[gptalk] Re: [J&R SPAM ALERT BA] - Re: clicking on links in outlook 2003 - Bayesian Filter detected spam

  • From: "Aristotle Zoulas" <zou@xxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 11 Apr 2007 12:42:51 -0400

We tried Gray's advice, still no luck. Here is the output file.

Thanks for all your help so far.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, April 11, 2007 12:17 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [J&R SPAM ALERT BA] - [gptalk] Re: clicking on links in outlook
2003 - Bayesian Filter detected spam

 

Aristotle-

What other settings do you have set? Can you output a GPResults report
on that user? I suspect it's an unrelated setting that is behaving
differently in IE7 than previous versions. Perhaps an IE security
setting?

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Gray Troutman
Sent: Wednesday, April 11, 2007 9:12 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: clicking on links in outlook 2003

 

Are you using the Outlook 2003 ADM?  If you are there is a setting under
Administrative Templates -> Microsoft Outlook 2003 -> Tools | Options ->
Security -> Enable links in e-mail attachments.  This has the standard
Not Configured, Enabled, Disabled settings.  For Enabled you have the
option to check if you want to enforce the setting on or off.  If you're
not using this ADM, I would suggest installing it and then checking
Enabled and Enforce setting on. 



On 4/11/07, Aristotle Zoulas <zou@xxxxxx> wrote:

The link is there, when they click on it they get "operation has been
cancelled..." Works fine with ie6, craps out with ie7. Works fine with
ie7 and no software group policy.

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Gray Troutman
Sent: Tuesday, April 10, 2007 6:04 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: clicking on links in outlook 2003

 

Under Tools | Options -> Security, there's a setting for "Enable links in
e-mail messages".  Have you looked at that?

On 4/10/07, Aristotle Zoulas <zou@xxxxxx> wrote:

I have users running XP SP2, Outlook
<http://www.experts-exchange.com/Software/Internet_Email/Q_22478726.html>
2003. I use group policy to control the users and desktops. I
recently upgraded a couple users to IE7 to test it in our environment.
Once upgraded to IE7 the users can no longer click links such as
http://www.google.com in their emails without getting the following
error:

The operation has been cancelled due to restrictions in effect on this
computer
<http://www.experts-exchange.com/Software/Internet_Email/Q_22478726.html>.
Please contact your system administrator.

I have not changed anything in any of my policies; however, if I
pull the user out of their respective OUs and move to an OU with no
policies applied to it the error goes away.

Does anyone know of a setting that would cause this behavior in either
Outlook or IE7 that can be changed to remedy this situation???

Any help would be greatly appreciated, thank you in advance!

 

 

Aristotle 

 

 

Group Policy Modeling
JR\ima on JR\IT2234-ABDUL
Data collected on: 4/11/2007 12:32:44 PM

Summary

  Computer Configuration Summary

    General
      Computer name: JR\IT2234-ABDUL
      Computer container: jr.local/Client Computers/IT
      Domain: jr.local
      Site: (None)
      Slowlink processing: No

    Group Policy Objects

      Applied GPOs
        Name | Link Location | Revision
        System - Logon Message | jr.local | AD (14), Sysvol (14)
        System - Logon Script | jr.local | AD (2), Sysvol (2)
        Remote - Remote assistance | jr.local | AD (2), Sysvol (2)
        Default Domain Policy in use | jr.local | AD (136), Sysvol (136)
        System - disable usb storage device | jr.local/Client Computers | AD (12), Sysvol (12)
        System - WSUS - Automatic Update | jr.local/Client Computers | AD (25), Sysvol (25)
        System - Disable Windows Firewall | jr.local/Client Computers | AD (10), Sysvol (10)

      Denied GPOs
        Name | Link Location | Reason Denied
        System - Enable usb device | jr.local | Access Denied (Security Filtering)
        Redirect My Documents | jr.local | Disabled GPO
        Software - Office setting | jr.local | Empty
        TS - Shadow View Only Control | jr.local | Disabled GPO
        TS - Shadow View Only | jr.local | Disabled GPO
        IE - Maintenance (Homepage / Proxy / etc.) | jr.local | Disabled GPO

    Simulated security group membership
      JR\IT2234-ABDUL$
      JR\Domain Computers
      Everyone
      BUILTIN\Pre-Windows 2000 Compatible Access
      BUILTIN\Users
      NT AUTHORITY\Authenticated Users
      NT AUTHORITY\This Organization
      JR\WSUS test Computer

    WMI Filters
      Name | Value | Reference GPO(s)
      None

    Component Status
      Component Name | Status
      Group Policy Infrastructure | Success
      EFS recovery | Success (no data)
      Registry | Success
      Security | Success

  User Configuration Summary

    General
      User name: JR\ima
      User container: jr.local/Sales/Corporate Sales/Managers
      Domain: jr.local
      Slowlink processing: No
      Loopback processing: No

