disable the Advanced page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the Advanced page" policy removes the Advanced tab from the interface. Removes the Advanced tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented from seeing and changing advanced Internet settings, such as security, multimedia, and printing. If you disable this policy or do not configure it, users can see and change these settings. When you set this policy, you do not need to set the "Disable changing Advanced page settings" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\), because this policy removes the Advanced tab from the interface. Removes the Connections tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented from seeing and changing connection and proxy settings. If you disable this policy or do not configure it, users can see and change these settings. When you set this policy, you do not need to set the following policies for the Content tab, because this policy removes the Connections tab from the interface: "Disable Internet Connection Wizard" "Disable changing connection settings" "Prevent changing proxy settings" "Disable changing Automatic Configuration settings" If you enable this policy setting, users are prevented from seeing and changing ratings, certificates, AutoComplete, Wallet, and Profile Assistant settings. If you disable this policy or do not configure it, users can see and change these settings. Removes the General tab from the interface in the Internet Options dialog box. If you enable this policy, users are unable to see and change settings for the home page, the cache, history, Web page appearance, and accessibility. If you disable this policy or do not configure it, users can see and change these settings. When you set this policy, you do not need to set the following Internet Explorer policies (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\), because this policy removes the General tab from the interface: "Disable changing home page settings" "Disable changing Temporary Internet files settings" "Disable changing history settings" "Disable changing color settings" "Disable changing link color settings" "Disable changing font settings" "Disable changing language settings" "Disable changing accessibility settings" Removes the Privacy tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented from seeing and changing default settings for privacy. If you disable this policy or do not configure it, users can see and change these settings. Removes the Programs tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented from seeing and changing default settings for Internet programs. If you disable this policy or do not configure it, users can see and change these settings. When you set this policy, you do not need to set the following policies for the Programs tab, because this policy removes the Programs tab from the interface: "Disable changing Messaging settings" "Disable changing Calendar and Contact settings" "Disable the Reset Web Settings feature" "Disable changing default browser check" Removes the Security tab from the interface in the Internet Options dialog box. If you enable this policy, it prevents users from seeing and changing settings for security zones, such as scripting, downloads, and user authentication. If you disable this policy or do not configure it, users can see and change these settings. When you set this policy, you do not need to set the following Internet Explorer policies, because this policy removes the Security tab from the interface: "Security zones: Do not allow users to change policies" "Security zones: Do not allow users to add/delete sites" This policy setting allows you to manage whether Internet Explorer converts Unicode domain names to internationalized domain name (IDN) format (Punycode) before sending them to Domain Name System (DNS) servers or to proxy servers. If you enable this policy setting, you must specify when IDN server names should be sent: 0) Unicode domain names are never converted to IDN format. 1) Unicode domain names are converted to IDN format only for addresses that are not in the Intranet zone. 2) Unicode domain names are converted to IDN format only for addresses that are in the Intranet zone. 3) Unicode domain names are always converted to IDN format. If you disable or do not configure this policy setting, the user can control this setting by using Advanced Options in Internet Control Panel. By default, domain names are converted to IDN format only for addresses that are not in the Intranet zone. This policy setting determines whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers. If you enable this policy setting, you must specify when to use UTF-8 to encode query strings: 0) Never encode query strings. 1) Only encode query strings for URLs that aren't in the Intranet zone. 2) Only encode query strings for URLs that are in the Intranet zone. 3) Always encode query strings. If you disable or don't configure this policy setting, users can turn this behavior on or off, using Internet Explorer Advanced Options settings. The default is to encode all query strings in UTF-8. This policy setting allows you to manage whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) for mailto links. If you enable this policy setting, Internet Explorer encodes mailto links in UTF-8. If you disable or do not configure this policy setting, Internet Explorer sends mailto links encoded through the user's code page. This behavior matches the behavior of Internet Explorer 6 and earlier. The user can change this behavior on the Internet Explorer Tools menu: Click Internet Options, click the Advanced tab, and then under International, select the "Use UTF-8 for mailto links" check box. This ActiveX control enables users to edit HTML text and see a faithful rendition of how the text would look in the browser. There are two versions of the control: a more powerful version that cannot be invoked by a web site because it includes file access and other features, and a "safe for scripting" version that has restricted functionality and is intended for use by web sites. If you enable this policy, this control will be available as an administrator approved control and can be run if the user specifies to run administrator-approved Active-X controls and plug-ins under security zones. If you disable this policy or do not configure it, this control will not be designated as administrator-approved. Specifies that Automatic Detection will be used to configure dial-up settings for users. Automatic Detection uses a DHCP (Dynamic Host Configuration Protocol) or DNS server to customize the browser the first time it is started. If you enable this policy, users' dial-up settings will be configured by Automatic Detection. If you disable this policy or do not configure it, dial-up settings will not be configured by Automatic Detection, unless specified by the user. This policy setting prevents the user from changing the level of pop-up filtering. The available levels are as follows: High: Block all pop-ups. Medium: Block most automatic pop-ups. Low: Allow pop-ups from secure sites. If you enable this policy setting, the user cannot change the filter level. You can specify the filter level by importing Privacy settings from your computer under Internet Explorer Maintenance. If you disable or do not configure this policy setting, the user can manage pop-ups by changing the filter level. You may also want to enable the "Prevent managing pop-up exception list" and "Turn off pop-up management" policy settings to prevent the user from configuring pop-up behavior. This policy setting allows you to turn off the toolbar upgrade tool. The toolbar upgrade tool determines whether incompatible toolbars or Browser Helper Objects are installed when Internet Explorer starts. If the tool detects an incompatible toolbar, the user is prompted to update or disable the toolbar. Specific toolbars or Browser Helper Objects that are enabled or disabled via policy settings do not undergo this check. If you enable this policy setting, the toolbar upgrade tool does not check for incompatible toolbars. The user is not prompted, and incompatible toolbars run unless previously disabled through policy settings or user choice. If you disable or do not configure this policy setting, the toolbar upgrade tool checks for incompatible toolbars. The user can enable or disable incompatible toolbars. Toolbars that are enabled or disabled via policy settings do not undergo these checks. Specifies that error messages will be displayed to users if problems occur with proxy scripts. If you enable this policy, error messages will be displayed when the browser does not download or run a script to set proxy settings. If you disable this policy or do not configure it, error messages will not be displayed when problems occur with proxy scripts. Contains settings that control features found in the Internet Options dialog. This policy settings disables the Import/Export Settings wizard. This wizard allows you to import settings from another browser, import settings from a file, or export settings to a file. Importing settings from another browser allows the user to import favorites and feeds from other browsers. Importing settings from a file allows the user to import favorites, feeds and cookies from a file. Exporting settings to a file allows the user to export favorites, feeds and cookies to a file. If you enable this policy setting, the user will not be able to use the Import/Export Settings wizard. If you disable or do not configure this policy setting, the user will be able to use the Import/Export Settings wizard. This policy setting allows you to disable browser geolocation support. This will prevent websites from requesting location data about the user. If you enable this policy setting, browser geolocation support is turned off. If you disable this policy setting, browser geolocation support is turned on. If you do not configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab. This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings. If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box. Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. Prevents users from closing Microsoft Internet Explorer and File Explorer. If you enable this policy, the Close command on the File menu will appear dimmed. If you disable this policy or do not configure it, users are not prevented from closing the browser or File Explorer. Note: The Close button in the top right corner of the program will not work; if users click the Close button, they will be informed that the command is not available. Prevents users from saving Web pages from the browser File menu to their hard disk or to a network share. If you enable this policy, the Save As command on the File menu will be removed. If you disable this policy or do not configure it, users can save Web pages for later viewing. This policy takes precedence over the "File Menu: Disable Save As Web Page Complete" policy, which prevents users from saving the entire contents that are displayed or run from a Web Page, such as graphics, scripts, and linked files, but does not prevent users from saving the text of a Web page. Caution: If you enable this policy, users are not prevented from saving Web content by pointing to a link on a Web page, clicking the right mouse button, and then clicking Save Target As. Prevents users from saving the complete contents that are displayed on or run from a Web page, including the graphics, scripts, linked files, and other elements. It does not prevent users from saving the text of a Web page. If you enable this policy, the Web Page, Complete file type option will be removed from the Save as Type box in the Save Web Page dialog box. Users can still save Web pages as hypertext markup language (HTML) files or as text files, but graphics, scripts, and other elements are not saved. To display the Save Web Page dialog box, users click the File menu, and then click the Save As command. If you disable this policy or do not configure it, users can save all elements on a Web page. The "File menu: Disable Save As... menu option" policy, which removes the Save As command, takes precedence over this policy. If it is enabled, this policy is ignored. Prevents users from opening a new browser window from the File menu. If this policy is enabled, users cannot open a new browser window by clicking the File menu, pointing to the New menu, and then clicking Window. The user interface is not changed, but a new window will not be opened, and users will be informed that the command is not available. If you disable this policy or do not configure it, users can open a new browser window from the File menu. Caution: This policy does not prevent users from opening a new browser window by right-clicking, and then clicking the Open in New Window command. To prevent users from using the shortcut menu to open new browser windows, you should also set the "Disable Open in New Window menu option" policy, which disables this command on the shortcut menu, or the "Turn off Shortcut Menu" policy, which disables the entire shortcut menu. Note: the user will still be able to open New Tabs. Prevents users from opening a file or Web page from the File menu in Internet Explorer. If you enable this policy, the Open dialog box will not appear when users click the Open command on the File menu. If users click the Open command, they will be notified that the command is not available. If you disable this policy or do not configure it, users can open a Web page from the browser File menu. Caution: This policy does not prevent users from right-clicking a link on a Web page, and then clicking the Open or Open in New Window command. To prevent users from opening Web pages by using the shortcut menu, set the "Disable Open in New Window menu option" policy, which disables this command on the shortcut menu, or the "Turn off Shortcut Menu" policy, which disables the entire shortcut menu. Designates Shockwave flash as an administrator approved control. If you enable this policy, this control can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, this control will not be designated as administrator-approved. To specify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved. This policy setting prevents the user from zooming in to or out of a page to better see the content. If you enable this policy setting, applications that host MSHTML do not respond to user input that causes the content to be re-rendered at a scaled size. If you disable or do not configure this policy setting, applications that host MSHTML respond to user input that causes the content to be re-rendered at a scaled size. Prevents users from sending feedback to Microsoft by clicking the Send Feedback command on the Help menu. If you enable this policy, the Send Feedback command is removed from the Help menu. If you disable this policy or do not configure it, users can fill out an Internet form to provide feedback about Microsoft products. Prevents users from displaying tips for users who are switching from Netscape. If you enable this policy, the For Netscape Users command is removed from the Help menu. If you disable this policy or do not configure it, users can display content about switching from Netscape by clicking the For Netscape Users command on the Help menu. Caution: Enabling this policy does not remove the tips for Netscape users from the Microsoft Internet Explorer Help file. Prevents users from viewing or changing the Tip of the Day interface in Microsoft Internet Explorer. If you enable this policy, the Tip of the Day command is removed from the Help menu. If you disable this policy or do not configure it, users can enable or disable the Tip of the Day, which appears at the bottom of the browser. Prevents users from configuring unique identities by using Identity Manager. Identity Manager enables users to create multiple accounts, such as e-mail accounts, on the same computer. Each user has a unique identity, with a different password and different program preferences. If you enable this policy, users will not be able to create new identities, manage existing identities, or switch identities. The Switch Identity option will be removed from the File menu in Address Book. If you disable this policy or do not configure it, users can set up and change identities. Designates a set of Microsoft Network (MSN) Investor controls as administrator-approved. These controls enable users to view updated lists of stocks on their Web pages. If you enable this policy, these controls can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, these controls will not be designated as administrator-approved. Select the check boxes for the controls that you want to designate as administrator-approved. To specify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved. Restricts the amount of information downloaded for offline viewing. If you enable this policy, you can set limits to the size and number of pages that users can download. If users attempt to exceed the number of subscriptions, a prompt will appear that states that they cannot set up more Web sites for offline viewing. If you disable this policy or do not configure it, then users can determine the amount of content that is searched for new information and downloaded. Caution: Although the Maximum Number of Offline Pages option determines how many levels of a Web site are searched for new information, it does not change the user interface in the Offline Favorites wizard. Note: The begin and end times for downloading are measured in minutes after midnight. The Maximum Offline Page Crawl Depth setting specifies how many levels of a Web site are searched for new information. Allows Administrators to enable and disable the Media Explorer Bar and set the auto-play default. The Media Explorer Bar plays music and video content from the Internet. If you disable the Media explorer bar, users cannot display the Media Explorer Bar. The auto-play feature is also disabled. When users click on a link within Internet Explorer, the content will be played by the default media client on their system. If you enable the Media Explorer Bar or do not configure it, users can show and hide the Media Explorer Bar. Administrators also have the ability to turn the auto-play feature on or off. This setting only applies if the Media Explorer Bar is enabled. If checked, the Media Explorer Bar will automatically display and play the media content when the user clicks on a media link. If unchecked, the content will be played by the default media client on their system. Designates a set of Microsoft ActiveX controls used to manipulate pop-up menus in the browser as administrator-approved. If you enable this policy, these controls can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, these controls will not be designated as administrator-approved. To specify a control as administrator-approved, click Enabled, and then select the check box for the control: -- MCSiMenu - enables Web authors to control the placement and appearance of Windows pop-up menus on Web pages -- Popup Menu Object - enables Web authors to add pop-up menus to Web pages To specify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved. Contains settings for showing or hiding menus and menu options in Internet Explorer. Designates the Microsoft Chat ActiveX control as administrator-approved. This control is used by Web authors to build text-based and graphical-based Chat communities for real-time conversations on the Web. If you enable this policy, this control can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, this control will not be designated as administrator-approved. To specify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved. Designates a set of MSNBC controls as administrator-approved. These controls enable enhanced browsing of news reports on the MSNBC Web site. If you enable this policy, these controls can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, these controls will not be designated as administrator-approved. Select the check boxes for the controls that you want to designate as administrator-approved. To specify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved. Designates NetShow File Transfer Control as an administrator approved control. If you enable this policy, this control can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, this control will not be designated as administrator-approved. To specify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved. Prevents users from adding channels to Internet Explorer. Channels are Web sites that are updated automatically on your computer, according to a schedule specified by the channel provider. If you enable this policy, the Add Active Channel button, which appears on a channel that users haven't yet subscribed to, will be disabled. Users also cannot add content that is based on a channel, such as some of the Active Desktop items from Microsoft's Active Desktop Gallery, to their desktop. If you disable this policy or do not configure it, users can add channels to the Channel bar or to their desktop. Note: Most channel providers use the words Add Active Channel for this option; however, a few use different words, such as Subscribe. Prevents users from specifying that Web pages can be downloaded for viewing offline. When users make Web pages available for offline viewing, they can view the content when their computer is not connected to the Internet. If you enable this policy, users cannot add new schedules for downloading offline content. The Make Available Offline check box will be dimmed in the Add Favorite dialog box. If you disable this policy or do not configure it, users can add new offline content schedules. This policy is intended for organizations that are concerned about server load for downloading content. The "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is enabled, this policy is ignored. Prevents users from determining which toolbars are displayed in Microsoft Internet Explorer and File Explorer. If you enable this policy, the list of toolbars, which users can display by clicking the View menu and then pointing to the Toolbars command, will appear dimmed. If you disable this policy or do not configure it, users can determine which toolbars are displayed in File Explorer and Internet Explorer. This policy can be used in coordination with the "Disable customizing browser toolbar buttons" policy, which prevents users from adding or removing toolbars from Internet Explorer. This policy setting prevents the shortcut menu from appearing when a user right-clicks a webpage while using Internet Explorer. Starting with Windows 8, this policy setting only applies to Internet Explorer on the desktop. If you enable this policy setting, the shortcut menu will not appear when a user right-clicks a webpage. If you disable or do not configure this policy setting, users can use the shortcut menu. This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. If you enable this policy setting, the user cannot continue browsing. If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing. Prevents channel providers from recording information about when their channel pages are viewed by users who are working offline. If you enable this policy, it disables any channel logging settings set by channel providers in the channel definition format (.cdf) file. The .cdf file determines the schedule and other settings for downloading Web content. If you disable this policy or do not configure it, channel providers can record information about when their channel pages are viewed by users who are working offline. Prevents users from viewing the Channel bar interface. Channels are Web sites that are automatically updated on their computer according to a schedule specified by the channel provider. If you enable this policy, the Channel bar interface will be disabled, and users cannot select the Internet Explorer Channel Bar check box on the Web tab in the Display Properties dialog box. If you disable this policy or do not configure it, users can view and subscribe to channels from the Channel bar interface. This policy setting prevents the user from performing actions which will delete browsing history. For more information on browsing history Group Policy settings, see "Group Policies Settings in Internet Explorer 10" in the TechNet technical library. If you enable this policy setting, the user cannot access the Delete Browsing History dialog box. Starting with Windows 8, users cannot click the Delete Browsing History button on the Settings charm. If you disable or do not configure this policy setting, the user can access the Delete Browsing History dialog box. Starting