    Group Policy Objects

      Applied GPOs
        Name | Link Location | Revision
        Redirect My Documents | jr.local | AD (7), Sysvol (7)
        Software - Office setting | jr.local | AD (23), Sysvol (23)
        System - Logon Script | jr.local | AD (4), Sysvol (4)
        TS - Shadow View Only Control | jr.local | AD (2), Sysvol (2)
        IE - Maintenance (Homepage / Proxy / etc.) | jr.local | AD (27), Sysvol (27)
        Default Domain Policy in use | jr.local | AD (23), Sysvol (23)
        System - Lock down Control Panel and Win Explorer | jr.local/Sales/Corporate Sales/Managers | AD (96), Sysvol (96)
        IE - Lock Down IE | jr.local/Sales/Corporate Sales/Managers | AD (115), Sysvol (115)
        System - remove run, find, hide drive, network, shutdown | jr.local/Sales/Corporate Sales/Managers | AD (6), Sysvol (6)
        System - disable registry editing | jr.local/Sales/Corporate Sales/Managers | AD (8), Sysvol (8)
        Software - Corporate Sales Manager | jr.local/Sales/Corporate Sales/Managers | AD (33), Sysvol (33)

      Denied GPOs
        Name | Link Location | Reason Denied
        System - Logon Message | jr.local | Empty
        System - Enable usb device | jr.local | Access Denied (Security Filtering)
        Remote - Remote assistance | jr.local | Empty
        TS - Shadow View Only | jr.local | Access Denied (Security Filtering)

    Simulated security group membership
      JR\ima
      BUILTIN\Users
      JR\Domain Users
      Everyone
      BUILTIN\Pre-Windows 2000 Compatible Access
      NT AUTHORITY\Authenticated Users
      NT AUTHORITY\This Organization
      JR\Userlock Single Session Sec Grp
      JR\TollFree Sec Grp
      JR\XP Users Sec Grp
      JR\Titan Sec Grp
      JR\Corp Sales Sec Grp
      JR\Wise Sec Grp

    WMI Filters
      Name | Value | Reference GPO(s)
      None

    Component Status
      Component Name | Status
      Group Policy Infrastructure | Success
      Folder Redirection | Success
      Internet Explorer Branding | Success
      Internet Explorer Zonemapping | Success (no data)
      Registry | Success
      Scripts | Success

Computer Configuration

  Windows Settings

    Security Settings

      Account Policies/Password Policy
        Policy | Setting | Winning GPO
        Enforce password history | 3 passwords remembered | Default Domain Policy in use
        Maximum password age | 60 days | Default Domain Policy in use
        Minimum password age | 0 days | Default Domain Policy in use
        Minimum password length | 8 characters | Default Domain Policy in use
        Password must meet complexity requirements | Enabled | Default Domain Policy in use
        Store passwords using reversible encryption | Disabled | Default Domain Policy in use

      Account Policies/Account Lockout Policy
        Policy | Setting | Winning GPO
        Account lockout threshold | 0 invalid logon attempts | Default Domain Policy in use

      Account Policies/Kerberos Policy
        Policy | Setting | Winning GPO
        Enforce user logon restrictions | Enabled | Default Domain Policy in use
        Maximum lifetime for service ticket | 600 minutes | Default Domain Policy in use
        Maximum lifetime for user ticket | 10 hours | Default Domain Policy in use
        Maximum lifetime for user ticket renewal | 7 days | Default Domain Policy in use
        Maximum tolerance for computer clock synchronization | 5 minutes | Default Domain Policy in use

      Local Policies/User Rights Assignment
        Policy | Setting | Winning GPO
        Deny log on locally | JR\NT Users Sec Grp, JR\tsdev | Default Domain Policy in use
        Deny log on through Terminal Services | JR\NT Users Sec Grp, JR\XP Users Sec Grp | Default Domain Policy in use

      Local Policies/Security Options

        Interactive Logon
          Policy | Setting | Winning GPO
          Interactive logon: Do not display last user name | Enabled | System - Logon Message
          Interactive logon: Message text for users attempting to log on | All use and access on this computer is monitored.
J&amp;R computer systems are to be used for BUSINESS PURPOSES ONLY.</td><td>System - Logon Message</td></tr> <tr><td>Interactive logon: Message title for users attempting to log on</td><td>Welcome to the J&amp;R Active Directory network!</td><td>System - Logon Message</td></tr> </table> </div></div><div class="he4h"><span class="sectionTitle" tabindex="0">Network Security</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td>Network security: Force logoff when logon hours expire</td><td>Disabled</td><td>System - Logon Message</td></tr> </table> </div></div></div><div class="he3"><span class="sectionTitle" tabindex="0">Public Key Policies/Autoenrollment Settings</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td>Enroll certificates automatically</td><td>Enabled</td><td>[Default setting]</td></tr> <tr><td colspan="3"><table class="subtable3" cellpadding="0" cellspacing="0"> <tr><td scope="row">Renew expired certificates, update pending certificates, and remove revoked certificates</td><td>Disabled</td></tr> <tr><td scope="row">Update certificates that use certificate templates</td><td>Disabled</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Public Key Policies/Encrypting File System</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4h"><span class="sectionTitle" tabindex="0">Properties</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info" cellpadding="0" cellspacing="0"> <tr><td scope="row"><b>Winning GPO</b></td><td>[Default setting]</td></tr> 
</table> </div><div class="he4i"><table class="subtable" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th></tr> <tr><td>Allow users to encrypt files using Encrypting File System (EFS)</td><td>Enabled</td></tr> </table></div></div><div class="he4h"><span class="sectionTitle" tabindex="0">Certificates</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"><tr><th scope="col">Issued To</th><th scope="col">Issued By</th><th scope="col">Expiration Date</th><th scope="col">Intended Purposes</th><th scope="col">Winning GPO</th></tr> <tr><td>Administrator</td><td>Administrator</td><td>2/13/2009 9:46:24 AM</td><td>File Recovery</td><td>Default Domain Policy in use</td></tr> </table> <br/>For additional information about individual settings, launch Group Policy Object Editor.</div></div></div><div class="he3"><span class="sectionTitle" tabindex="0">Public Key Policies/Trusted Root Certification Authorities</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4h"><span class="sectionTitle" tabindex="0">Properties</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info" cellpadding="0" cellspacing="0"> <tr><td scope="row"><b>Winning GPO</b></td><td>[Default setting]</td></tr> </table> </div><div class="he4i"><table class="subtable" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th></tr> <tr><td>Allow users to select new root certification authorities (CAs) to trust</td><td>Enabled</td></tr> <tr><td>Client computers can trust the following certificate stores</td><td>Third-Party Root Certification Authorities and Enterprise Root Certification Authorities</td></tr> <tr><td>To perform certificate-based authentication of users and computers, CAs must meet the following criteria</td><td>Registered in Active Directory only</td></tr> </table> 
</div></div></div><div class="he3"><span class="sectionTitle" tabindex="0">Software Restriction Policies</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info" cellpadding="0" cellspacing="0"> <tr><td scope="row"><b>Winning GPO</b></td><td>Default Domain Policy in use</td></tr> </table> </div><div class="he4i"><table class="info" cellpadding="0" cellspacing="0"> <tr><td><b>Enforcement</b></td></tr> <tr><td colspan="1"> <table class="subtable3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th></tr> <tr><td>Apply software restriction policies to</td><td>All software files except libraries (such as DLLs)</td></tr> <tr><td>Apply software restriction policies to the following users</td><td>All users</td></tr> </table> </td></tr> <tr><td><b>Designated File Types</b></td></tr> <tr><td colspan="1"> <table class="subtable" cellpadding="0" cellspacing="0"><tr><th scope="col">File Extension</th><th scope="col">File Type</th></tr> <tr><td>ADE</td><td>ADE File</td></tr> <tr><td>ADP</td><td>ADP File</td></tr> <tr><td>BAS</td><td>BAS File</td></tr> <tr><td>BAT</td><td>Windows Batch File</td></tr> <tr><td>CHM</td><td>Compiled HTML Help file</td></tr> <tr><td>CMD</td><td>Windows Command Script</td></tr> <tr><td>COM</td><td>Application</td></tr> <tr><td>CPL</td><td>Control Panel extension</td></tr> <tr><td>CRT</td><td>Security Certificate</td></tr> <tr><td>EXE</td><td>Application</td></tr> <tr><td>HLP</td><td>Help File</td></tr> <tr><td>HTA</td><td>HTML Application</td></tr> <tr><td>INF</td><td>Setup Information</td></tr> <tr><td>INS</td><td>Internet Communication Settings</td></tr> <tr><td>ISP</td><td>Internet Communication Settings</td></tr> <tr><td>LNK</td><td>Shortcut</td></tr> <tr><td>MDB</td><td>MDB File</td></tr> <tr><td>MDE</td><td>MDE File</td></tr> <tr><td>MSC</td><td>Microsoft Common Console Document</td></tr> <tr><td>MSI</td><td>Windows Installer Package</td></tr> 