with Windows 8, users can click the Delete Browsing History button on the Settings charm. This policy setting prevents the user from deleting form data. This feature is available in the Delete Browsing History dialog box. If you enable this policy setting, form data is preserved when the user clicks Delete. If you disable this policy setting, form data is deleted when the user clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve form data when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. This policy setting prevents users from deleting passwords. This feature is available in the Delete Browsing History dialog box. If you enable this policy setting, passwords are preserved when the user clicks Delete. If you disable this policy setting, passwords are deleted when the user clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve passwords when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. Prevents users from adding, editing, or removing schedules for offline viewing of Web pages and groups of Web pages that users have subscribed to. A subscription group is a favorite Web page plus the Web pages it links to. If you enable this policy, the Add, Remove, and Edit buttons on the Schedule tab in the Web page Properties dialog box are dimmed. To display this tab, users click the Tools menu, click Synchronize, select a Web page, click the Properties button, and then click the Schedule tab. If you disable this policy or do not configure it, users can add, remove, and edit schedules for Web sites and groups of Web sites. The "Disable editing schedules for offline pages" policy and the "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer) take precedence over this policy. If either policy is enabled, this policy is ignored. Prevents users from editing an existing schedule for downloading Web pages for offline viewing. When users make Web pages available for offline viewing, they can view content when their computer is not connected to the Internet. If you enable this policy, users cannot display the schedule properties of pages that have been set up for offline viewing. If users click the Tools menu, click Synchronize, select a Web page, and then click the Properties button, no properties are displayed. Users do not receive an alert stating that the command is unavailable. If you disable this policy or do not configure it, users can edit an existing schedule for downloading Web content for offline viewing. This policy is intended for organizations that are concerned about server load for downloading content. The "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is enabled, this policy is ignored. Prevents users from adding, removing, editing or viewing the list of Favorite links. The Favorites list is a way to store popular links for future use. If you enable this policy, the Favorites menu is removed from the interface, and the Favorites button on the browser toolbar appears dimmed. The Add to Favorites command on the shortcut menu is disabled; when users click it, they are informed that the command is unavailable. If you disable this policy or do not configure it, users can manage their Favorites list. Note: If you enable this policy, users also cannot click Synchronize on the Tools menu (in Internet Explorer 6) to manage their favorite links that are set up for offline viewing. This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. If you enable this policy setting, you must make one of the following choices: • Skip the First Run wizard, and go directly to the user's home page. • Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen. If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. This policy setting prevents the user from accessing Help in Internet Explorer. If you enable this policy setting, the following occur: • The Help menu on the menu bar is not functional. • Help is removed from the Command bar. • The shortcut key F1 does not make Help appear. • Help cannot be accessed from the Settings charm (starting with Internet Explorer 10 on Windows 8). If you disable or do not configure this policy setting, the Internet Explorer Help menu is available to the user. The user can also use the Command bar and F1 to access Help. This policy setting prevents the Search box from appearing in Internet Explorer. When the Search box is available, it includes all installed search providers and a link to search settings. If you enable this policy setting, the Search box does not appear in the Internet Explorer frame. If you disable or do not configure this policy setting, the Search box appears by default in the Internet Explorer frame. Note: If you enable this policy setting, Internet Explorer does not enumerate search providers for the Accelerators infrastructure. If Accelerators are turned on, users can install search providers as Accelerators to include them on the Accelerator menu. Prevents Internet Explorer from automatically installing components. If you enable this policy, it prevents Internet Explorer from downloading a component when users browse to a Web site that needs that component. If you disable this policy or do not configure it, users will be prompted to download and install a component when visiting a Web site that uses that component. This policy is intended to help the administrator control which components the user installs. Prevents using the shortcut menu to open a link in a new browser window. If you enable this policy, users cannot point to a link, click the right mouse button, and then click the Open in New Window command. If you disable this policy or do not configure it, users can open a Web page in a new browser window by using the shortcut menu. This policy can be used in coordination with the "File menu: Disable New menu option" policy, which prevents users from opening the browser in a new window by clicking the File menu, pointing to New, and then clicking Window. Note: When users click the Open in New Window command, the link will not open in a new window and they will be informed that the command is not available. This policy setting allows you to turn off the Quick Tabs functionality in Internet Explorer. If you enable this policy setting, the entry points to Quick Tabs are removed from the Internet Explorer user interface. If you disable or do not configure this policy setting, Quick Tabs is turned on. Prevents users from disabling channel synchronization in Microsoft Internet Explorer. Channels are Web sites that are automatically updated on your computer according to a schedule specified by the channel provider. If you enable this policy, users cannot prevent channels from being synchronized. If you disable this policy or do not configure it, users can disable the synchronization of channels. This policy is intended to help administrators ensure that users' computers are being updated uniformly across their organization. Note: This policy does not prevent users from removing active content from the desktop interface. Prevents users from clearing the preconfigured settings for Web pages to be downloaded for offline viewing. When users make Web pages available for offline viewing, they can view content when their computer is not connected to the Internet. If you enable this policy, the Make Available Offline check box in the Organize Favorites Favorite dialog box and the Make This Page Available Offline check box will be selected but dimmed. To display the Make This Page Available Offline check box, users click the Tools menu, click Synchronize, and then click the Properties button. If you disable this policy or do not configure it, users can remove the preconfigured settings for pages to be downloaded for offline viewing. This policy is intended for organizations that are concerned about server load for downloading content. The "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is enabled, this policy is ignored. Disables existing schedules for downloading Web pages for offline viewing. When users make Web pages available for offline viewing, they can view content when their computer is not connected to the Internet. If you enable this policy, the check boxes for schedules on the Schedule tab of the Web page properties are cleared and users cannot select them. To display this tab, users click the Tools menu, click Synchronize, select a Web page, click the Properties button, and then click the Schedule tab. If you disable this policy, then Web pages can be updated on the schedules specified on the Schedule tab. This policy is intended for organizations that are concerned about server load for downloading content. The "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is enabled, this policy is ignored. Makes the Customize button in the Search Assistant appear dimmed. The Search Assistant is a tool that appears in the Search bar to help users search the Internet. If you enable this policy, users cannot change their Search Assistant settings, such as setting default search engines for specific tasks. If you disable this policy or do not configure it, users can change their settings for the Search Assistant. This policy is designed to help administrators maintain consistent settings for searching across an organization. This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box. If you enable this policy setting, the user cannot change the default search provider. If you disable or do not configure this policy setting, the user can change the default search provider. Prevents users from saving a program or file that Microsoft Internet Explorer has downloaded to the hard disk. If you enable this policy, users cannot save a program to disk by clicking the Save This Program to Disk command while attempting to download a file. The file will not be downloaded and users will be informed that the command is not available. If you disable this policy or do not configure it, users can download programs from their browsers. Prevents the Internet Explorer splash screen from appearing when users start the browser. If you enable this policy, the splash screen, which displays the program name, licensing, and copyright information, is not displayed. If you disable this policy or do not configure it, the splash screen will be displayed when users start their browsers. Prevents content from being downloaded from Web sites that users have subscribed to. When users make Web pages available for offline viewing, they can view content when their computer is not connected to the Internet. If you enable this policy, content will not be downloaded from Web sites that users have subscribed to. However, synchronization with the Web pages will still occur to determine if any content has been updated since the last time the user synchronized with or visited the page. If you disable this policy or do not configure it, content will not be prevented from being downloaded. The "Disable downloading of site subscription content" policy and the "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer) take precedence over this policy. If either policy is enabled, this policy is ignored. This policy setting allows you to turn off tabbed browsing and related entry points from the Internet Explorer user interface. Starting with Windows 8, this policy only applies to Internet Explorer on the desktop. If you enable this policy setting, tabbed browsing and related entry points are turned off for Internet Explorer, and the user cannot turn them on. If you disable this policy setting, tabbed browsing and related entry points appear on the user interface for Internet Explorer, and the user cannot turn them off. If you do not configure this policy setting, the user can turn on or turn off tabbed browsing. This policy setting allows you to define the user experience related to how pop-up windows appear in tabbed browsing in Internet Explorer. If you enable this policy setting, the user cannot configure pop-up windows in tabbed browsing. You must specify one of the following values: 0: Let Internet Explorer decide. 1: Force pop-up windows to open in new windows. 2: Force pop-up windows to open on new tabs. If you disable or do not configure this policy setting, Internet Explorer uses the user's setting for pop-up windows in tabbed browsing. Prevents users from determining which buttons appear on the Microsoft Internet Explorer and File Explorer standard toolbars. The buttons appearing on the toolbar can be customized by the "Customize" option. This is present under the Toolbars submenu of the View menu in Internet Explorer 6 and under the Toolbars submenu of the Tools menu in the Command bar in subsequent versions of Internet Explorer. If you enable this policy, the Customize option will be removed from the menu. If you disable this policy or do not configure it, users can customize which buttons appear on the Internet Explorer and File Explorer toolbars. This policy can be used in coordination with the "Disable customizing browser toolbars" policy, which prevents users from determining which toolbars are displayed in Internet Explorer and File Explorer. Prevents Internet Explorer from checking whether a new version of the browser is available. If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available. If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available. This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. This policy setting allows you to configure how windows open in Internet Explorer when the user clicks links from other applications. If you enable this policy setting, the user cannot configure how windows open in Internet Explorer when he or she clicks links from other applications. You must specify one of the following: • Open in an existing Internet Explorer window. If tabbed browsing is enabled, a new tab is created in this scenario. • Open a new Internet Explorer window. If you disable or do not configure this policy setting, the user can configure how windows open when he or she clicks links from other applications. Allows Administrators to enable and disable the ability for Outlook Express users to save or open attachments that can potentially contain a virus. If you check the block attachments setting, users will be unable to open or save attachments that could potentially contain a virus. Users will not be able to disable the blocking of attachments in options. If the block attachments setting is not checked, the user can specify to enable or disable the blocking of attachments in options. Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Local Computer security zone. If you enable this policy, you can specify the persistence storage amount per domain or per document for this security zone. If you disable this policy or do not configure it, you cannot set this limit. Note: This setting does not appear in the user interface. Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Local Intranet security zone. If you enable this policy, you can specify the persistence storage amount per domain or per document for this security zone. If you disable this policy or do not configure it, you cannot set this limit. Note: This setting does not appear in the user interface. Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Trusted Sites security zone. If you enable this policy, you can specify the persistence storage amount per domain or per document for this security zone. If you disable this policy or do not configure it, you cannot set this limit. Note: This setting does not appear in the user interface. Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Internet security zone. If you enable this policy, you can specify the persistence storage amount per domain or per document for this security zone. If you disable this policy or do not configure it, you cannot set this limit. Note: This setting does not appear in the user interface. Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Restricted Sites security zone. If you enable this policy, you can specify the persistence storage amount per domain or per document for this security zone. If you disable this policy or do not configure it, you cannot set this limit. Note: This setting does not appear in the user interface. Contains settings for file size limits in internet security zones. If you enable this policy, the user cannot modify the Accessibility options. All options in the "Accessibility" window on the General Tab in the Internet Options dialog box appear dimmed. If you disable this policy or do not configure it, users can change accessibility settings, such as overriding fonts and colors on Web pages. If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the General page" policy removes the General tab from the interface. This setting specifies to automatically detect the proxy server settings used to connect to the Internet and customize Internet Explorer. This setting specifies that Internet explorer use the configuration settings provided in a file by the system administrator. If you enable this policy setting, the user will not be able to do automatic configuration. You can import your current connection settings from your machine using Internet Explorer Maintenance under Admin Templates using group policy editor. If you disable or do no configure this policy setting, the user will have the freedom to automatically configure these settings. Prevents users from changing the browser cache settings, such as the location and amount of disk space to use for the Temporary Internet Files folder. If you enable this policy, the browser cache settings appear dimmed. These settings are found in the dialog box that appears when users click the General tab and then click the Settings button in the Internet Options dialog box. If you disable this policy or do not configure it, users can change their cache settings. If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the General page" policy removes the General tab from the interface. Prevents users from changing the default programs for managing schedules and contacts. If you enable this policy, the Calendar and Contact combo boxes appear dimmed in the Internet Programs area. To display these options, users open the Internet Options dialog box, and then click the Programs tab. If you disable this policy or do not configure it, users can determine which programs to use for managing schedules and contacts, if programs that perform these tasks are installed. This "Disable the Programs Page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) takes precedence over this policy. If it is enabled, this policy is ignored. Prevents users from changing certificate settings in Internet Explorer. Certificates are used to verify the identity of software publishers. If you enable this policy, the settings in the Certificates area on the Content tab in the Internet Options dialog box appear dimmed. If you disable this policy or do not configure it, users can import new certificates, remove approved publishers, and change settings for certificates that have already been accepted. The "Disable the Content page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Content tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. Caution: If you enable this policy, users can still run the Certificate Manager Import Wizard by double-clicking a software publishing certificate (.spc) file. This wizard enables users to import and configure settings for certificates from software publishers that haven't already been configured for Internet Explorer. Prevents Microsoft Internet Explorer from checking to see whether it is the default browser. If you enable this policy, the Internet Explorer Should Check to See Whether It Is the Default Browser check box on the Programs tab in the Internet Options dialog box appears dimmed. If you disable this policy or do not configure it, users can determine whether Internet Explorer will check to see if it is the default browser. When Internet Explorer performs this check, it prompts the user to specify which browser to use as the default. This policy is intended for organizations that do not want users to determine which browser should be their default. The "Disable the Programs page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Programs tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. This policy setting allows you to choose whether users will be notified if Internet Explorer is not the default web browser. If you enable this policy setting, users will be notified if Internet Explorer is not the default web browser. Users cannot change the setting. If you disable this policy setting, users will not be notified if Internet Explorer is not the default web browser. Users cannot change the setting. If you do not configure this policy setting, users can choose whether to be notified that Internet Explorer is not the default web browser through the Tell me if Internet Explorer is not the default web browser check box on the Programs tab in the Internet Options dialog box. Note that starting with Internet Explorer 10 on Windows 8, the check box is located on the Advanced tab in the Internet Options dialog box. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. Prevents users from changing the default Web page colors. If you enable this policy, the color settings for Web pages appear dimmed. The settings are located in the Colors area in the dialog box that appears when the user clicks the General tab and then clicks the Colors button in the Internet Options dialog box. If you disable this policy or do not configure it, users can change the default background and text color of Web pages. If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the General page" policy removes the General tab from the interface. Note: The default Web page colors are ignored on Web pages in which the author has specified the background and text colors. Prevents users from changing dial-up settings. If you enable this policy, the Settings button on the Connections tab in the Internet Options dialog box appears dimmed. If you disable this policy or do not configure it, users can change their settings for dial-up connections. If you set the "Disable the Connections page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the Connections page" policy removes the Connections tab from the interface. Prevents users from running the Internet Connection Wizard. If you enable this policy, the Setup button on the Connections tab in the Internet Options dialog box appears dimmed. Users will also be prevented from running the wizard by clicking the Connect to the Internet icon on the desktop or by clicking Start, pointing to Programs, pointing to Accessories, pointing to Communications, and then clicking Internet Connection Wizard. If you disable this policy or do not configure it, users can change their connection settings by running the Internet Connection Wizard. Note: This policy overlaps with the "Disable the Connections page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Connections tab from the interface. Removing the Connections tab from the interface, however, does not prevent users from running the Internet Connection Wizard from the desktop or the Start menu. Prevents users from changing font settings. If you enable this policy, users will not be able to change font settings for viewing Web pages. All font settings visible after pressing the "Fonts" button on the General Tab in the Internet Options dialog box will be disabled. If you disable this policy or do not configure it, users can change the default fonts for viewing Web pages. If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the General page" policy removes the General tab from the interface. Note: The default font settings colors are ignored in cases in which the Web page author has specified the font attributes. This AutoComplete feature suggests possible matches when users are filling up forms. If you enable this setting, the user is not suggested matches when filling forms. The user cannot change it. If you disable this setting, the user is suggested possible matches when filling forms. The user cannot change it. If you do not configure this setting, the user has the freedom to turn on the auto-complete feature for forms. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. This AutoComplete feature can remember and suggest User names and passwords on Forms. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, from the Menu bar, on the Tools menu, click Internet Options, click the General tab, and then click Settings under Browsing history. If you enable this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete browsing history. If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history. The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. Prevents users from changing language preference settings. If you enable this policy, users will not be able to set language preferences to read websites. Language preference settings visible after pressing the "Languages" button on the General Tab in the Internet Options dialog box will be disabled. If you disable this policy or do not configure it, users can change the language preference settings for viewing Web sites for languages in which the character set has been installed. If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the General page" policy removes the General tab from the interface. Prevents users from changing the colors of links on Web pages. If you enable this policy, the color settings for links appear dimmed. The settings are located in the Links area of the dialog box that appears when users click the General tab and then click the Colors button in the Internet Options dialog box. If you disable this policy or do not configure it, users can change the default color of links on Web pages. If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the General page" policy removes the General tab from the interface. Note: The default link colors are ignored on Web pages on which the author has specified link colors. Prevents users from changing the default programs for messaging tasks. If you enable this policy, the E-mail, Newsgroups, and Internet Call options in the Internet Programs area appear dimmed. To display these options, users open the Internet Options dialog box, and then click the Programs tab. If you disable this policy or do not configure it, users can determine which programs to use for sending mail, viewing newsgroups, and placing Internet calls, if programs that perform these tasks are installed. The "Disable the Programs page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Programs tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. You can allow pop-ups from specific websites by adding the sites to the exception list. If you enable this policy setting, the user cannot add websites to or remove websites from the exception list. If you disable or do not configure this policy setting, the user can add websites to or remove websites from the exception list. Note: You can allow a default list of sites that can open pop-up windows regardless of the Internet Explorer process's Pop-Up Blocker settings by enabling the "Specify pop-up allow list" policy setting. This policy setting allows you to manage pop-up management functionality in Internet Explorer. If you enable this policy setting, the Control Panel information relating to pop-up management will be unavailable (grayed out) and all other pop-up manager controls, notifications, and dialog boxes will not appear. Pop-up windows will continue to function as they did in Windows XP Service Pack 1 or earlier, although windows launched off screen will continue to be re-positioned onscreen. If you disable or do not configure this policy setting, the popup management feature will be functional. Prevents users from changing Profile Assistant settings. If you enable this policy, the My Profile button appears dimmed in the Personal Information area on the Content tab in the Internet Options dialog box. If you disable this policy or do not configure it, users can change their profile information, such as their street and e-mail addresses. The "Disable the Content page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Content tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. This policy setting specifies if a user can change proxy settings. If you enable this policy setting, the user will not be able to configure proxy settings. If you disable or do not configure this policy setting, the user can configure proxy settings. Prevents users from changing ratings that help control the type of Internet content that can be viewed. If you enable this policy, the settings in the Content Advisor area on the Content tab in the Internet Options dialog box appear dimmed. If you disable this policy or do not configure it, users can change their ratings settings. The "Disable the Ratings page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Ratings tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. Prevents users from restoring default settings for home and search pages. If you enable this policy, the Reset Web Settings button on the Programs tab in the Internet Options dialog box appears dimmed. If you disable this policy or do not configure it, users can restore the default settings for home and search pages. The "Disable the Programs page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Programs tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. This policy setting is used to manage temporary Internet files and cookies associated with your Internet browsing history, available by clicking Tools, Internet Options, and then Delete Browsing History in Internet Explorer. If you enable this policy setting, users will not be able to delete temporary Internet files and cookies. If you disable or do not configure this policy setting, users will be able to delete temporary Internet files and cookies. This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar. If you enable this policy setting, user will not be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. If you disable this policy setting, user will be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. If you do not configure this policy setting, a user will have the freedom to choose to turn the auto-complete setting for web-addresses on or off. This policy setting allows you to prevent Windows Search AutoComplete from providing results in the Internet Explorer Address bar. Windows Search AutoComplete suggests possible matches when a user is entering a web address in the browser Address bar. This feature provides more relevant results in the browser Address bar. If you enable this policy setting, Internet Explorer does not use Windows Search AutoComplete for providing relevant results in the Address bar. The user cannot change this setting. If you disable this policy setting, Internet Explorer uses Windows Search AutoComplete to provide relevant results in the Address bar. The user cannot change this setting. If you do not configure this policy setting, the user can choose to turn the Use Windows Search setting on or off. Note: If you enable this policy setting, feeds do not appear in the Address bar. This does not affect subscribing to feeds and interacting with them through the Favorites Center. This policy setting turns off URL Suggestions. URL Suggestions allow users to autocomplete URLs in the address bar based on common URLs. The list of common URLs is stored locally and is updated once a month. No user data is sent over the internet by this feature. If you enable this policy setting, URL Suggestions will be turned off. Users will not be able to turn on URL Suggestions. If you disable this policy setting, URL Suggestions will be turned on. Users will not be able to turn off URL Suggestions. If you do not configure this policy setting, URL Suggestions will be turned on. Users will be able to turn on or turn off URL Suggestions in the Internet Options dialog. By default, URL Suggestions are turned on. Designates Microsoft Scriptlet Component as an administrator approved control. It is an Active X control which is used to render HTML pages. If you enable this policy, this control can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, this control will not be designated as administrator-approved. To specify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved. Disables using the F3 key to search in Internet Explorer and File Explorer. If you enable this policy, the search functionality of the F3 key is disabled. Users cannot press F3 to search the Internet (from Internet Explorer) or to search the hard disk (from File Explorer). If the user presses F3, a prompt appears that informs the user that this feature has been disabled. If you disable this policy or do not configure it, users can press F3 to search the Internet (from Internet Explorer) or the hard disk (from File Explorer). This policy is intended for situations in which administrators do not want users to explore the Internet or the hard disk. This policy can be used in coordination with the "File Menu: Disable Open menu option" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser Menus), which prevents users from opening files by using the browser. Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. If you disable this policy or do not configure it, users of the same computer can establish their own security zone settings. This policy is intended to ensure that security zone settings apply uniformly to the same computer and do not vary from user to user. Also, see the "Security zones: Do not allow users to change policies" policy. Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. If you disable this policy or do not configure it, users can change the settings for security zones. This policy prevents users from changing security zone settings established by the administrator. Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.) If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone. This policy prevents users from changing site management settings for security zones established by the administrator. Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. This policy setting enables intranet mapping rules to be applied automatically if the computer belongs to a domain. If you enable this policy setting, automatic detection of the intranet is turned on, and intranet mapping rules are applied automatically if the computer belongs to a domain. If you disable this policy setting, automatic detection of the intranet is turned off, and intranet mapping rules are applied however they are configured. If this policy setting is not configured, the user can choose whether or not to automatically detect the intranet through the intranet settings dialog in Control Panel. This policy setting causes a Notification bar notification to appear when intranet content is loaded and the intranet mapping rules have not been configured. The Notification bar allows the user to enable intranet mappings, if they require them. If you enable this policy setting, a Notification bar notification appears whenever the user browses to a page that loads content from an intranet site. If you disable this policy setting, a Notification bar notification does not appear when the user loads content from an intranet site that is being treated as though it is in the Internet zone. If this policy setting is not configured, a Notification bar notification appears for intranet content loaded on a browser on a computer that is not a domain member, until the user turns off the Notification bar. Specifies that programs using the Microsoft Software Distribution Channel will not notify users when they install new components. The Software Distribution Channel is a means of updating software dynamically on users' computers by using Open Software Distribution (.osd) technologies. If you enable this policy, users will not be notified if their programs are updated using Software Distribution Channels. If you disable this policy or do not configure it, users will be notified before their programs are updated. This policy is intended for administrators who want to use Software Distribution Channels to update their users' programs without user intervention. This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website. If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. If you disable or do not configure this policy setting, the user can configure his or her list of search providers. This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP). If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. If you do not configure this policy setting, the user can choose to participate in the CEIP. Designates Microsoft Survey Control as an administrator approved control. If you enable this policy, this control can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, this control will not be designated as administrator-approved. To specify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved. This policy setting allows you to configure how new tabs are created by default in Internet Explorer. If you enable this policy setting, the user cannot configure how new tabs are created by default. You must specify whether tabs should open in the foreground or in the background. The user cannot open the tabs in the background by pressing Ctrl+Shift+Select or open the tabs in the foreground by pressing Ctrl+Shift+Select. If you disable or do not configure this policy setting, the user can configure how new tabs are created by default. Specifies which buttons will be displayed on the standard toolbar in Microsoft Internet Explorer. If you enable this policy, you can specify whether or not each button will be displayed by selecting or clearing the check boxes for each button. If you disable this policy or do not configure it, the standard toolbar will be displayed with its default settings, unless users customize it. Contains settings to allow and restrict users from editing the toolbars in Internet Explorer. Administrators can also set the default toolbar buttons. Prevents users from opening the Internet Options dialog box from the Tools menu in Microsoft Internet Explorer. If you enable this policy, users cannot change their Internet options, such as default home page, cache size, and connection and proxy settings, from the browser Tools menu. When users click the Internet Options command on the Tools menu, they are informed that the command is unavailable. If you disable this policy or do not configure it, users can change their Internet settings from the browser Tools menu. Caution: This policy does not prevent users from viewing and changing Internet settings by clicking the Internet Options icon in Windows Control Panel. Also, see policies for Internet options in the \Administrative Templates\Windows Components\Internet Explorer and in \Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel folders. This policy setting allows you to manage whether users can launch the report site problems dialog using a menu option. If you enable this policy setting, a menu option won’t be available in Internet Explorer settings, or in the tools menu in the desktop. Users won’t be able to use it to launch the report site problems dialog box. If you disable or do not configure this policy setting, the menu options will be available. Applies proxy settings to all users of the same computer. If you enable this policy, users cannot set user-specific proxy settings. They must use the zones created for all users of the computer. If you disable this policy or do not configure it, users of the same computer can establish their own proxy settings. This policy is intended to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user. Prevents users from displaying the browser in full-screen (kiosk) mode, without the standard toolbar. If you enable this policy, the Full Screen command on the View menu will appear dimmed, and pressing F11 will not display the browser in a full screen. If you disable this policy or do not configure it, users can display the browser in a full screen. This policy is intended to prevent users from displaying the browser without toolbars, which might be confusing for some beginning users. Prevents users from viewing the HTML source of Web pages by clicking the Source command on the View menu. If you enable this policy, the Source command on the View menu will appear dimmed. If you disable this policy or do not configure it, then users can view the HTML source of Web pages from the browser View menu. Caution: This policy does not prevent users from viewing the HTML source of a Web page by right-clicking a Web page to open the shortcut menu, and then clicking View Source. To prevent users from viewing the HTML source of a Web page from the shortcut menu, set the "Turn off Shortcut Menu" policy, which disables the entire shortcut menu. Let Internet Explorer decide Add-on Management This policy setting allows you to manage whether processes respect add-on management user preferences (as reflected by Add-on Manager) or policy settings. By default, any process other than the Internet Explorer processes or those listed in the 'Process List' policy setting ignore add-on management user preferences and policy settings. If you enable this policy setting, all processes will respect add-on management user preferences and policy settings. If you disable or do not configure this policy setting, all processes will not respect add-on management user preferences or policy settings. This policy setting allows you to manage whether the listed processes respect add-on management user preferences (as entered into Add-on Manager) or policy settings. By default, only Internet Explorer processes use the add-on management user preferences and policy settings. This policy setting allows you to extend support for these user preferences and policy settings to specific processes listed in the process list. If you enable this policy setting and enter a Value of 1, the process entered will respect the add-on management user preferences and policy settings. If you enter a Value of 0, the add-on management user preferences and policy settings are ignored by the specified process. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter Internet Explorer processes in this list because these processes always respect add-on management user preferences and policy settings. If the All Processes policy setting is enabled, the processes configured in this policy setting take precedence over that setting. If you do not configure this policy, processes other than the Internet Explorer processes will not be affected by add-on management user preferences or policy settings (unless "All Processes" is enabled). AJAX Binary Behavior Security Restriction Consistent Mime Handling Notification bar Local Machine Zone Lockdown Security Mime Sniffing Safety Feature MK Protocol Security Restriction Network Protocol Lockdown Object Caching Protection Protection From Zone Elevation Restrict ActiveX Install Restrict File Download Scripted Window Security Restrictions Allow native XMLHTTP support Technologies that enable communications between clients and server and/or cross domain communications. For each zone, the Binary and Scripted Behavior security restrictions may be configured to allow only a list of admin-approved behaviors. This list may be configured here, and applies to all processes which have opted in to the behavior, and to all zones. (Behaviors are components that encapsulate specific functionality or behavior on a page.) If you enable this policy setting, this sets the list of behaviors permitted in each zone for which Script and Binary Behaviors is set to 'admin-approved'. Behaviors must be entered in #package#behavior notation, e.g., #default#vml. If you disable this policy setting, no behaviors will be allowed in zones set to 'admin-approved', just as if those zones were set to 'disable'. If you do not configure this policy setting, only VML will be allowed in zones set to 'admin-approved'. Note. If this policy is set in both Computer Configuration and User Configuration, both lists of behaviors will be allowed as appropriate. Internet Explorer allows users and administrators to decide which add-ons are permitted to load. Applications hosting the Web Browser Control can be configured to respect the same settings as Internet Explorer. Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setting is prevented or allowed. If you enable this policy setting, binary behaviors are prevented for all processes. Any use of binary behaviors for HTML rendering is blocked. If you disable or do not configure this policy setting, binary behaviors are allowed for all processes. Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setting is prevented or allowed. If you enable this policy setting, binary behaviors are prevented for the File Explorer and Internet Explorer processes. If you disable this policy setting, binary behaviors are allowed for the File Explorer and Internet Explorer processes. If you do not configure this policy setting, binary behaviors are prevented for the File Explorer and Internet Explorer processes. Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setting is prevented or allowed. This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1 binary behaviors are prevented. If you enter a Value of 0 binary behaviors are allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the security feature is allowed. Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. These binary behaviors are not controlled by any pages in zones such as Restricted Sites. In Windows XP Service Pack 2, there is a new Internet Explorer security setting for binary behaviors. This new binary behaviors security setting provides a general mitigation to vulnerabilities in Internet Explorer binary behaviors, and disables any binary behaviors for HTML rendering from the Restricted Sites zone by default. Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Consistent Mime Handling is enabled for all processes. If you disable or do not configure this policy setting, Consistent Mime Handling is prevented for all processes. Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files. If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files. Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1, MIME handling is in effect. If you enter a Value of 0 file-type information is allowed to be inconsistent. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the security feature is allowed. Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) type information to decide how to handle files that have been sent by a Web server. For example, when there is a Hypertext Transfer Protocol (HTTP) request for .jpg files, on receipt are generally displayed to the user in an Internet Explorer window. If Internet Explorer receives an executable file, Internet Explorer generally prompted the user for how to handle the file. In Windows XP Service Pack 2, Internet Explorer follows stricter rules that are designed to reduce the attack surface for spoofing the Internet Explorer MIME-handling logic. When files are served to the client, Internet Explorer uses the following pieces of information to decide how to handle the file: - File name extension - Content-Type from the HTTP header (MIME type) - Content-Disposition from the HTTP header - Results of the MIME sniff In Windows XP Service Pack 2, Internet Explorer requires that all file-type information that is provided by Web servers is consistent. For example, if the MIME type of a file is "text/plain" but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving the file in the Internet Explorer cache and changes its extension. (In a MIME sniff, Internet Explorer examines, or sniffs, a file to recognize the bit signatures of certain types of files.) This policy setting allows the user to run natively implemented, scriptable XMLHTTP. If you enable this policy setting, the user can run natively implemented, scriptable XMLHTTP. If you disable this policy setting, the user cannot run natively implemented, scriptable XMLHTTP. If you do not configure this policy setting, the user can choose to run natively implemented, scriptable XMLHTTP. This policy setting allows you to manage whether the Notification bar is displayed for processes other than the Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is not displayed for any process when file or code installs are restricted (except for the Internet Explorer Processes, for which the Notification bar is displayed by default). If you enable this policy setting, the Notification bar will be displayed for all processes. If you disable or do not configure this policy setting, the Notification bar will not be displayed for all processes other than Internet Explorer or those listed in the Process List. This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes. If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes. This policy setting allows you to manage whether the Notification bar is displayed for specific processes when file or code installs are restricted. By default, the Notification bar is not displayed for any process when file or code installs are restricted (except for the Internet Explorer Processes, for which the Notification bar is displayed by default). If you enable this policy setting and enter a Value of 1, the Notification bar is displayed. If you enter a Value of 0 the Notification bar is not displayed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable for IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the Notification bar is not displayed for the specified processes. Enables applications hosting the Web Browser Control to automatically show the Notification bar when file downloads or code installs are restricted. Internet Explorer places zone restrictions on each Web page it opens, which are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone. Local Machine zone security applies to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to load malicious HTML code. If you enable this policy setting, the Local Machine zone security applies to all local files and content processed by any process other than Internet Explorer or those defined in a process list. If you disable or do not configure this policy setting, Local Machine zone security is not applied to local files or content processed by any process other than Internet Explorer or those defined in a process list. Internet Explorer places zone restrictions on each Web page it opens, which are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone. Local Machine zone security applies to all local files and content processed by Internet Explorer. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to load malicious HTML code. If you enable this policy setting, the Local Machine zone security applies to all local files and content processed by Internet Explorer. If you disable this policy setting, Local Machine zone security is not applied to local files or content processed by Internet Explorer. If you do not configure this policy setting, the Local Machine zone security applies to all local files and content processed by Internet Explorer. Internet Explorer places zone restrictions on each Web page it opens, which are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, and so on). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone. Local Machine zone security applies to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to load malicious HTML code. If you enable this policy setting and enter a value of 1, Local Machine Zone security applies. If you enter a value of 0, Local Machine Zone security does not apply. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the security feature is allowed. When Internet Explorer opens a Web page, it places restrictions on what the page can do, based on the location of the Web page. For example, Web pages that are located on the Internet might not be able to perform some operations, such as accessing information from the local hard drive. On the other hand, Web pages on the local computer are in the Local Machine zone, where they have the fewest security restrictions. The Local Machine zone is an Internet Explorer security zone, but is not displayed in the settings for Internet Explorer. The Local Machine zone allows Web content to run with fewer restrictions. Unfortunately, attackers also try to take advantage of the Local Machine zone to elevate their privileges and compromise a computer. In Windows XP Service Pack 2, all local files and content that is processed by Internet Explorer has the security of the Local Machine zone applied to it. This differs from previous versions, where local content was considered to be secure and had no zone-based security was placed on it. This feature dramatically restricts HTML in the Local Machine zone and controls running in the Local Machine Zone. This helps to mitigate attacks where the Local Machine zone is used as an attack vector to load malicious code. This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. If you enable this policy setting, the Mime Sniffing Safety Feature is enabled for all processes. If you disable or do not configure this policy setting, the Mime Sniffing Safety Feature is disabled for all processes. This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. If you disable this policy setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type. If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1, this protection will be in effect. If you enter a Value of 0, any file may be promoted to more dangerous file types. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the security feature is allowed. One of the backup criteria for determining a file type is the result of the MIME sniff. By examining (or sniffing) a file, Internet Explorer can recognize the bit signatures of certain types of files. In Windows XP Service Pack 2, Internet Explorer MIME sniffing will never promote a file of one type to a more dangerous file type. For example, files that are received as plain text but that include HTML code will not be promoted to the HTML type, which could contain malicious code. In the absence of other file type information, the MIME sniff might be the only information that determines how to handle a given file download. If, for instance, Internet Explorer upgrades a text file to an HTML file, the file might execute code from the browser and possibly elevate the file's security privilege. Settings note: this feature can be turned off by zone in IE security zones settings. The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is disabled for all processes. Any use of the MK Protocol is blocked. If you disable or do not configure this policy setting, the MK Protocol is enabled. The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. If you disable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes. If you do not configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1, use of the MK protocol is prevented. If you enter a Value of 0, use of the MK protocol is allowed. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the policy setting is ignored. In a reduction of attack surface, retired protocols are no longer supported. This feature disables the MK protocol. Resources hosted on the MK protocol will fail. Some legacy middleware apps may use this API, and this registry key can be set to allow them to continue to use it. Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is prevented or allowed. If you enable this policy setting, restricting content obtained through restricted protocols is allowed for all processes other than File Explorer or Internet Explorer. If you disable this policy setting, restricting content obtained through restricted protocols is prevented for all processes other than File Explorer or Internet Explorer. If you do not configure this policy setting, no policy is enforced for processes other than File Explorer and Internet Explorer. File Explorer and Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is prevented or allowed. If you enable this policy setting, restricting content obtained through restricted protocols is allowed for File Explorer and Internet Explorer processes. For example, you can restrict active content from pages served over the http and https protocols by adding the value names http and https. If you disable this policy setting, restricting content obtained through restricted protocols is prevented for File Explorer and Internet Explorer processes. If you do not configure this policy setting, the policy setting is ignored. Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is prevented or allowed. This policy setting allows administrators to define applications for which they want restricting content obtained through restricted protocols to be prevented or allowed. If you enable this policy setting and enter a Value of 1, restricting content obtained through restricted protocols is allowed. If you enter a Value of 0, restricting content obtained through restricted protocols is blocked. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the File Explorer or Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable these processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the security feature is allowed. In File Explorer, Internet Explorer, or any other process which opts into the security restriction, Network Protocol Lockdown may be implemented in any security zone in order to prevent active content obtained through restricted protocols from running in an unsafe manner, if the target URL is in that zone. Each zone may be set to either prompt the user when such content attempts to run, or to simply disallow the content in that zone. This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or to a new domain. If you enable this policy setting, object reference is no longer accessible when navigating within or across domains for all processes. If you disable or do not configure this policy setting, object reference is retained when navigating within or across domains in the Restricted Zone sites. This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or to a new domain. If you enable this policy setting, an object reference is no longer accessible when navigating within or across domains for Internet Explorer processes. If you disable this policy setting, an object reference is retained when navigating within or across domains for Internet Explorer processes. If you do not configure this policy setting, an object reference is no longer accessible when navigating within or across domains for Internet Explorer processes. This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or to a new domain. This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1, references to objects are inaccessible after navigation. If you enter a Value of 0, references to objects are still accessible after navigation. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the security feature is allowed. In previous versions of Windows with Internet Explorer, some Web pages could access objects cached from another Web site. In Windows XP Service Pack 2, a reference to an object is no longer accessible when the user navigates to a new domain. For Windows XP Service Pack 2, there is now a new security context on all scriptable objects so that access to all cached objects is blocked. In addition to blocking access when navigating across domains, access is also blocked when navigating within the same domain. (In this context, a domain is defined as a fully qualified domain name (FQDN)). A reference to an object is no longer accessible after the context has changed due to navigation. Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, and so on). For example, Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. If you enable this policy setting, any zone can be protected from zone elevation for all processes. If you disable or do not configure this policy setting, processes other than Internet Explorer or those listed in the Process List receive no such protection. Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. If you disable this policy setting, no zone receives such protection for Internet Explorer processes. If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, and so on). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1, elevation to more privileged zones can be prevented. If you enter a Value of 0, elevation to any zone is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the security feature is allowed. When a Web page is opened in Internet Explorer, Internet Explorer puts restrictions on what the page can do, based on where that Web page came from: the Internet, a local intranet server, a trusted site, and so on. For example, pages on the Internet have stricter security restrictions than pages on a user's local intranet. Web pages on a user's computer are in the Local Machine security zone, where they have the fewest security restrictions. This makes the Local Machine security zone a prime target for malicious users. Zone Elevation Blocks makes it harder to get code to run in this zone. (As a separate feature, Local Machine Zone Lockdown makes the zone less vulnerable to malicious users by changing its security settings.) Internet Explorer prevents the overall security context for any link on a page from being higher than the security context of the root URL. This means, for example, that a page in the Internet zone cannot navigate to a page in the Local Intranet zone, except as the result of a user-initiated action. A script, for example, could not cause this navigation. For the purpose of this mitigation, the security context ranking of the zones, from highest security context to lowest, is: Restricted Sites zone, Internet zone, Local Intranet zone, Trusted Sites zone, and Local Machine zone. Zone Elevation also disables JavaScript navigation if there is no security context. Settings note: this feature can be turned off or set to prompt by zone in IE security zones settings. This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control installation. If you enable this policy setting, the Web Browser Control will block automatic prompting of ActiveX control installation for all processes. If you disable or do not configure this policy setting, the Web Browser Control will not block automatic prompting of ActiveX control installation for all processes. This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. If you disable this policy setting, prompting for ActiveX control installations will not be blocked for Internet Explorer processes. If you do not configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes. This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control installation. If you enable this policy setting and enter a Value of 1, automatic prompting of ActiveX control installation is blocked. If you enter a Value of 0, automatic prompting of ActiveX control installation is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the security feature is allowed. Enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control installation. If a policy setting blocks prompting for an ActiveX control installation, the Notification bar appears instead. This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that are not user initiated. If you enable this policy setting, the Web Browser Control will block automatic prompting of file downloads that are not user initiated for all processes. If you disable this policy setting, the Web Browser Control will not block automatic prompting of file downloads that are not user initiated for all processes. This policy setting enables blocking of file download prompts that are not user initiated. If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes. If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes. This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that are not user initiated. If you enable this policy setting and enter a Value of 1, automatic prompting of non-initiated file downloads is blocked. If you enter a Value of 0, automatic prompting of non-initiated file downloads is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the security feature is allowed. Enables applications hosting the Web Browser Control to block automatic prompting of file downloads that were not user initiated. If a policy setting blocks prompting for a file download, the Notification bar appears instead. Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable this policy setting, scripted windows are restricted for all processes. If you disable or do not configure this policy setting, scripted windows are not restricted. Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. If you disable this policy setting, scripts can continue to create popup windows and windows that obfuscate other windows. If you do not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1, such windows may not be opened. If you enter a Value of 0, windows have none of these restrictions. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the security feature is allowed. Internet Explorer provides the capability for scripts to programmatically open additional windows of various types, and to resize and reposition existing windows. The Window Restrictions security feature restricts two types of script-initiated windows that have been used by malicious persons to deceive users: popup windows (which do not have components such as the address bar, title bar, status bar, and toolbars) and windows that include the title bar and status bar. Script-initiated windows with the title bar and status bar are constrained in scripted movement to ensure that these important and informative bars remain visible after the operation completes. - Scripts cannot position windows so that the title bar or address bar are above the visible top of the display. - Scripts cannot position windows such that the status bar is below the visible bottom of the display. - Script-initiated windows that include a title bar and status bar are constrained in scripted sizing to ensure that the title bar and status bar remain visible after the operation completes. - Scripts cannot resize windows such that the title bar, address bar, or status bar cannot be seen. - When creating a window, the definition of the fullscreen=yes specification is changed to mean "show the window as maximized," which will keep the title bar, address bar, and status bar visible. Internet Explorer has been modified to not turn off the status bar for any windows. The status bar is always visible for all Internet Explorer windows. Script-initiated popup windows are now constrained so that they: - Do not extend above the top or below the bottom of the parent Internet Explorer Web Object Control (WebOC) window. - Are smaller in height than the parent WebOC window. - Overlap the parent window horizontally. - Stay with the parent window if the parent window moves. - Appear above its parent so other windows (such as a dialog box) cannot be hidden. Contains settings to enable or disable security features for Internet Explorer, File Explorer and other applications. Restricted Protocols Per Security Zone The list of restricted protocols governed by Network Protocol Lockdown varies per security zone. Use these policies to set the restricted protocol list for each zone. If policy is set in both Computer Configuration and User Configuration, the two lists are combined. Internet Zone Restricted Protocols Intranet Zone Restricted Protocols Local Machine Zone Restricted Protocols Restricted Sites Zone Restricted Protocols Trusted Sites Zone Restricted Protocols For each zone, the Network Protocol Lockdown security restriction may be configured to prevent active content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling the content. For each zone, this list of protocols may be configured here, and applies to all processes which have opted in to the security restriction. If you enable this policy setting for a zone, this sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols to access my computer." If you disable or do not configure this policy setting for a zone, no protocols are restricted for that zone, regardless of the setting for "Allow active content over restricted protocols to access my computer." Note. If policy for a zone is set in both Computer Configuration and User Configuration, both lists of protocols will be restricted for that zone. Admin-approved behaviors All Processes Internet Explorer Processes Process List Bypass prompting for Clipboard access for scripts running in any process Bypass prompting for Clipboard access for scripts running in the Internet Explorer process Define applications and processes that can access the Clipboard without prompting Automatically activate newly installed add-ons Turn off add-on performance notifications Internet Explorer Internet Settings Investor This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone. If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone). If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. Install binaries signed by MD2 and MD4 signing technologies This policy setting allows you to manage whether Internet Explorer 9 can install ActiveX controls and other binaries signed with MD2 and MD4 signing technologies. Internet Explorer 9 does not support MD2 and MD4 signing technologies by default, because they are not as secure as other technologies. If you enable this policy setting, Internet Explorer 9 installs binaries signed by MD2 and MD4 signing technologies. If you disable or do not configure this policy setting, Internet Explorer 9 does not install binaries signed by MD2 and MD4 signing technologies. This policy setting controls whether sites which bypass the proxy server are mapped into the local Intranet security zone. If you enable this policy setting, sites which bypass the proxy server are mapped into the Intranet Zone. If you disable this policy setting, sites which bypass the proxy server aren't necessarily mapped into the Intranet Zone (other rules might map one there). If you do not configure this policy setting, users choose whether sites which bypass the proxy server are mapped into the Intranet Zone. This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. If you enable this policy setting, all network paths are mapped into the Intranet Zone. If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there). If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site.  For each entry that you add to the list, enter the following information: Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter http://www.contoso.com as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. If you disable or do not configure this policy, users may choose their own site-to-zone assignments. This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. Intranet Sites: Include all local (intranet) sites not listed in other zones Internet Zone Locked-Down Internet Zone The settings in this zone apply only if the Internet Zone is in 'lockdown' mode, such as when the Network Protocol Lockdown security feature is in effect. If the zone is locked down, these URL action settings do not override the standard Internet Zone settings, but are compared against them. If the settings for that URL action in the two zones are the same, then that setting is used. Otherwise, the user is presented with a Notification bar, and may allow the zone to operate with the standard (non-lockdown) zone's setting. Intranet Zone Locked-Down Intranet Zone The settings in this zone apply only if the Intranet Zone is in 'lockdown' mode, such as when the Network Protocol Lockdown security feature is in effect. If the zone is locked down, these URL action settings do not override the standard Intranet Zone settings, but are compared against them. If the settings for that URL action in the two zones are the same, then that setting is used. Otherwise, the user is presented with a Notification bar, and may allow the zone to operate with the standard (non-lockdown) zone's setting. Administrator approved Anonymous logon Automatic logon with current username and password Automatic logon only in Intranet zone Custom Disable Disable Java Enable High High safety Low Low safety Medium Medium High Medium Low Medium safety Prompt Prompt for user name and password Local Machine Zone Locked-Down Local Machine Zone The settings in this zone apply only if the Local Machine Zone is in 'lockdown' mode, such as when the Local Machine Zone Lockdown security feature is in effect. If the zone is locked down, these URL action settings do not override the standard Local Machine Zone settings, but are compared against them. If the settings for that URL action in the two zones are the same, then that setting is used. Otherwise, the user is presented with a Notification bar, and may allow the zone to operate with the standard (non-lockdown) zone's setting. Allow websites to open windows without status bar or Address bar This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar. If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar. Allow only approved domains to use ActiveX controls without prompt This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. Allow video and animation on a webpage that uses an older media player This policy setting allows the playing of video and animation through older media players in specified zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this policy setting, video and animation cannot be played through older media players. If you do not configure this policy setting, video and animation can be played through older media players in specified zones. Allow scriptlets This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. Turn off first-run prompt Turn off first-run prompt This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned off by default. This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned on by default. Include local path when user is uploading files to a server This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. Turn on SmartScreen Filter scan This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. Allow websites to prompt for information by using scripted windows This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted windows are displayed. If