<tr><td>MSP</td><td>Windows Installer Patch</td></tr> <tr><td>MST</td><td>MST File</td></tr> <tr><td>OCX</td><td>ActiveX Control</td></tr> <tr><td>PCD</td><td>PCD File</td></tr> <tr><td>PIF</td><td>Shortcut to Program</td></tr> <tr><td>REG</td><td>Registration Entries</td></tr> <tr><td>SCR</td><td>Screen Saver</td></tr> <tr><td>SHS</td><td>Scrap object</td></tr> <tr><td>URL</td><td>Internet Shortcut</td></tr> <tr><td>VB</td><td>VB File</td></tr> <tr><td>WSC</td><td>Windows Script Component</td></tr> </table> </td></tr> <tr><td><b>Trusted Publishers</b></td></tr> <tr><td colspan="1"> <table class="subtable" cellpadding="0" cellspacing="0"> <tr><td scope="row">Allow the following users to select trusted publishers</td><td>End users</td></tr> <tr><td scope="row">Before trusting a publisher, check the following to determine if the certificate is revoked</td><td>None</td></tr> </table> </td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Software Restriction Policies/Security Levels</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td>Default Security Level</td><td>Unrestricted</td><td>Default Domain Policy in use</td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Software Restriction Policies/Additional Rules</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4h"><span class="sectionTitle" tabindex="0">Path Rules</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info" cellpadding="0" cellspacing="0"> <tr><td><b>%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%</b></td></tr><tr><td><table class="subtable" cellpadding="0" cellspacing="0"> <tr><td scope="row">Security Level</td><td>Unrestricted</td></tr> 
<tr><td scope="row">Description</td><td></td></tr> <tr><td scope="row">Date last modified</td><td>3/8/2006 10:55:43 AM</td></tr> <tr><td scope="row">Winning GPO</td><td>Default Domain Policy in use</td></tr> </table> </td></tr><tr><td><b>%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe</b></td></tr><tr><td><table class="subtable" cellpadding="0" cellspacing="0"> <tr><td scope="row">Security Level</td><td>Unrestricted</td></tr> <tr><td scope="row">Description</td><td></td></tr> <tr><td scope="row">Date last modified</td><td>3/8/2006 10:55:43 AM</td></tr> <tr><td scope="row">Winning GPO</td><td>Default Domain Policy in use</td></tr> </table> </td></tr><tr><td><b>%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe</b></td></tr><tr><td><table class="subtable" cellpadding="0" cellspacing="0"> <tr><td scope="row">Security Level</td><td>Unrestricted</td></tr> <tr><td scope="row">Description</td><td></td></tr> <tr><td scope="row">Date last modified</td><td>3/8/2006 10:55:43 AM</td></tr> <tr><td scope="row">Winning GPO</td><td>Default Domain Policy in use</td></tr> </table> </td></tr><tr><td><b>%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%</b></td></tr><tr><td><table class="subtable" cellpadding="0" cellspacing="0"> <tr><td scope="row">Security Level</td><td>Unrestricted</td></tr> <tr><td scope="row">Description</td><td></td></tr> <tr><td scope="row">Date last modified</td><td>3/8/2006 10:55:43 AM</td></tr> <tr><td scope="row">Winning GPO</td><td>Default Domain Policy in use</td></tr> </table> </td></tr></table></div></div></div></div></div><div class="filler"></div> <div class="he1_expanded"><span class="sectionTitle" tabindex="0">Administrative Templates</span><a class="expando" href="#"></a></div> <div class="container"><div class="he3"><span class="sectionTitle" tabindex="0">Custom Policy Settings/Restrict Drives</span><a class="expando" href="#"></a></div> <div 
class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Disable USB Removable Drives" gpmc_settingPath="Computer Configuration/Administrative Templates/Custom Policy Settings/Restrict Drives" gpmc_settingDescription="Disables the USB Removable Drives capability by disabling the usbstor.sys driver. &lt;br/&gt;&lt;br/&gt;Select the ENABLED radiobox, then select STOPPED for the usbstore.sys driver status in the drop-down list. &lt;br/&gt;&lt;br/&gt;Note that this will only prevent usage of newly plugged-in USB Removable Drives or Flash Drives, devices that were plugged-in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example - 2 identical Flash Disks made by the same manufacturer) will still function if one of them was plugged-in prior to the configuration of this setting. In order to successfully block them you will need to make sure no USB Removable Drive is plugged-in while you set this option. &lt;br/&gt;&lt;br/&gt;In order to re-enable the usage of USB Removable Drives select STARTED for the usbstore.sys driver status in the drop-down list." 
gpmc_supported="">Disable USB Removable Drives</a></td><td>Enabled</td><td>System - disable usb storage device</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>usbstore.sys driver status</td><td>Stopped</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Custom Policy Settings/Write Protection</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Write Protect USB Removable Drives" gpmc_settingPath="Computer Configuration/Administrative Templates/Custom Policy Settings/Write Protection" gpmc_settingDescription="Enforces write protection on all USB Removable Drives. &lt;br/&gt;&lt;br/&gt;Select the ENABLED radiobox, then select ON for the Write Protect USB Removable Drives status in the drop-down list. &lt;br/&gt;&lt;br/&gt;In order to disable write protection on USB Removable Drives select OFF for the Write Protect USB Removable Drives status in the drop-down list." 
gpmc_supported="">Write Protect USB Removable Drives</a></td><td>Enabled</td><td>System - disable usb storage device</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Write Protect USB Removable Drives status</td><td>Off</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Network/Network Connections</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Prohibit use of Internet Connection Firewall on your DNS domain network" gpmc_settingPath="Computer Configuration/Administrative Templates/Network/Network Connections" gpmc_settingDescription="Prohibits use of Internet Connection Firewall on your DNS domain network.&lt;br/&gt;&lt;br/&gt;Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer.&lt;br/&gt;&lt;br/&gt;Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.&lt;br/&gt;&lt;br/&gt;The Internet Connection Firewall is a stateful packet filter for home and small office users to protect them from Internet network security threats.&lt;br/&gt;&lt;br/&gt;If you enable this setting, Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connection Firewall service cannot run on the computer. 