you disable this policy setting, the user must choose to display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Notification bar behavior. Allow updates to status bar via script Allow updates to status bar via script This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this policy setting, script is allowed to update the status bar. If you disable or do not configure this policy setting, script is not allowed to update the status bar. This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this policy setting, script is allowed to update the status bar. If you disable or do not configure this policy setting, script is allowed to update the status bar. Turn on Protected Mode This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode. Turn on Cross-Site Scripting Filter This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. Show security warning for potentially unsafe files This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. Allow loading of XAML Browser Applications This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer. Allow scripting of Internet Explorer WebBrowser controls This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy setting, script access to the WebBrowser control is allowed. If you disable this policy setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. Turn off .NET Framework Setup This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on. The user cannot change this behavior. If you do not configure this policy setting, .NET Framework Setup is turned on by default. The user can change this behavior. Allow loading of XAML files This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. Allow loading of XPS files This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated content and are portable across platforms, devices, and applications. If you enable this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behavior. If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet Explorer. Access data sources across domains This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. Allow active scripting This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on pages in the zone is prevented from running. This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on pages in the zone can run automatically. This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, users are queried to choose whether to allow script code on pages in the Local Machine zone to run. Allow META REFRESH This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page. Allow cut, copy or paste operations from the clipboard via script This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. If you enable this policy setting, a script can perform a clipboard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a script cannot perform a clipboard operation. This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. If you enable this policy setting, a script can perform a clipboard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a script can perform a clipboard operation. Allow binary and script behaviors This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. If you do not configure this policy setting, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. If you do not configure this policy setting, binary and script behaviors are available. Use Pop-up Blocker This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevented from appearing. This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. Display mixed content This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content. Download signed ActiveX controls This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, signed controls cannot be downloaded. This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, users can download signed controls without user intervention. This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. Download unsigned ActiveX controls This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls. This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users can run unsigned controls without user intervention. This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users are queried to choose whether to allow the unsigned control to run. Allow drag and drop or copy and paste files This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically. This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone. Render legacy filters This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options dialog box. Filters are not rendered by default in this zone. This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options dialog box. Filters are rendered by default in this zone. Allow file downloads This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files are prevented from being downloaded from the zone. This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloaded from the zone. Allow font downloads This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. Allow installation of desktop items This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do not configure this policy setting, users are prevented from installing desktop items from this zone. This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do not configure this policy setting, users can install desktop items from this zone automatically. This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zone. Locked-Down Internet Zone Template Internet Zone Template Locked-Down Intranet Zone Template Intranet Zone Template Java permissions This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to High Safety. This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Low Safety. This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety. Launching applications and files in an IFRAME This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. Locked-Down Local Machine Zone Template Local Machine Zone Template Logon options This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the following logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon with current username and password. This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the following logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone. This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the following logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Prompt for username and password. Enable MIME Sniffing This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. Enable dragging of content from different domains within a window This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. Enable dragging of content from different domains across windows This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. Navigate windows and frames across different domains This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. Allow active content over restricted protocols to access my computer This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Trusted Sites Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be set in the Trusted Sites Zone Restricted Protocols section under Network Protocol Lockdown policy. If you enable this policy setting, no Trusted Sites Zone content accessed is affected, even for protocols on the restricted list. If you select Prompt from the drop-down box, the Notification bar will appear to allow control over questionable content accessed over any restricted protocols; content over other protocols is unaffected. If you disable this policy setting, all attempts to access such content over the restricted protocols is blocked. If you do not configure this policy setting, all attempts to access such content over the restricted protocols is blocked when the Network Protocol Lockdown security feature is enabled. This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy. If you enable this policy setting, no Intranet Zone content accessed is affected, even for protocols on the restricted list. If you select Prompt from the drop-down box, the Notification bar will appear to allow control over questionable content accessed over any restricted protocols; content over other protocols is unaffected. If you disable this policy setting, all attempts to access such content over the restricted protocols is blocked. If you do not configure this policy setting, the Notification bar will appear to allow control over questionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled. Do not prompt for client certificate selection when no certificates or only one certificate exists. This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one certificate exists. If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has no certificate or only one certificate. This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one certificate exists. If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Internet Explorer does not prompt users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. Automatic prompting for ActiveX controls This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. Automatic prompting for file downloads This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. Locked-Down Restricted Sites Zone Template Restricted Sites Zone Template Run ActiveX controls and plugins This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If you enable this policy setting, controls and plug-ins can run without user intervention. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy setting, controls and plug-ins are prevented from running. This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If you enable this policy setting, controls and plug-ins can run without user intervention. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy setting, controls and plug-ins can run without user intervention. Script ActiveX controls marked safe for scripting This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you enable this policy setting, script interaction can occur automatically without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script interaction is prevented from occurring. This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you enable this policy setting, script interaction can occur automatically without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script interaction can occur automatically without user intervention. Don't run antimalware programs against ActiveX controls This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. Initialize and script ActiveX controls not marked as safe This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. Scripting of Java applets This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy setting, scripts can access applets automatically without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts are prevented from accessing applets. This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy setting, scripts can access applets automatically without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applets automatically without user intervention. Run .NET Framework-reliant components signed with Authenticode This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet Explorer will not execute signed managed components. This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet Explorer will execute signed managed components. Software channel permissions This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the following options from the drop-down box. Low safety to allow users to be notified of software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High safety to prevent users from being notified of software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure this policy setting, permissions are set to High safety. This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the following options from the drop-down box. Low safety to allow users to be notified of software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High safety to prevent users from being notified of software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure this policy setting, permissions are set to Low safety. This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the following options from the drop-down box. Low safety to allow users to be notified of software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High safety to prevent users from being notified of software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure this policy setting, permissions are set to Medium safety. Submit non-encrypted form data This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information using HTML forms on pages in this zone is prevented from being submitted. If you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically. This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information using HTML forms on pages in this zone is prevented from being submitted. If you do not configure this policy setting, users are queried to choose whether to allow information using HTML forms on pages in this zone to be submitted. Locked-Down Trusted Sites Zone Template Trusted Sites Zone Template Run .NET Framework-reliant components not signed with Authenticode This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. Userdata persistence This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. Allow script-initiated windows without size or position constraints This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. If you do not configure this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. Web sites in less privileged Web content zones can navigate into this zone This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. Intranet Sites: Include all sites that bypass the proxy server Restricted Sites Zone Locked-Down Restricted Sites Zone The settings in this zone apply only if the Restricted Zone is in 'lockdown' mode, such as when the Network Protocol Lockdown security feature is in effect. If the zone is locked down, these URL action settings do not override the standard Restricted Zone settings, but are compared against them. If the settings for that URL action in the two zones are the same, then that setting is used. Otherwise, the relevant behavior is strictly blocked, preventing the zone from operating with the standard (non-lockdown) zone's setting. Security Page If you enable any policies for the security page, it is strongly recommended that you also configure policy to disable the security page from being presented in the UI to prevent users from believing that they can change their security settings. You can disable the security page using the policy located at Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\. Trusted Sites Zone Locked-Down Trusted Sites Zone The settings in this zone apply only if the Trusted Zone is in 'lockdown' mode, such as when the Network Protocol Lockdown security feature is in effect. If the zone is locked down, these URL action settings do not override the standard Trusted Zone settings, but are compared against them. If the settings for that URL action in the two zones are the same, then that setting is used. Otherwise, the user is presented with a Notification bar, and may allow the zone to operate with the standard (non-lockdown) zone's setting. Intranet Sites: Include all network paths (UNCs) Site to Zone Assignment List This policy setting prevents the user from specifying the color of webpage links that he or she has not yet clicked. Appropriate color choices can make links easier to see for some users, especially those who use high-contrast color schemes. If you enable this policy setting, the user cannot specify the color of links not yet clicked in Internet Explorer. You must specify the link color (for example: 192,192,192). If you disable or do not configure this policy setting, the user can specify the color of links not yet clicked. Prevent specifying the color of links that have not yet been clicked Link Colors This policy setting prevents the user from specifying the color of webpage links that he or she has already clicked. Appropriate color choices can make links easier to see for some users, especially those who use high-contrast color schemes. If you enable this policy setting, the user cannot specify the color of links already clicked in Internet Explorer. You must specify the link color (for example: 192,192,192). If you disable or do not configure this policy setting, the user can specify the color of links already clicked. Prevent specifying the color of links that have already been clicked Manual Subscription Limits 0 1 2 3 Configure Media Explorer Bar Menu Controls Browser menus Microsoft Agent Microsoft Chat MSNBC Multimedia NetShow File Transfer Control Never Open in a new Internet Explorer window Disable adding channels Disable adding schedules for offline pages Turn on automatic signup This policy setting allows Internet Explorer to be started automatically to complete the signup process after the branding is complete for Internet service providers (ISPs) through the Internet Explorer Administration Kit (IEAK). If you enable this policy setting, Internet Explorer is started automatically to complete the signup process after the branding is complete for ISPs (IEAK). The user cannot change this behavior. If you disable this policy setting, Internet Explorer is not started automatically to complete the signup process after the branding is complete for ISPs (IEAK). The user cannot change this behavior. If you do not configure this policy setting, the user can decide whether to start Internet Explorer automatically to complete the signup process after the branding is complete for ISPs (IEAK). Disable customizing browser toolbars Turn off Shortcut Menu Prevent ignoring certificate errors Disable offline page hit logging Disable channel user interface completely Prevent access to Delete Browsing History Prevent deleting form data Prevent deleting passwords Disable editing and creating of schedule groups Disable editing schedules for offline pages Hide Favorites menu Prevent running First Run wizard Prevent access to Internet Explorer Help Prevent Internet Explorer Search box from appearing Disable Automatic Install of Internet Explorer components Disable Open in New Window menu option Turn off Quick Tabs functionality Disable removing channels Disable removing schedules for offline pages Disable all scheduled offline pages Prevent changing the default search provider Disable Save this program to disk option Disable showing the splash screen Disable downloading of site subscription content Turn off tabbed browsing Turn off configuration of pop-up windows in tabbed browsing Disable customizing browser toolbar buttons Disable Periodic Check for Internet Explorer software updates Prevent configuration of how windows open Configure Outlook Express Turn off page transitions This policy setting specifies if, as you move from one Web page to another, Internet Explorer fades out of the page you are leaving and fades into the page to which you are going. If you enable this policy setting, page transitions will be turned off. The user cannot change this behavior. If you disable this policy setting, page transitions will be turned on. The user cannot change this behavior. If you do not configure this policy setting, the user can turn on or off page transitions. This feature only applies to versions of Internet Explorer up to and including Internet Explorer 8. Persistence Behavior File size limits for Local Machine zone File size limits for Intranet zone File size limits for Trusted Sites zone File size limits for Internet zone File size limits for Restricted Sites zone Off On Pop-up allow list Printing This policy setting specifies whether Internet Explorer prints background colors and images when the user prints a webpage. Including background colors and images might reduce the speed at which a page is printed and the quality of the printing, depending on the capabilities of the printer. If you enable this policy setting, the printing of background colors and images is turned on. The user cannot turn it off. If you disable this policy setting, the printing of background colors and images is turned off. The user cannot turn it on. If you do not configure this policy setting, the user can turn on or turn off the printing of background colors and images. Disable changing accessibility settings Disable changing Automatic Configuration settings Turn off automatic image resizing This policy setting specifies that you want Internet Explorer to automatically resize large images so that they fit in the browser window. If you enable this policy setting, automatic image resizing is turned off. The user cannot change this setting. If you disable this policy setting, automatic image resizing is turned on. The user cannot change this setting. If you do not configure this policy setting, the user can turn on or off automatic image resizing. Disable changing Temporary Internet files settings Disable changing Calendar and Contact settings Disable changing certificate settings Disable changing default browser check Notify users if Internet Explorer is not the default web browser Disable changing color settings Disable changing connection settings Disable Internet Connection wizard Disable changing font settings Disable AutoComplete for forms Turn on the auto-complete feature for user names and passwords on forms Disable "Configuring History" Disable changing home page settings Disable changing language settings Disable changing link color settings Disable changing Messaging settings Prevent managing pop-up exception list Turn off pop-up management Disable changing Profile Assistant settings Prevent changing proxy settings Disable changing ratings settings Disable the Reset Web Settings feature Prevent the deletion of temporary Internet files and cookies Turn off the auto-complete feature for web addresses Turn off Windows Search AutoComplete Turn off URL Suggestions RSS Feeds Turn on the display of script errors This policy setting specifies whether to display script errors when a page does not appear properly because of problems with its scripting. This feature is off by default, but it is useful to developers when they are testing webpages. If you enable this policy setting, the user is shown script errors when a page does not appear properly because of problems with its scripting. The user cannot change this policy setting. If you disable this policy setting, the user is not shown script errors when a page does not appear properly because of problems with its scripting. The user cannot change this policy setting. If you do not configure this policy setting, the user can turn on or turn off the display of script errors. Microsoft Scriptlet Component Clipboard access Search: Disable Find Files via F3 within the browser Search: Disable Search Customization Searching Security Zones: Use only machine settings Security Zones: Do not allow users to change policies Security Zones: Do not allow users to add/delete sites Security Features Turn on automatic detection of intranet Turn on Notification bar notification for intranet content Disable software update shell notifications on program launch Turn off image display This policy setting specifies whether graphical images are included when pages are displayed. Sometimes, pages that contain several graphical images are displayed very slowly. If you want to display pages more quickly, you can turn off image display. If you enable this policy setting, images do not appear. The user cannot turn on image display. However, the user can still display an individual image by right-clicking the icon that represents the image and then clicking Show Picture. The "Allow the display of image download placeholders" policy setting must be disabled if this policy setting is enabled. If you disable this policy setting, images appear. The user cannot turn off image display. If you do not configure this policy setting, the user can turn on or turn off image display. Allow the display of image download placeholders This policy setting specifies whether placeholders appear for graphical images while the images are downloading. This allows items on the page to be positioned where they will appear when the images are completely downloaded. This option is ignored if the Show Pictures check box is cleared. If you enable this policy setting, placeholders appear for graphical images while the images are downloading. The user cannot change this policy setting. The "Turn off image display" policy setting must be disabled if this policy setting is enabled. If you disable this policy setting, placeholders will not appear for graphical images while the images are downloading. The user cannot change this policy setting. If you do not configure this policy setting, the user can allow or prevent the display of placeholders for graphical images while the images are downloading. Allow Internet Explorer to play media files that use alternative codecs This policy setting specifies whether Internet Explorer plays media files that use alternative codecs and that require additional software. If you enable this policy setting, Internet Explorer plays these files, if the appropriate software is installed. If you disable this policy setting, Internet Explorer does not play these files. If you do not configure this policy setting, the user can change the "Enable alternative codecs in HTML5 media elements" setting on the Advanced tab in the Internet Options dialog box. Signup Settings Turn off smart image dithering This policy setting specifies whether you want Internet Explorer to smooth images so that they appear less jagged when displayed. If you enable this policy setting, smart image dithering is turned off. The user cannot turn it on. If you disable this policy setting, smart image dithering is turned on. The user cannot turn it off. If you do not configure this policy setting, the user can turn on or turn off smart image dithering. Turn off smooth scrolling This policy setting specifies whether smooth scrolling is used to display content at a predefined speed. If you enable this policy setting, smooth scrolling is turned off. The user cannot turn on smooth scrolling. If you disable this policy setting, smooth scrolling is turned on. The user cannot turn off smooth scrolling. If you do not configure this policy setting, the user can turn smooth scrolling on or off. Restrict search providers to a specific list Prevent participation in the Customer Experience Improvement Program Only Internet Explorer 4.0 At least Internet Explorer 5.0 Only Internet Explorer 5.0 and Internet Explorer 6.0 Only Internet Explorer 5.0 through Internet Explorer 7.0 Only Internet Explorer 5.0 through Internet Explorer 8.0 Only Internet Explorer 5.0 through Internet Explorer 9.0 At least Internet Explorer 5.0. Not supported on Windows 8 At least Internet Explorer 5.0. Not supported on Windows Vista Only Internet Explorer 5.0 Only Internet Explorer 6.0 At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 1 Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 through IE7 inclusive Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 through IE8 inclusive At least Internet Explorer 6.0 in Windows 2003 Service Pack 1 At least Internet Explorer 6.0 in Windows 2003 Service Pack 1. Not supported on Windows Vista Only Internet Explorer 6.0 in Windows 2003 Service Pack 1 At least Internet Explorer 7.0 Only Internet Explorer 7.0 Only Internet Explorer 7.0 and Internet Explorer 8.0 Internet Explorer 7.0 to Internet Explorer 9.0 Internet Explorer 7.0 to Internet Explorer 10.0 Internet Explorer 8.0 to Internet Explorer 10.0 At least Internet Explorer 8.0 Only Internet Explorer 8.0 At least Internet Explorer 9.0 At least Internet Explorer 10.0 At least Internet Explorer 10.0 on Windows 8 At least Internet Explorer 11.0 At least Internet Explorer 11.0 on Windows Server 2012 or Windows 8.1 At least Internet Explorer 7.0. Not supported on Windows Vista At least Internet Explorer 7.0 in Windows Vista Microsoft Survey Control Prevent configuration of new tab creation This policy setting prevents the user from specifying the text color in Internet Explorer. If you enable this policy setting, the user cannot specify the text color in Internet Explorer. You must specify the text color (for example: 192,192,192). If you disable or do not configure this policy setting, the user can specify the text color in Internet Explorer. Prevent specifying text color Configure Toolbar Buttons Toolbars Tools menu: Disable Internet Options... menu option Turn off the ability to launch report site problems using a menu option Turn on ActiveX Filtering Turn off configuring underline links This policy setting specifies how you want links on webpages to be underlined. If you enable this policy setting, a user cannot choose when to underline links. You must specify when to underline links: • Always • Never • Hover (when the mouse pointer pauses on a link) If you disable or do not configure this policy setting, the user can choose when to underline links. Periodic check for updates to Internet Explorer and Internet Tools Prevent specifying the update check interval (in days) This policy setting prevents the user from specifying the update check interval. The default value is 30 days. If you enable this policy setting, the user cannot specify the update check interval. You must specify the update check interval. If you disable or do not configure this policy setting, the user can specify the update check interval. Prevent changing the URL for checking updates to Internet Explorer and Internet Tools This policy setting prevents the user from changing the default URL for checking updates to Internet Explorer and Internet Tools. If you enable this policy setting, the user cannot change the URL that is displayed for checking updates to Internet Explorer and Internet Tools. You must specify this URL. If you disable or do not configure this policy setting, the user can change the URL that is displayed for checking updates to Internet Explorer and Internet Tools. Prevent configuration of search on Address bar This policy setting specifies whether the user can conduct a search on the Address bar. If you enable this policy setting, you must specify which of the following actions applies to searches on the Address bar. The user cannot change the specified action. • Do not search from the Address bar: The user cannot use the Address bar for searches. The user can still perform searches on the Search bar by clicking the Search button. • Display the results in the main window: When the user searches on the Address bar, the list of search results is displayed in the main window. If you disable or do not configure this policy setting, the user can specify what action applies to searches on the Address bar. Always encode query strings in UTF-8 Encode query strings in UTF-8 only in Intranet URLs Never encode query strings in UTF-8 Encode query strings in UTF-8 only in non-Intranet URLs Disable top result search Enable top result search Prevent configuration of top-result search on Address bar This policy setting allows you to specify whether a user can browse to the website of a top result when search is enabled on the Address bar. The possible options are: • Disable top result search: When a user performs a search in the Address bar, a list of search results from the selected search provider is displayed in the main window. • Enable top result search: When a user performs a search in the Address bar, the user is directed to an external top result website determined by the search provider, if available. If you enable this policy setting, you can choose where to direct the user after a search on the Address bar: a top-result website or a search-results webpage in the main window. If you disable or do not configure this policy setting, the user can select their preference for this behavior. Browsing to the top-result website is the default. Go directly to home page Turn on the hover color option This policy setting makes hyperlinks change color when the mouse pointer pauses on them. If you enable this policy setting, the hover color option is turned on. The user cannot turn it off. If you disable this policy setting, the hover color option is turned off. The user cannot turn it on. If you do not configure this policy setting, the user can turn on or turn off the hover color option. Make proxy settings per-machine (rather than per-user) Go directly to "Welcome To IE" page Prevent the use of Windows colors This policy setting prevents the user from using Windows colors as a part of the display settings. If you enable this policy setting, Windows colors are turned off. The user cannot turn them on. If you disable this policy setting, Windows colors are turned on. The user cannot turn them off. If you do not configure this policy setting, the user can turn on or turn off Windows colors for display. Turn off sending URL path as UTF-8 This policy setting specifies whether to use 8-bit Unicode Transformation Format (UTF-8), a standard that defines characters so they are readable in any language. By using UTF-8, you can exchange Internet addresses (URLs) that contain characters from any language. If you enable this policy setting, Internet Explorer does not allow sending the path portion of URLs as UTF-8. The user cannot change this policy setting. If you disable this policy setting, Internet Explorer allows sending the path portion of URLs as UTF-8. The user cannot change this policy setting. If you do not configure this policy setting, the user can allow or prevent the sending of the path portion of URLs as UTF-8. View menu: Disable Full Screen menu option View menu: Disable Source menu option Turn off Developer Tools Turn off Favorites bar Turn off Tab Grouping Turn off Data URI support Turn off Data Execution Prevention This policy setting allows you to manage whether the user can access Developer Tools in Internet Explorer. If you enable this policy setting, the user cannot access Developer Tools. If you disable or do not configure this policy setting, the user can access Developer Tools. Do not display the reveal password button This policy setting allows you to hide the reveal password button when Internet Explorer prompts users for a password. The reveal password button is displayed during password entry. When the user clicks the button, the current password value is visible until the mouse button is released (or until the tap ends). If you enable this policy setting, the reveal password button will be hidden for all password fields. Users and developers will not be able to depend on the reveal password button being displayed in any web form or web application. If you disable or do not configure this policy setting, the reveal password button can be shown by the application as a user types in a password. The reveal password button is visible by default. On at least Windows 8, if the "Do not display the reveal password button" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Credential User Interface is enabled for the system, it will override this policy setting. This policy setting allows you to manage whether a user has access to the Favorites bar in Internet Explorer. If you enable this policy setting, the Favorites bar is turned off. If you disable this policy setting, the Favorites bar is turned on. If you do not configure this policy setting, the user can turn on or turn off the Favorites bar. This policy setting allows you to manage whether the user has access to Tab Grouping in Internet Explorer. If you enable this policy setting, Tab Grouping is turned off. If you disable this policy setting, Tab Grouping is turned on. If you do not configure this policy setting, the user can turn on or turn off Tab Grouping. This policy setting allows you to turn off the Data Execution Prevention feature for Internet Explorer on Windows Server 2008, Windows Vista with SP1, and Windows XP with SP3. If you enable this policy setting, Internet Explorer does not turn on Data Execution Prevention on platforms that support the SetProcessDEPPolicy function. If you disable or do not configure this policy setting, Internet Explorer uses the SetProcessDEPPolicy function to turn on Data Execution Prevention on platforms that support the function. This policy setting has no effect if Windows has been configured to enable Data Execution Prevention. This policy setting allows you to turn on or turn off Data URI support. A Data URI allows web developers to encapsulate images and .css files within the body of the URL and optionally encode them by using base 64 encoding. Malware filters or other network-based filters may not properly filter encapsulated data. If you enable this policy setting, Data URI support is turned off. Without Data URI support, a Data URI will be interpreted as a failed URL. If you disable this policy setting, Data URI support is turned on. If you do not configure this policy setting, Data URI support can be turned on or off through the registry. Prevent deleting cookies Prevent deleting websites that the user has visited Prevent deleting download history Prevent deleting temporary Internet files Prevent deleting InPrivate Filtering data Prevent deleting ActiveX Filtering, Tracking Protection, and Do Not Track data Prevent deleting favorites site data Allow deleting browsing history on exit Delete Browsing History Turn off Automatic Crash Recovery Change the maximum number of connections per host (HTTP 1.1) Maximum number of connections per server (HTTP 1.0) Turn off cross-document messaging Turn off the XDomainRequest object Turn off the WebSocket Object Set the maximum number of WebSocket connections per server The WebSocket object allows websites to request data across domains from your browser by using the WebSocket protocol. This policy setting allows administrators to enable or disable the WebSocket object. This policy setting does not prevent client-side communication across domains via other features in Internet Explorer 10. Also, this policy setting does not prevent a site from requesting cross-domain data through a server. If you enable this policy setting, websites cannot request data across domains by using the WebSocket object. If you disable or do not configure this policy setting, websites can request data across domains by using the WebSocket object. By default, the WebSocket object is enabled. This policy setting allows you to change the default limit of WebSocket connections per server. The default limit is 6; you can select a value from 2 through 128. If you enable this policy setting, Internet Explorer uses the WebSocket connection limit that you set with this policy setting. If you disable or do not configure this policy setting, Internet Explorer uses the default limit of 6 WebSocket connections per server. Prevent bypassing SmartScreen Filter warnings Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet This policy setting prevents the user from deleting cookies. This feature is available in the Delete Browsing History dialog box. If you enable this policy setting, cookies are preserved when the user clicks Delete. If you disable this policy setting, cookies are deleted when the user clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve cookies when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in the Delete Browsing History dialog box. If you enable this policy setting, websites that the user has visited are preserved when he or she clicks Delete. If you disable this policy setting, websites that the user has visited are deleted when he or she clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve visited websites when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. This policy setting prevents the user from deleting temporary Internet files. This feature is available in the Delete Browsing History dialog box. If you enable this policy setting, temporary Internet files are preserved when the user clicks Delete. If you disable this policy setting, temporary Internet files are deleted when the user clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve temporary Internet files when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. This policy setting prevents the user from deleting InPrivate Filtering data. Internet Explorer collects InPrivate Filtering data during browser sessions other than InPrivate Browsing sessions to determine which third-party items should be blocked when InPrivate Filtering is enabled. This feature is available in the Delete Browsing History dialog box. If you enable this policy setting, InPrivate Filtering data is preserved when the user clicks Delete. If you disable this policy setting, InPrivate Filtering data is deleted when the user clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve InPrivate Filtering data when he or she clicks Delete. In Internet Explorer 9 and Internet Explorer 10: This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the Personalized Tracking Protection List, which blocks third-party items while the user is browsing. With at least Internet Explorer 11: This policy setting prevents users from deleting ActiveX Filtering data, Tracking Protection data, and Do Not Track exceptions stored for visited websites. This feature is available in the Delete Browsing History dialog box. If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks Delete. If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks Delete. If you don't configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking Delete. This policy setting prevents the user from deleting favorites site data. This feature is available in the Delete Browsing History dialog box. If you enable this policy setting, favorites site data is preserved when the user clicks Delete. If you disable this policy setting, favorites site data is deleted when the user clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve favorites site data when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect. This policy setting prevents the user from deleting his or her download history. This feature is available in the Delete Browsing History dialog box. If you enable this policy setting, download history is preserved when the user clicks Delete. If you disable this policy setting, download history is deleted when the user clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve download history when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files, cookies, history, form data, and passwords) are applied, and those items are deleted. If you enable this policy setting, deleting browsing history on exit is turned on. If you disable this policy setting, deleting browsing history on exit is turned off. If you do not configure this policy setting, it can be configured on the General tab in Internet Options. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect. This policy setting turns off Automatic Crash Recovery. If you enable this policy setting, Automatic Crash Recovery does not prompt the user to recover his or her data after a program stops responding. If you disable or do not configure this policy setting, Automatic Crash Recovery prompts the user to recover his or her data after a program stops responding. This policy setting allows you to change the default connection limit for HTTP 1.1 from 6 connections per host to a limit of your choice (from 2 through 128). If you enable this policy setting, Internet Explorer uses the connection limit of your choice for HTTP 1.1. If you disable or do not configure this policy setting, Internet Explorer uses the default connection limit for HTTP 1.1 (6 connections per host). In versions of Internet Explorer before Internet Explorer 8, the default connection limit for HTTP 1.1 was 2. This policy setting allows you to change the default connection limit for HTTP 1.0 from 6 connections per host to a limit of your choice (from 2 through 128). If you disable or do not configure this policy setting, Internet Explorer will use the default connection limit for HTTP 1.0 (6 connections per host). In versions of Internet Explorer prior to Internet Explorer 8, the default connection limit for HTTP 1.0 was 4. This policy setting allows you to manage whether documents can request data across third-party domains embedded in the page. If you enable this policy setting, documents cannot request data across third-party domains embedded in the page. If you disable or do not configure this policy setting, documents can request data across third-party domains embedded in the page. This policy setting allows you to choose whether websites can request data across domains by using the XDomainRequest object. Note that this policy setting does not block client-side communication across domains through other features in Internet Explorer 8, and it does not prevent a site from requesting cross-domain data through a server. If you enable this policy setting, websites cannot request data across domains by using the XDomainRequest object. If you disable or do not configure this policy setting, websites can request data across domains by using the XDomainRequest object. This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. If you enable this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. If you enable this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. Turn on Caret Browsing support Turn on Enhanced Protected Mode Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled Use HTTP 1.1 Use HTTP 1.1 through proxy connections Allow Internet Explorer to use the SPDY/3 network protocol Allow fallback to SSL 3.0 (Internet Explorer) Non-Protected Mode Sites All Sites No Sites Turn off encryption support Turn off Print Menu Turn off the flip ahead with page prediction feature Turn off loading websites and content in the background to optimize performance Always send Do Not Track header Show Content Advisor on Internet Options This policy setting allows you to turn Caret Browsing on or off. Caret Browsing allows users to browse to a webpage by using the keyboard to move the cursor. Caret Browsing supports standard text-editor functionality, such as using the Shift key to select text and copying a selection to the clipboard. This policy setting is particularly useful to users who do not use a mouse. If you enable this policy setting, Caret Browsing is turned on. If you disable this policy setting, Caret Browsing is turned off. If you do not configure this policy setting, Caret Browsing support can be turned on or off through the registry. Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista. If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used. If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default. This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website. If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode. If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior. This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1. If you enable this policy setting, Internet Explorer uses HTTP 1.1. If you disable this policy setting, Internet Explorer does not use HTTP 1.1. If you do not configure this policy setting, users can configure Internet Explorer to use or not use HTTP 1.1. This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1 through proxy connections. If you enable this policy setting, Internet Explorer uses HTTP 1.1 through proxy connections. If you disable this policy setting, Internet Explorer does not use HTTP 1.1 through proxy connections. If you do not configure this policy setting, users can configure Internet Explorer to use or not use HTTP 1.1 through proxy connections. This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization. If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol. If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol. If you don't configure this policy setting, users can turn this behavior on or off, using Internet Explorer Advanced Internet Options settings. The default is on. This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. We recommend that you do not allow insecure fallback in order to prevent a man-in-the-middle attack. This policy does not affect which security protocols are enabled. If you disable this policy, system defaults will be used. This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match. If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list. If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. Note: SSL 2.0 is off by default. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. This policy setting allows you to manage whether users can access the Print menu. Starting with Windows 8, this policy setting also allows you to manage whether users can access the Print flyout for Internet Explorer and any printers under the Devices charm. If you enable this policy setting, the Print menu in Internet Explorer will not be available. Starting with Windows 8, the Print flyout for Internet Explorer will not be available, and users will not see printers under the Devices charm. If you disable or do not configure this policy setting, the Print menu in Internet Explorer will be available. Starting with Windows 8, the Print flyout for Internet Explorer will be available, and users will see installed printers under the Devices charm. This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop. If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background. If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background. If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view. If you enable this policy setting, Internet Explorer doesn't load any websites or content in the background. If you disable this policy setting, Internet Explorer preemptively loads websites and content in the background. If you don't configure this policy setting, users can turn this behavior on or off, using Internet Explorer settings. This feature is turned on by default This policy setting allows you to configure how Internet Explorer sends the Do Not Track (DNT) header. If you enable this policy setting, Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests. The DNT:1 header signals to the servers not to track the user. For Internet Explorer 9 and 10: If you disable this policy setting, Internet Explorer only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used. For at least Internet Explorer 11: If you disable this policy setting, Internet Explorer only sends the Do Not Track header if inPrivate Browsing mode is used. If you don't configure the policy setting, users can select the Always send Do Not Track header option, in Internet Explorer settings. By selecting this option, Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests; unless the user grants a site-specific exception. Internet Explorer sends a DNT:0 header to any sites granted an exception. By default, this option is turned on. This policy setting shows the Content Advisor setting on the Content tab of the Internet Options dialog box. If you enable this policy setting, Internet Explorer displays the Content Advisor setting on the Content tab of the Internet Options dialog box. Users can change Content Advisor settings. If you disable or do not configure this policy setting, Internet Explorer does not display the Content Advisor setting on the Content tab of the Internet Options dialog box. Use no secure protocols Only use SSL 2.0 Only use SSL 3.0 Use SSL 2.0 and SSL 3.0 Only use TLS 1.0 Use SSL 2.0 and TLS 1.0 Use SSL 3.0 and TLS 1.0 Use SSL 2.0, SSL 3.0, and TLS 1.0 Only use TLS 1.1 Use SSL 2.0 and TLS 1.1 Use SSL 3.0 and TLS 1.1 Use SSL 2.0, SSL 3.0, and TLS 1.1 Use TLS 1.0 and TLS 1.1 Use SSL 2.0, TLS 1.0, and TLS 1.1 Use SSL 3.0, TLS 1.0, and TLS 1.1 Use SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 Only use TLS 1.2 Use SSL 2.0 and TLS 1.2 Use SSL 3.0 and TLS 1.2 Use SSL 2.0, SSL 3.0, and TLS 1.2 Use TLS 1.0 and TLS 1.2 Use SSL 2.0, TLS 1.0, and TLS 1.2 Use SSL 3.0, TLS 1.0, and TLS 1.2 Use SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.2 Use TLS 1.1 and TLS 1.2 Use SSL 2.0, TLS 1.1, and TLS 1.2 Use SSL 3.0, TLS 1.1, and TLS 1.2 Use SSL 2.0, SSL 3.0, TLS 1.1, and TLS 1.2 Use TLS 1.0, TLS 1.1, and TLS 1.2 Use SSL 2.0, TLS 1.0, TLS 1.1, and TLS 1.2 Use SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 Use SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 Lock all toolbars Lock location of Stop and Refresh buttons about:blank New tab page Home page New tab page with my news feed Specify default behavior for a new tab Disable changing secondary home page settings Customize command labels Set tab process growth Allow Internet Explorer 8 shutdown behavior Use large icons for command buttons Display tabs on a separate row Show only icons Show selective text Show all text labels Hide the Command bar Hide the status bar This policy setting allows you to show or hide the Command bar. If you enable this policy setting, the Command bar is hidden and the user cannot choose to show it. If you disable this policy setting, the Command bar is shown and the user cannot choose to hide it. If you do not configure this policy setting, the Command bar is shown by default, and the user can choose to hide it. This policy setting allows you to show or hide the status bar. If you enable this policy setting, the status bar is hidden and the user cannot choose to show it. If you disable this policy setting, the status bar is shown and the user cannot choose to hide it. If you do not configure this policy setting, the status bar is shown by default, and the user can choose to hide it. This policy setting allows you to lock or unlock the toolbars on the user interface. If you enable this policy setting, the toolbars are locked and the user cannot move them. If you disable this policy setting, the toolbars are unlocked and the user can move them. If you do not configure this policy setting, the toolbars are locked by default, but the user can unlock them through the shortcut menu of the Command bar. This policy setting allows you to lock the Stop and Refresh buttons next to the Back and Forward buttons. If you enable this policy setting, the Stop and Refresh buttons are next to the Forward and Back buttons, and the user cannot move them. If you disable this policy setting, the Stop and Refresh buttons are next to the Address bar, and the user cannot move them. If you do not configure this policy setting, the Stop and Refresh buttons are next to the Address bar by default, and the user can choose to move them. This policy setting allows you to specify what is displayed when the user opens a new tab. If you enable this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page, the new tab page or the new tab page with my news feed. If you disable or do not configure this policy setting, the user can select his or her preference for this behavior. Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages. If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages. If you disable or do not configure this policy setting, the user can add secondary home pages. Note: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. This policy setting allows you to choose among three different labels for command buttons: show all text labels, show selective text, or show only icons. If you enable this policy setting, command buttons are displayed according to which one of the following options you choose, and the user cannot change how command buttons are displayed: Show all text labels: All command buttons have only text. Show selective text: Some command buttons have only text; some have icons and text. Show only icons: All command buttons have only icons. If you disable or do not configure this policy setting, the command buttons show selective text by default, and the user can change this. This policy setting allows you to set the rate at which Internet Explorer creates new tab processes. There are two algorithms that Internet Explorer uses. The default algorithm has four settings: low, medium, high, or default. Low creates very few tab processes; medium creates a moderate amount of tab processes; and high allows the tab process to grow very quickly and is intended only for computers that have ample physical memory. The default setting creates the optimal number of tab processes based on the operating system and amount of physical memory. We recommend the default setting. The second algorithm must be explicitly enabled through the creation of an integer setting. In this case, each Internet Explorer isolation setting will quickly grow to use the specified integer number of tab processes, regardless of the physical memory on the computer or how many Internet Explorer isolation settings are running. If you enable this policy setting, you set the rate at which Internet Explorer creates new tab processes to low, medium, or high, or to an integer. If you disable or do not configure this policy setting, the tab process growth is set to the default. The user can change this value by using the registry key. Note: On Terminal Server, the default value is the integer “1”. This policy setting allows you to revert to the Internet Explorer 8 behavior of allowing OnUnLoad script handlers to display UI during shutdown. This policy setting may be needed to fix compatibility problems with particular web applications. If you enable this policy setting, OnUnLoad script handlers display UI during shutdown. If you disable or do not configure this policy setting, OnUnLoad script handlers do not display UI during shutdown (default behavior in Internet Explorer 9). This policy setting allows you increase the size of icons for command buttons. If you enable this policy setting, icons for command buttons are 20 x 20 pixels and cannot be made smaller (16 x 16 pixels). If you disable this policy setting, icons for command buttons are 16 x 16 pixels (the default) and cannot be made bigger (20 x 20 pixels). If you do not configure this policy setting, icons for command buttons are 16 x 16 pixels, and the user can make them bigger (20 x 20 pixels). This policy setting allows you to manage where tabs are displayed. If you enable this policy setting, tabs are displayed on a separate row. If you disable this policy setting, tabs are not displayed on a separate row. If you do not configure this policy setting, the user can change where tabs are displayed. Turn off suggestions for all user-installed providers Turn off the quick pick menu This policy setting allows you to turn off suggestions for all user-installed search providers. If you enable this policy setting, the user cannot view suggestions for user-installed search providers. If you disable or do not configure this policy setting, the user can choose to view suggestions for all user-installed search providers that offer suggestions. This policy setting allows you to prevent the quick pick menu from appearing when a user clicks in the Search box. If you enable this policy setting, when a user clicks in the Search box, the quick pick menu does not appear until the user starts typing. If you disable or do not configure this policy setting, when a user clicks in the Search box, the quick pick menu appears. Turn off ActiveX Opt-In prompt Prevent per-user installation of ActiveX controls Specify use of ActiveX Installer Service for installation of ActiveX controls Turn on Suggested Sites This policy setting allows you to turn off the ActiveX Opt-In prompt. ActiveX Opt-In prevents websites from loading any ActiveX control without prior approval. If a website attempts to load an ActiveX control that Internet Explorer has not used before, a Notification bar will appear, asking the user for approval. If you enable this policy setting, the ActiveX Opt-In prompt does not appear. Internet Explorer does not ask the user for permission to load an ActiveX control, and Internet Explorer loads the control if it passes all other internal security checks. If you disable or do not configure this policy setting, the ActiveX Opt-In prompt appears. This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis. This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. This policy setting controls the Suggested Sites feature, which recommends websites based on the user’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft to suggest sites that the user might want to visit. If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user’s browsing history is sent to Microsoft to produce suggestions. If you disable this policy setting, the entry points and functionality associated with this feature are turned off. If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. Privacy Turn off InPrivate Browsing This policy setting allows you to turn off the InPrivate Browsing feature. InPrivate Browsing prevents Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other data. If you enable this policy setting, InPrivate Browsing is turned off. If you disable this policy setting, InPrivate Browsing is available for use. If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry. Prevent the computer from loading toolbars and Browser Helper Objects when InPrivate Browsing starts This policy setting allows you to choose whether or not toolbars and Browser Helper Objects (BHOs) are loaded by default during an InPrivate Browsing session. Toolbars and BHOs may store data about a user's browsing session. By default, the computer does not load them when InPrivate Browsing starts. If you enable this policy setting, toolbars and BHOs are not loaded by default during an InPrivate Browsing session. If you disable this policy setting, toolbars and BHOs are loaded by default during an InPrivate Browsing session. If you do not configure this policy setting, it can be configured on the Privacy tab in Internet Options. Turn off collection of InPrivate Filtering data This policy setting allows you to turn off the collection of data used by the InPrivate Filtering Automatic mode. The data consists of the URLs of third-party content, along with data about the first-party websites that referenced it. It is collected during non-InPrivate (normal) browsing sessions. If you enable this policy setting, InPrivate Filtering data collection is turned off. If you disable this policy setting, InPrivate Filtering collection is turned on. If you do not configure this policy setting, InPrivate Filtering data collection can be turned on or off on the Privacy tab in Internet Options. Establish InPrivate Filtering threshold This policy setting allows you to establish the threshold for InPrivate Filtering Automatic mode. The threshold sets the number of first-party sites that a particular third-party item can be referenced from before it is blocked. Setting this value lower can help prevent more third-party sites from obtaining details about a user's browsing. However, doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30. If you enable this policy setting, the selected value is enforced. If you disable or do not configure this policy setting, the user can establish the InPrivate Filtering threshold by clicking the Safety button and then clicking InPrivate Filtering. Establish Tracking Protection threshold This policy setting allows you to establish the threshold for Tracking Protection Automatic mode. The threshold sets the number of first-party sites that a particular third-party item can be referenced from before it is blocked. Setting this value lower can help prevent more third-party sites from obtaining details about a user's browsing. However, doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30. If you enable this policy setting, the selected value is enforced. If you disable or do not configure this policy setting, the user can establish the Tracking Protection threshold by clicking the Safety button and then clicking Tracking Protection. Turn off InPrivate Filtering This policy setting allows you to turn off InPrivate Filtering. InPrivate Filtering helps users control whether third parties can automatically collect information about their browsing based on the sites that they visit. InPrivate Filtering does this by identifying third-party content that is used by multiple websites that users have visited. If you enable this policy setting, InPrivate Filtering is turned off in all browsing sessions, and InPrivate Filtering data is not collected. If you disable this policy setting, InPrivate Filtering is available for use. If you do not configure this policy setting, it can be configured through the registry. Turn off Tracking Protection This policy setting allows you to turn off Tracking Protection. Tracking Protection helps users control whether third parties can automatically collect information about their browsing based on the sites that they visit. Tracking Protection does this by identifying third-party content that is used by multiple websites that users have visited. If you enable this policy setting, Tracking Protection is disabled in all browsing sessions, and Tracking Protection data is not collected. If you disable this policy setting, Tracking Protection is available for use. If you do not configure this policy setting, it can be configured through the registry. Accelerators Add non-default Accelerators Add default Accelerators This policy setting allows you to add non-default Accelerators. If you enable this policy setting, the specified Accelerators are added to the user's browser. The user can append other Accelerators to this list, but the user cannot remove or change the Accelerators that this policy setting has added. Default and non-default Accelerators should not overlap. If you disable or do not configure this policy setting, the user has Accelerators that are provided through first use of the browser. This policy setting allows you to add default Accelerators. If you enable this policy setting, the specified Accelerators are added to the user's browser. The user can append other Accelerators to this list, but the user cannot remove or change the Accelerators that this policy setting has added. Default and non-default Accelerators should not overlap. If you disable or do not configure this policy setting, the user has Accelerators that are provided through first use of the browser. This policy setting allows you to manage whether users can access Accelerators. If you enable this policy setting, users cannot access Accelerators. If you disable or do not configure this policy setting, users can access Accelerators and install new Accelerators. This policy setting restricts the list of Accelerators that the user can access to only the set deployed through Group Policy. If you enable this policy setting, the user can access only Accelerators that are deployed through Group Policy. The user cannot add or delete Accelerators. If you disable or do not configure this policy setting, the user can access any Accelerators that he or she has installed. Turn off Accelerators Restrict Accelerators to those deployed through Group Policy Compatibility View Turn on Internet Explorer 7 Standards Mode Turn off Compatibility View Turn on Internet Explorer Standards Mode for local intranet Turn off Compatibility View button Use Policy List of Internet Explorer 7 sites Use Policy List of Quirks Mode sites Include updated website lists from Microsoft This policy setting allows you to turn on Internet Explorer 7 Standards Mode. Compatibility View determines how Internet Explorer identifies itself to a web server and determines whether content is rendered in Internet Explorer 7 Standards Mode or the Standards Mode available in the latest version of Internet Explorer. If you enable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended). Additionally, all Standards Mode webpages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. If you disable this policy setting, Internet Explorer uses a current user agent string. Additionally, all Standards Mode webpages appear in the Standards Mode available in the latest version of Internet Explorer. This option matches the default behavior of Internet Explorer. If you do not configure this policy setting, the user can turn on and turn off Internet Explorer 7 Standards Mode. This policy setting controls the Compatibility View feature, which allows the user to fix website display problems that he or she may encounter while browsing. If you enable this policy setting, the user cannot use the Compatibility View button or manage the Compatibility View sites list. If you disable or do not configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list. This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box. If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. This policy setting controls the Compatibility View button that appears on the Command bar. This button allows the user to fix website display problems that he or she may encounter while browsing. If you enable this policy setting, the user cannot use the Compatibility View button. If you disable or do not configure this policy setting, the user can use the Compatibility View button. This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View. If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify. If you disable or do not configure this policy setting, the user can add and remove sites from the list. Compatibility View determines how Internet Explorer identifies itself to a web server and determines whether content is rendered in Quirks Mode or the Standards Mode available in the latest version of Internet Explorer. If you enable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended). Additionally, webpages included in this list appear in Quirks Mode. Turn on certificate address mismatch warning This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. If you enable this policy setting, the certificate address mismatch warning always appears. If you disable or do not configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel). This policy controls the website compatibility lists that Microsoft provides. The updated website lists are available on Windows Update. If you enable this policy setting, the Microsoft-provided website lists are used during browser navigation. If a user visits a site on the compatibility lists, the pages are automatically displayed in Compatibility View. If you disable this policy setting, the Microsoft-provided website lists are not used. Additionally, the user cannot activate the feature by using the Compatibility View Settings dialog box. If you do not configure this policy setting, the Microsoft-provided website lists are not active. The user can activate the feature by using the Compatibility View Settings dialog box. Turn off Reopen Last Browsing Session This policy setting allows you to manage whether a user has access to the Reopen Last Browsing Session feature in Internet Explorer. If you enable this policy setting, the user cannot use the Reopen Last Browsing Session feature. If you disable or do not configure this policy setting, the user can use the Reopen Last Browsing Session feature. Turn off ability to pin sites in Internet Explorer on the desktop This policy setting allows you to manage whether users can pin sites to locations where pinning is allowed, such as the taskbar, the desktop, or File Explorer. If you enable this policy setting, users cannot pin sites. If you disable or do not configure this policy setting, users can pin sites. Let users turn on and use Enterprise Mode from the Tools menu This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu. If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports. If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. Send all sites not included in the Enterprise Mode Site List to Microsoft Edge. This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode Site List. Enabling this setting automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge. Disabling, or not configuring this setting, opens all sites based on the currently active browser. Note: If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. Show message when opening sites in Microsoft Edge using Enterprise Mode This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode. If you enable this setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode. If you disable or don't configure this setting, the default app behavior occurs and no additional page appears. Configure which channel of Microsoft Edge to use for opening redirected sites Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen versions are not installed on the device, that preference will be bypassed. If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur: - If you disable or don't configure this policy, Microsoft Edge Stable channel is used. This is the default behavior. - If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: 1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Microsoft Edge Dev version 77 or later 4 = Microsoft Edge Canary version 77 or later If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed, the following behaviors occur: - If you disable or don't configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior. - If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: 0 = Microsoft Edge version 45 or earlier 1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Microsoft Edge Dev version 77 or later 4 = Microsoft Edge Canary version 77 or later *For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see https://go.microsoft.com/fwlink/?linkid=2102115. This update applies only to Windows 10 version 1709 and higher. Microsoft Edge Stable Microsoft Edge Beta version 77 or later Microsoft Edge Dev version 77 or later Microsoft Edge Canary version 77 or later Microsoft Edge version 45 or earlier Keep all intranet sites in Internet Explorer Prevents intranet sites from being opened in any browser except Internet Explorer. But note that If the ‘Send all sites not included in the Enterprise Mode Site List to Microsoft Edge’ (‘RestrictIE’) policy isn’t enabled, this policy has no effect. If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List. If you disable or don’t configure this policy, all intranet sites are automatically opened in Microsoft Edge. We strongly recommend keeping this policy in sync with the ‘Send all intranet sites to Internet Explorer’ (‘SendIntranetToInternetExplorer’) policy. Additionally, it’s best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge. Related policies: - Send all intranet sites to Internet Explorer (‘SendIntranetToInternetExplorer’) - Send all sites not included in the Enterprise Mode Site List to Microsoft Edge (‘RestrictIE’) For more info about how to use this policy together with other related policies to create the optimal configuration for your organization, see https://go.microsoft.com/fwlink/?linkid=2094210. Allow "Save Target As" in Internet Explorer mode This policy setting allows admins to enable "Save Target As" context menu in Internet Explorer mode. If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer. If you disable or do not configure this policy setting, "Save Target As" will not show up in the Internet Explorer mode context menu. For more information, see https://go.microsoft.com/fwlink/?linkid=2102115 Disable Internet Explorer 11 as a standalone browser This policy lets you restrict launching of Internet Explorer as a standalone browser. If you enable this policy, it: - Prevents Internet Explorer 11 from launching as a standalone browser. - Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'. - Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser. - Overrides any other policies that redirect to Internet Explorer 11. If you disable, or don’t configure this policy, all sites are opened using the current active browser settings. Note: Microsoft Edge Stable Channel must be installed for this policy to take effect. Never Always Once per user Turn off blocking of outdated ActiveX controls for Internet Explorer This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls. If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. Turn on ActiveX control logging in Internet Explorer This policy setting determines whether Internet Explorer saves log information for ActiveX controls. If you enable this policy setting, Internet Explorer logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file. If you disable or don't configure this policy setting, Internet Explorer won't log ActiveX control information. Note that you can turn this policy setting on or off regardless of the "Turn off blocking of outdated ActiveX controls for Internet Explorer" or "Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains" policy settings. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: 1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" 2. "hostname". For example, if you want to include http://example, use "example" 3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. Remove "Run this time" button for outdated ActiveX controls in Internet Explorer This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. Use the Enterprise Mode IE website list This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list. If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE. If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. General Page Browsing History Set default storage limits for websites This policy setting sets data storage limits for indexed database and application caches for individual websites. When you set this policy setting, you provide the cache limit, in MB. If you enable this policy setting, Internet Explorer displays a notification when a website exceeds the configured storage limit. If you disable or do not configure this policy setting, users can set default data storage limits for indexed databases and application caches. Allow websites to store indexed databases on client computers This policy setting allows websites to store indexed database cache information on client computers. If you enable this policy setting, websites will be able to store an indexed database on client computers. Allow website database and caches on Website Data Settings will be unavailable to users. If you disable this policy setting, websites will not be able to store an indexed database on client computers. Allow website database and caches on Website Data Settings will be unavailable to users. If you do not configure this policy setting, websites will be able to store an indexed database on client computers. Allow website database and caches on Website Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computers. Set indexed database storage limits for individual domains This policy setting sets data storage limits for indexed databases of websites that have been allowed to exceed their storage limit. The “Set default storage limits for websites” policy setting sets the data storage limits for indexed databases. If a domain exceeds the indexed database storage limit for an individual domain, Internet Explorer sends an error to the website. No notification is sent to the user. This group policy sets the maximum data storage limit for domains that are trusted by users. When you set this policy setting, you provide the cache limit, in MB. The default is 500 MB. If you enable this policy setting, Internet Explorer will allow trusted domains to store additional data in indexed databases, up to the limit set in this group policy. If you disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all indexed databases. The default is 500 MB. Set maximum indexed database storage limit for all domains This policy setting sets the data storage limit for all combined indexed databases for a user. When you set this policy setting, you provide the storage limit in MB. When the limit is reached, Internet Explorer notifies the user, and the user must delete indexed databases before an updated database can be saved on their computer. The default maximum storage limit for all indexed databases is 4 GB. If you enable this policy setting, you can set the maximum storage limit for all indexed databases. The default is 4 GB. If you disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all indexed databases. The default is 4 GB. Allow websites to store application caches on client computers This policy setting allows websites to store file resources in application caches on client computers. If you enable this policy setting, websites will be able to store application caches on client computers. Allow website database and caches on Website Data Settings will be unavailable to users. If you disable this policy setting, websites will not be able to store application caches on client computers. Allow website database and caches on Website Data Settings will be unavailable to users. If you do not configure this policy setting, websites will be able to store application caches on client computers. Allow website database and caches on Website Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computers. Set application cache storage limits for individual domains This policy setting sets file storage limits for application caches of websites that have been allowed to exceed their storage limit. The “Set default storage limits for websites” policy setting sets the data storage limits for application caches. If a domain exceeds the application cache storage limit for an individual domain, Internet Explorer sends an error to the website. No notification will be displayed to the user. This group policy sets the maximum file storage limit for domains that are trusted by users. When you set this policy setting, you provide the cache limit, in MB. The default is 50 MB. If you enable this policy setting, Internet Explorer will allow trusted domains to store additional files in application caches, up to the limit set in this policy setting. If you disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all application caches. The default is 50 MB. Set maximum application caches storage limit for all domains This policy setting sets the file storage limit for all combined application caches for a user. When you set this policy setting, you provide the storage limit in MB. When the limit is reached, Internet Explorer notifies the user, and the user must delete application caches before an updated one can be saved on their computer. The default maximum storage limit for all application caches is 1 GB. If you enable this policy setting, you can set the maximum storage limit for all application caches. The default is 1 GB. If you disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all application caches. The default is 1 GB. Set application caches expiration time limit for individual domains This policy setting sets the number of days an inactive application cache will exist before it is removed. If the application cache is used before the expiration time limit, it will not be automatically removed. When you set this policy setting, you provide the expiration time limit in days. If you enable this policy setting, Internet Explorer will remove application caches that haven't been used within the timeframe set in this policy setting. If you disable or do not configure this policy setting, Internet Explorer will use the default application cache expiration time limit for all application caches. The default is 30 days. Set maximum application cache resource list size This policy setting sets the maximum number of resource entries that can be specified in a manifest file associated with an application cache. If the manifest associated with an application cache exceeds the number of resources allowed, including the page that referenced the manifest, Internet Explorer sends an error to the website. No notification will be displayed to the user. When you set this policy setting, you provide the resource limit as a number. The default is 1000 resources. If you enable this policy setting, Internet Explorer will allow the creation of application caches whose manifest file contains the number of resources, including the page that referenced the manifest, that are less than or equal to the limit set in this policy setting. If you disable or do not configure this policy setting, Internet Explorer will use the default maximum application cache resource list size for all application caches. The default is 1000 resources. Set maximum application cache individual resource size This policy setting sets the maximum size for an individual resource file contained in a manifest file. The manifest file is used to create the application cache. If any file in the manifest exceeds the allowed size, Internet Explorer sends an error to the website. No notification will be displayed to the user. When you set this policy setting, you provide the resource size limit, in MB. The default is 50 MB. If you enable this policy setting, Internet Explorer will allow the creation of application caches whose individual manifest file entries are less than or equal to the size set in this policy setting. If you disable or do not configure this policy setting, Internet Explorer will use the default application cache individual resource size for all application caches resources. The default is 50 MB. Start Internet Explorer with tabs from last browsing session This policy setting configures what Internet Explorer displays when a new browsing session is started. By default, Internet Explorer displays the home page. In Internet Explorer 10, Internet Explorer can start a new browsing session with the tabs from the last browsing session. If you enable this policy setting, Internet Explorer starts a new browsing session with the tabs from the last browsing session. Users cannot change this option to start with the home page. If you disable this policy setting, Internet Explorer starts a new browsing session with the home page. Users cannot change this option to start with the tabs from the last browsing session. If you do not configure this policy setting, Internet Explorer starts with the home page. Users can change this option to start with the tabs from the last session. Open Internet Explorer tiles on the desktop This policy setting configures Internet Explorer to open Internet Explorer tiles on the desktop. If you enable this policy setting, Internet Explorer opens tiles only on the desktop. If you disable this policy setting, Internet Explorer does not open tiles on the desktop. If you do not configure this policy, users can choose how Internet Explorer tiles are opened. Set how links are opened in Internet Explorer This policy setting allows you to choose how links are opened in Internet Explorer: Let Internet Explorer decide, always in Internet Explorer, or always in Internet Explorer on the desktop. If you enable this policy setting, Internet Explorer enforces your choice. Users cannot change the setting. If you disable or do not configure this policy setting, users can choose how links are opened in Internet Explorer. Always in Internet Explorer on the desktop Always in Internet Explorer Let Internet Explorer decide Install new versions of Internet Explorer automatically This policy setting configures Internet Explorer to automatically install new versions of Internet Explorer when they are available. If you enable this policy setting, automatic upgrade of Internet Explorer will be turned on. If you disable this policy setting, automatic upgrade of Internet Explorer will be turned off. If you do not configure this policy, users can turn on or turn off automatic updates from the About Internet Explorer dialog. Turn off phone number detection This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system. If you enable this policy setting, phone number detection is turned off. Users won't be able to modify this setting. If you disable this policy setting, phone number detection is turned on. Users won't be able to modify this setting. If you don't configure this policy setting, users can turn this behavior on or off, using Internet Explorer settings. The default is on. Turn off the immersive Internet Explorer browser This policy setting lets you decide whether to let Internet Explorer start the immersive Internet Explorer browser. If you enable this policy setting, Internet Explorer stops the immersive browser from starting, letting only the desktop browser start. Users won't be able to change this setting. If you disable or don't configure this policy setting, users can use both the immersive and desktop browsers. Prevent users from turning off Internet Explorer extensions using the "-extoff" command-line parameter. This policy setting lets you decide whether to let Internet Explorer extensions be turned off using the "-extoff" command-line parameter. If you enable this policy setting, Internet Explorer stops users from turning off Internet Explorer extensions using the "-extoff" parameter. If you disable or don't configure this policy setting, users won't be able to turn off Internet Explorer extensions using the parameter. Turn on Site Discovery XML output Turn on Site Discovery WMI output Limit Site Discovery output by Domain Limit Site Discovery output by Zone This policy setting allows you to manage the XML output functionality of the Internet Explorer Site discovery Toolkit(SDTK). When enabled the feature will write data collected to an XML file at a location specified when setting this policy. When disabled, no data will be written to the XML file. Enabling or disabling this setting will not impact other output methods available for the SDTK. This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site discovery Toolkit(SDTK). When enabled the feature will write data collected to a WMI class which can then be aggregated using a client management solution(SCCM) or other means. When disabled, no data will be written to the WMI class. Enabling or disabling this setting will not impact other output methods available for the SDTK. This policy setting allows you to control which Domains are included in the discovery functionality of the Internet Explorer Site discovery Toolkit(SDTK). When enabled the feature will collect data from sites that are part of the domains configured in the policy. When disabled, or not configured, all domains will be included in site discovery. This policy can be used in conjunction with other policies controlling sites included in Site Discovery. To configure the domain(s) included in data collection for the IE Site Discovery Toolkit, Add one domain per line to the text box. For example: microsoft.sharepoint.com outlook.com onedrive.com timecard.contoso.com LOBApp.contoso.com This policy setting allows you to control which site zones are included in the discovery functionality of the Internet Explorer Site discovery Toolkit(SDTK). When enabled the feature will collect data from sites that are part of the zones configured in the policy. When disabled or not configured all Zones will be included in site discovery. This policy can be used in conjunction with other policies controlling sites included in Site Discovery. To configure zone(s) included in site discovery, a binary number is formed based on the selected zones. The decimal representation of this number is used to represent this number in policy. For example: • 2 - Intranet site zone only   Binary Representation - 00010 • 0 - Restricted Sites Zone • 0 - Internet Zone • 0 - Trusted Sites Zone • 1 - Local Intranet Zone • 0 - Local Machine Zone • 6 - Intranet and Trusted site zones only   Binary Representation - 00110 • 0 - Restricted Sites Zone • 0 - Internet Zone • 1 - Trusted Sites Zone • 1 - Local Intranet Zone • 0 - Local Machine Zone • 22 - Trusted, Intranet, and Restricted site zones only   Binary Representation - 10110 • 1 - Restricted Sites Zone • 0 - Internet Zone • 1 - Trusted Sites Zone • 1 - Local Intranet Zone • 0 - Local Machine Zone Domain allow list Add-on List Hover color 255,0,0 ActiveMovie Control Media Control Background color 192,192,192 CarPoint AutoPricer Control Path CODEBASE Select the desired behavior Select the desired behavior Enter IE Version String DHTML Edit Control Select phishing filter mode Select SmartScreen Filter mode for Internet Explorer 8 Select SmartScreen Filter mode Type the location (URL) of where to receive reports about the websites for which users turn on and use Enterprise Mode Type the location (URL) of your Enterprise Mode IE website list Shockwave Flash Default Size Cipher Strength Update Information URL: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=128bit Enter restricted protocols for this zone. Enter the allowed behaviors here. Process List: MSN Investor Chart Control MS Investor Ticker Open windows without address or status bars Only allow approved domains to use ActiveX controls without prompt Only allow approved domains to use ActiveX controls without prompt Allow video and animation on a Web page that uses a legacy media player Scriptlets First-Run Opt-In Include local directory path when uploading files to a server Use SmartScreen Filter Prompt for information using scripted windows Status bar updates via script Protected Mode Turn on Cross-Site Scripting (XSS) Filter Turn on Cross-Site Scripting (XSS) Filter Launching programs and unsafe files XAML browser applications Internet Explorer web browser control .NET Framework Setup XAML Files XPS documents Access data sources across domains Access data sources across domains Access data sources across domains Allow active scripting Allow active scripting Allow active scripting Allow META REFRESH Allow META REFRESH Allow paste operations via script Allow paste operations via script Allow Binary and Script Behaviors Allow Binary and Script Behaviors Allow Binary and Script Behaviors Use Pop-up Blocker Use Pop-up Blocker Display mixed content Download signed ActiveX controls Download signed ActiveX controls Download signed ActiveX controls Download unsigned ActiveX controls Download unsigned ActiveX controls Download unsigned ActiveX controls Allow drag and drop or copy and paste files Allow drag and drop or copy and paste files Render legacy filters Render legacy filters Allow file downloads Allow file downloads Allow font downloads Allow font downloads Allow installation of desktop items Allow installation of desktop items Allow installation of desktop items Locked-Down Internet Internet Locked-Down Intranet Intranet Java permissions Java permissions Java permissions Java permissions Launching applications and files in an IFRAME Launching applications and files in an IFRAME Launching applications and files in an IFRAME Locked-Down Local Machine Zone Local Machine Zone Logon options Logon options Logon options Enable MIME Sniffing Enable MIME Sniffing Enable dragging of content from different domains within a window Enable dragging of content from different domains across windows Navigate windows and frames across different domains Navigate windows and frames across different domains Allow active content over restricted protocols to access my computer Allow active content over restricted protocols to access my computer Do not prompt for client certificate selection when no certificates or only one certificate exists. Do not prompt for client certificate selection when no certificates or only one certificate exists. Automatic prompting for ActiveX controls Automatic prompting for ActiveX controls Automatic prompting for file downloads Automatic prompting for file downloads Locked-Down Restricted Sites Restricted Sites Run ActiveX controls and plugins Run ActiveX controls and plugins Script ActiveX controls marked safe for scripting Script ActiveX controls marked safe for scripting Don't run antimalware programs against ActiveX controls Don't run antimalware programs against ActiveX controls Initialize and script ActiveX controls not marked as safe Initialize and script ActiveX controls not marked as safe Scripting of Java applets Scripting of Java applets Run .NET Framework-reliant components signed with Authenticode Run .NET Framework-reliant components signed with Authenticode Software channel permissions Software channel permissions Software channel permissions Submit non-encrypted form data Submit non-encrypted form data Locked-Down Trusted Sites Trusted Sites Run .NET Framework-reliant components not signed with Authenticode Run .NET Framework-reliant components not signed with Authenticode Userdata persistence Userdata persistence Allow script-initiated windows without size or position constraints Allow script-initiated windows without size or position constraints Web sites in less privileged Web content zones can navigate into this zone Web sites in less privileged Web content zones can navigate into this zone Web sites in less privileged Web content zones can navigate into this zone Enter the zone assignments here. Link color 0,0,255 Visited link color 96,100,32 Maximum size of subscriptions in kilobytes: Maximum number of offline pages: Minimum number of minutes between scheduled updates: Time to begin preventing scheduled updates: Time to end preventing scheduled updates: Maximum offline page crawl depth: Disable the Media Explorer Bar and auto-play feature Auto-Play Media files in the Media bar when enabled MCSiMenu Popup Menu Object Ikonic Menu Control Microsoft Agent Control MSChat Control MSNBC News Control NetShow File Transfer Control Select your choice Select tabbed browsing pop-up behavior Select where to open links Block attachments that could contain a virus Per domain(in kilobytes) Per document (in kilobytes) Per domain (in kilobytes) Per document (in kilobytes) Per domain (in kilobytes) Per document (in kilobytes) Per domain (in kilobytes) Per document (in kilobytes) Per domain (in kilobytes) Per document (in kilobytes) Enter the list of sites here. Prompt me to save passwords Days to keep pages in History Home Page Microsoft Scriptlet Component Microsoft Survey Control Select tab opening position Text color 0,0,0 Show Back button Show Forward button Show Stop button Show Refresh button Show Home button Show Search button Show Favorites button Show History button Show Folders button Show Fullscreen button Show Tools button Show Mail button Show Font size button Show Print button Show Edit button Show Discussions button Show Cut button Show Copy button Show Paste button Show Encoding button When searching from the Address bar: Underline links Update check interval (in days): URL to be displayed for updates: http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update When searching from the address bar: Maximum number of connections: Maximum number of connections: Secure Protocol combinations Allow insecure fallback for: New tab behavior Secondary home pages Command Labeling Tab Process Growth Threshold (3-30): Threshold (3-30): List of non-default Accelerators to install List of default Accelerators to install List of sites List of sites Set default storage limits for websites Set indexed database storage limits for individual domains Set maximum indexed database storage limit for all domains Domain Storage Limit Total Storage Limit Number of days Number of resources Maximum resource size Default browser launch behavior for links Output path Zone mask Domain list First choice Second choice Third choice Notify that Internet Explorer 11 browser is disabled