The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled.&lt;br/&gt;&lt;br/&gt;Note: If you enable the &amp;quot;Windows Firewall: Protect all network connections&amp;quot; policy setting, the &amp;quot;Prohibit use of Internet Connection Firewall on your DNS domain network&amp;quot; policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you install Windows XP Service Pack 2.&lt;br/&gt;&lt;br/&gt;If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled." gpmc_supported="At least Microsoft Windows XP Professional or Windows Server 2003 family">Prohibit use of Internet Connection Firewall on your DNS domain network</a></td><td>Enabled</td><td>System - Disable Windows Firewall</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Prohibit use of Internet Connection Sharing on your DNS domain network" gpmc_settingPath="Computer Configuration/Administrative Templates/Network/Network Connections" gpmc_settingDescription="Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer.&lt;br/&gt;&lt;br/&gt;Important: This setting is location aware. 
It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.&lt;br/&gt;&lt;br/&gt;ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network.&lt;br/&gt;&lt;br/&gt;If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled.&lt;br/&gt;&lt;br/&gt;If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.)&lt;br/&gt;&lt;br/&gt;By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. 
When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS.&lt;br/&gt;&lt;br/&gt;Note: Internet Connection Sharing is only available when two or more network connections are present.&lt;br/&gt;&lt;br/&gt;Note: When the &amp;quot;Prohibit access to properties of a LAN connection,&amp;quot; &amp;quot;Ability to change properties of an all user remote access connection,&amp;quot; or &amp;quot;Prohibit changing properties of a private remote access connection&amp;quot; settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked.&lt;br/&gt;&lt;br/&gt;Note: Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting." gpmc_supported="At least Microsoft Windows 2000 Service Pack 1">Prohibit use of Internet Connection Sharing on your DNS domain network</a></td><td>Enabled</td><td>System - Disable Windows Firewall</td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">System/Remote Assistance</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Offer Remote Assistance" gpmc_settingPath="Computer Configuration/Administrative Templates/System/Remote Assistance" gpmc_settingDescription="Specifies whether or not a support person or IT administrator (the &amp;quot;expert&amp;quot;) can offer remote assistance to this computer without a user explicitly requesting it first via a channel, e-mail, or Windows Messenger. 
If you use Windows Firewall in your organization, depending on the kind of operating system installed on the computer, you might also need to configure certain firewall policies for Offer Remote Assistance to work.&lt;br/&gt;&lt;br/&gt;Using this policy setting, an expert can offer remote assistance to this computer.&lt;br/&gt;&lt;br/&gt;The expert cannot connect to the computer unannounced or control it without permission from the user. When the expert tries to connect, the user is still given a chance to accept or deny the connection (giving the expert view-only privileges to the user's desktop), and thereafter the user has to explicitly click a button to give the expert the ability to remotely control the desktop, if remote control is enabled.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Remote Assistance can be offered to users logged on to the computer. You have two options for how experts, or  helpers, can provide Remote Assistance: &amp;quot;Allow helpers to only view the computer&amp;quot; or &amp;quot;Allow helpers to remotely control the computer.&amp;quot; In addition to making this selection, when you configure this policy setting you also specify the list of users or user groups that will be allowed to offer remote assistance. These are known as &amp;quot;helpers.&amp;quot;&lt;br/&gt;&lt;br/&gt;To configure the list of helpers, click &amp;quot;Show.&amp;quot; This opens a new window where you can enter the names of the helpers. Add each user or group one by one. 
When you enter the name of the helper user or user groups, use the following format:&lt;br/&gt;&lt;br/&gt;&amp;lt;Domain Name&amp;gt;\&amp;lt;User Name&amp;gt; or&lt;br/&gt;&lt;br/&gt;&amp;lt;Domain Name&amp;gt;\&amp;lt;Group Name&amp;gt;&lt;br/&gt;&lt;br/&gt;For all the computers in your organization, add the following entry to the policy setting  Windows Firewall: Define port exceptions :&lt;br/&gt;&lt;br/&gt;135:TCP:*:Enabled: Offer Remote Assistance&lt;br/&gt;&lt;br/&gt;For all the computers, add the following entries to the policy setting  Windows Firewall: Define program exceptions :&lt;br/&gt;&lt;br/&gt;%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance&lt;br/&gt;&lt;br/&gt;%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance  Windows Messenger and Voice&lt;br/&gt;&lt;br/&gt;For the computers running the Windows Server 2003 Service Pack 1 (SP1) operating system in your organization, enable the policy setting  Windows Firewall: Allow Remote Desktop Exception .&lt;br/&gt;&lt;br/&gt;For computers running the Windows XP Service Pack 2 (SP2) and Windows XP 64-bit Service Pack 1 (SP1) operating systems, add the following entry to the policy setting,  Windows Firewall: Define program exceptions :&lt;br/&gt;&lt;br/&gt;%WINDIR%\SYSTEM32\Sessmgr.exe:*: Enabled: Remote Assistance&lt;br/&gt;&lt;br/&gt;Note: Enabling the  Allow Remote Desktop Exception policy setting will work for computers running all versions of Windows on which this policy setting is supported, but it will leave port 3389 constantly open. By configuring a program exception for Sessmgr.exe, port 3389 will be opened and closed dynamically on computers running the Windows Server XP SP2 and Windows XP 64-bit SP1 operating systems. 
However, the Sessmgr.exe exception will not work for the Windows Server 2003 SP1 operating system; instead, the  Allow Remote Desktop Exception policy setting must be configured.&lt;br/&gt;&lt;br/&gt;If you disable or do not configure this policy setting, users or groups cannot offer unsolicited remote assistance to this computer." gpmc_supported="At least Microsoft Windows XP Professional or Windows Server 2003 family">Offer Remote Assistance</a></td><td>Enabled</td><td>Remote - Remote assistance</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Permit remote control of this computer:</td><td>Allow helpers to remotely control the computer</td></tr> <tr><td colspan="2"><table class="subtable" cellpadding="0" cellspacing="0"> <tr><th scope="col">Helpers:</th></tr> <tr><td>jr\misshadow</td></tr> <tr><td>jr\domain admins</td></tr> </table></td></tr></table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Windows Update</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow non-administrators to receive update notifications" gpmc_settingPath="Computer Configuration/Administrative Templates/Windows Components/Windows Update" gpmc_settingDescription="Specifies whether, when logged on, non-administrative users will receive update notifications based on the configuration settings for Automatic Updates. 
If Automatic Updates is configured, by policy or locally, to notify the user either before downloading or only before installation, these notifications will be offered to any non-administrator who logs onto the computer.&lt;br/&gt;&lt;br/&gt;If the status is set to Enabled, Automatic Updates will include non-administrators when determining which logged-on user should receive notification.&lt;br/&gt;&lt;br/&gt;If the status is set to Disabled or Not Configured, Automatic Updates will notify only logged-on administrators.&lt;br/&gt;&lt;br/&gt;Note: If the &amp;quot;Configure Automatic Updates&amp;quot; policy is disabled, this policy has no effect." gpmc_supported="Windows Server 2003, XP SP1, 2000 SP3">Allow non-administrators to receive update notifications</a></td><td>Disabled</td><td>System - WSUS - Automatic Update</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic Updates detection frequency" gpmc_settingPath="Computer Configuration/Administrative Templates/Windows Components/Windows Update" gpmc_settingDescription="Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. 
For example, if this policy is used to specify a 20 hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 and 20 hours.&lt;br/&gt;&lt;br/&gt;If the status is set to Enabled, Windows will check for available updates at the specified interval.&lt;br/&gt;&lt;br/&gt;If the status is set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours.&lt;br/&gt;&lt;br/&gt;Note: The &amp;quot;Specify intranet Microsoft update service location&amp;quot; setting must be enabled for this policy to have effect.&lt;br/&gt;&lt;br/&gt;Note: If the &amp;quot;Configure Automatic Updates&amp;quot; policy is disabled, this policy has no effect." gpmc_supported="Windows Server 2003, XP SP1, 2000 SP3">Automatic Updates detection frequency</a></td><td>Enabled</td><td>System - WSUS - Automatic Update</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td colspan="2">Check for updates at the following</td></tr><tr><td>interval (hours): </td><td>22</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Configure Automatic Updates" gpmc_settingPath="Computer Configuration/Administrative Templates/Windows Components/Windows Update" gpmc_settingDescription="Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.&lt;br/&gt;&lt;br/&gt;This setting lets you specify if automatic updates are enabled on this computer. 
If the service is enabled, you must select one of the four options in the Group Policy Setting:&lt;br/&gt;&lt;br/&gt;2 = Notify before downloading any updates and notify again before installing them.&lt;br/&gt;&lt;br/&gt;When Windows finds updates that apply to this computer, an icon appears in the status area with a message that updates are ready to be downloaded. Clicking the icon or message provides the option to select the specific updates to download. Windows then downloads the selected updates in the background. When the download is complete, the icon appears in the status area again, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.&lt;br/&gt;&lt;br/&gt;3 = (Default setting) Download the updates automatically and notify when they are ready to be installed&lt;br/&gt;&lt;br/&gt;Windows finds updates that apply to your computer and downloads these updates in the background (the user is not notified or interrupted during this process). When the download is complete, the icon appears in the status area, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.&lt;br/&gt;&lt;br/&gt;4 = Automatically download updates and install them on the schedule specified below&lt;br/&gt;&lt;br/&gt;Specify the schedule using the options in the Group Policy Setting. If no schedule is specified, the default schedule for all installations will be everyday at 3:00 AM. If any of the updates require a restart to complete the installation, Windows will restart the computer automatically. 
(If a user is logged on to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.)&lt;br/&gt;&lt;br/&gt;5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates&lt;br/&gt;&lt;br/&gt;With this option, the local administrators will be allowed to use the Automatic Updates control panel to select a configuration option of their choice. For example they can choose their own scheduled installation time. Local administrators will not be allowed to disable Automatic Updates' configuration.&lt;br/&gt;&lt;br/&gt;To use this setting, click Enabled, and then select one of the options (2, 3, 4 or 5). If you select 4, you can set a recurring schedule (if no schedule is specified, all installations will occur everyday at 3:00 AM).&lt;br/&gt;&lt;br/&gt;If the status is set to Enabled, Windows recognizes when this computer is online and uses its Internet connection to search the Windows Update Web site for updates that apply to this computer.&lt;br/&gt;&lt;br/&gt;If the status is set to Disabled, any updates that are available on the Windows Update Web site must be downloaded and installed manually by going to http://windowsupdate.microsoft.com.&lt;br/&gt;&lt;br/&gt;If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel." 
gpmc_supported="Windows Server 2003, XP SP1, 2000 SP3">Configure Automatic Updates</a></td><td>Enabled</td><td>System - WSUS - Automatic Update</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Configure automatic updating:</td><td>4 - Auto download and schedule the install</td></tr> <tr><td colspan="2">The following settings are only required</td></tr><tr><td colspan="2">and applicable if 4 is selected.</td></tr><tr><td>Scheduled install day: </td><td>4 - Every Wednesday</td></tr> <tr><td>Scheduled install time:</td><td>02:00</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Enable client-side targeting" gpmc_settingPath="Computer Configuration/Administrative Templates/Windows Components/Windows Update" gpmc_settingDescription="Specifies the target group name that should be used to receive updates from an intranet Microsoft update service.&lt;br/&gt;&lt;br/&gt;If the status is set to Enabled, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer.&lt;br/&gt;&lt;br/&gt;If the status is set to Disabled or Not Configured, no target group information will be sent to the intranet Microsoft update service.&lt;br/&gt;&lt;br/&gt;Note: This policy applies only when the intranet Microsoft update service this computer is directed to is configured to support client-side targeting. If the &amp;quot;Specify intranet Microsoft update service location&amp;quot; policy is disabled or not configured, this policy has no effect." 
gpmc_supported="Windows Server 2003, XP SP1, 2000 SP3">Enable client-side targeting</a></td><td>Enabled</td><td>System - WSUS - Automatic Update</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Target group name for this computer</td><td>XP Computer</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Specify intranet Microsoft update service location" gpmc_settingPath="Computer Configuration/Administrative Templates/Windows Components/Windows Update" gpmc_settingDescription="Specifies an intranet server to host updates from the Microsoft Update Web sites. You can then use this update service to automatically update computers on your network.&lt;br/&gt;&lt;br/&gt;This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.&lt;br/&gt;&lt;br/&gt;To use this setting, you must set two servername values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server.&lt;br/&gt;&lt;br/&gt;If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service, instead of Windows Update, to search for and download updates. 
Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them.&lt;br/&gt;&lt;br/&gt;If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.&lt;br/&gt;&lt;br/&gt;Note: If the &amp;quot;Configure Automatic Updates&amp;quot; policy is disabled, then this policy has no effect." gpmc_supported="Windows Server 2003, XP SP1, 2000 SP3">Specify intranet Microsoft update service location</a></td><td>Enabled</td><td>System - WSUS - Automatic Update</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Set the intranet update service for detecting updates:</td><td>http://jritnyc1</td></tr> <tr><td>Set the intranet statistics server:</td><td>http://jritnyc1</td></tr> <tr><td colspan="2">(example: http://IntranetUpd01)</td></tr></table></td></tr></table> </div></div></div></div> <div class="filler"></div> <div class="he0_expanded"><span class="sectionTitle" tabindex="0">User Configuration</span><a class="expando" href="#"></a></div> <div class="container"><div class="he1_expanded"><span class="sectionTitle" tabindex="0">Windows Settings</span><a class="expando" href="#"></a></div> <div class="container"><div class="he2"><span class="sectionTitle" tabindex="0">Scripts</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4"><span class="sectionTitle" tabindex="0">Logon</span><a class="expando" href="#"></a></div> <div class="container"> <div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"><tr><th scope="col">Name</th><th scope="col">Parameters</th><th scope="col">Last Run</th><th scope="col">Winning GPO</th></tr> <tr><td>\\jr.local\SysVol\jr.local\scripts\jrlogon.bat</td><td></td><td>&nbsp;</td><td>System - 
Logon Script</td></tr> </table> </div></div></div><div class="he2"><span class="sectionTitle" tabindex="0">Security Settings</span><a class="expando" href="#"></a></div> <div class="container"><div class="he3"><span class="sectionTitle" tabindex="0">Public Key Policies/Autoenrollment Settings</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td>Enroll certificates automatically</td><td>Enabled</td><td>[Default setting]</td></tr> <tr><td colspan="3"><table class="subtable3" cellpadding="0" cellspacing="0"> <tr><td scope="row">Renew expired certificates, update pending certificates, and remove revoked certificates</td><td>Disabled</td></tr> <tr><td scope="row">Update certificates that use certificate templates</td><td>Disabled</td></tr> </table></td></tr></table> </div></div></div><div class="he2"><span class="sectionTitle" tabindex="0">Folder Redirection</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4"><span class="sectionTitle" tabindex="0">My Documents</span><a class="expando" href="#"></a></div> <div class="container"> <div class="he4i"><table class="info" cellpadding="0" cellspacing="0"> <tr><td scope="row"><b>Winning GPO</b></td><td>Redirect My Documents</td></tr> </table> </div><div class="he4h"><span class="sectionTitle" tabindex="0">Setting: Basic (Redirect everyone's folder to the same location)</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i">Path: \\jr.local\users\ima\my documents</div></div><div class="he4h"><span class="sectionTitle" tabindex="0">Options</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info" cellpadding="0" cellspacing="0"> <tr><td scope="row">Grant user exclusive rights to My Documents</td><td>Disabled</td></tr> <tr><td 
scope="row">Move the contents of My Documents to the new location</td><td>Enabled</td></tr> </table> </div> <div class="he4i"> <table class="info" cellpadding="0" cellspacing="0"> <tr><td scope="row">Policy Removal Behavior</td><td>Leave contents</td></tr> </table></div></div></div><div class="he4"><span class="sectionTitle" tabindex="0">My Pictures</span><a class="expando" href="#"></a></div> <div class="container"> <div class="he4i"><table class="info" cellpadding="0" cellspacing="0"> <tr><td scope="row"><b>Winning GPO</b></td><td>Redirect My Documents</td></tr> </table> </div><div class="he4h"><span class="sectionTitle" tabindex="0">Setting: Basic (Redirect everyone's folder to the same location)</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i">Path: \\jr.local\users\ima\my documents\My Pictures</div></div><div class="he4h"><span class="sectionTitle" tabindex="0">Options</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info" cellpadding="0" cellspacing="0"> <tr><td scope="row">Grant user exclusive rights to My Pictures</td><td>Disabled</td></tr> <tr><td scope="row">Move the contents of My Pictures to the new location</td><td>Enabled</td></tr> </table> </div> <div class="he4i"> <table class="info" cellpadding="0" cellspacing="0"> <tr><td scope="row">Policy Removal Behavior</td><td>Leave contents</td></tr> </table></div></div></div></div><div class="he2"><span class="sectionTitle" tabindex="0">Internet Explorer Maintenance</span><a class="expando" href="#"></a></div> <div class="container"><div class="he3"><span class="sectionTitle" tabindex="0">Connection/Automatic Browser Configuration</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td>Automatically detect configuration 
settings</td><td>Not configured</td><td>N/A</td></tr> <tr><td>Automatic Browser Configuration</td><td>Enabled</td><td>IE - Maintenance (Homepage / Proxy / etc.)</td></tr> <tr><td colspan="3"> <table class="subtable" cellpadding="0" cellspacing="0"> <tr><td scope="row">Interval</td><td>Not configured</td></tr> <tr><td scope="row">Auto-config URL (.INS file)</td><td></td></tr> <tr><td scope="row">Auto-proxy URL (.JS, .JVS, or .PAC file)</td><td>http://sitescope2:8080/proxyconfig_ad.pac</td></tr> </table> </td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">URLs/Important URLs</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><td colspan="3"> <table class="subtable" cellpadding="0" cellspacing="0"> <tr><th scope="col">Name</th><th scope="col">URL</th><th scope="col">Winning GPO</th></tr> <tr><td scope="row">Home page URL</td><td>http://www.jr.com</td><td>IE - Maintenance (Homepage / Proxy / etc.)</td></tr> <tr><td scope="row">Search bar URL</td><td>Not configured</td><td>N/A</td></tr> <tr><td scope="row">Online support page URL</td><td>Not configured</td><td>N/A</td></tr> </table> </td></tr> </table></div></div><div class="he3"><span class="sectionTitle" tabindex="0">URLs/Favorites and Links</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td>Place favorites and links at the top of the list in the order specified below</td><td>Not configured</td><td>N/A</td></tr> <tr><td>Delete existing Favorites and Links, if present</td><td>Not configured</td><td>N/A</td></tr> <tr><td>Delete existing channels, if present</td><td>Not configured</td><td>N/A</td></tr> </table> <table class="info" cellpadding="0" cellspacing="0"> 
<tr><td><b>Favorites</b></td></tr><tr><td><table class="subtable3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Name</th><th scope="col">URL</th><th scope="col">Winning GPO</th></tr><tr><td>J&amp;R Phone Lists</td><td>http://sitescope2:9000/phonelist/</td><td>IE - Maintenance (Homepage / Proxy / etc.)</td></tr></table> </td></tr></table></div></div></div></div><div class="filler"></div> <div class="he1_expanded"><span class="sectionTitle" tabindex="0">Administrative Templates</span><a class="expando" href="#"></a></div> <div class="container"><div class="he3"><span class="sectionTitle" tabindex="0">Control Panel</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Force classic Control Panel Style" gpmc_settingPath="User Configuration/Administrative Templates/Control Panel" gpmc_settingDescription="This setting affects the visual style and presentation of the Control Panel.&lt;br/&gt;&lt;br/&gt;It allows you to disable the new style of Control Panel, which is task-based, and use the Windows 2000 style, referred to as the &amp;quot;classic&amp;quot; Control Panel. The new Control Panel, referred to as the &amp;quot;simple&amp;quot; Control Panel, simplifies how users interact with settings by providing easy-to-understand tasks that help users get their work done quickly. The Control Panel allows the users to configure their computer, add or remove programs, and change settings.&lt;br/&gt;&lt;br/&gt;If you enable this setting, Control Panel sets the classic Control Panel. The user cannot switch to the new simple style.&lt;br/&gt;&lt;br/&gt;If you disable this setting, Control Panel is set to the task-based style. 
The user cannot switch to the classic Control Panel style.&lt;br/&gt;&lt;br/&gt;If you do not configure it, the default is the task-based style, which the user can change." gpmc_supported="At least Microsoft Windows XP Professional or Windows Server 2003 family">Force classic Control Panel Style</a></td><td>Enabled</td><td>System - Lock down Control Panel and Win Explorer</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Show only specified Control Panel applets" gpmc_settingPath="User Configuration/Administrative Templates/Control Panel" gpmc_settingDescription="Hides all Control Panel items and folders except those specified in this setting.&lt;br/&gt;&lt;br/&gt;This setting removes all Control Panel items (such as Network) and folders (such as Fonts) from the Control Panel window and the Start menu. It removes Control Panel items you have added to your system, as well the Control Panel items included in Windows 2000 and Windows XP Professional. The only items displayed in Control Panel are those you specify in this setting.&lt;br/&gt;&lt;br/&gt;To display a Control Panel item, type the file name of the item, such as Ncpa.cpl (for Network). To display a folder, type the folder name, such as Fonts.&lt;br/&gt;&lt;br/&gt;This setting affects the Start menu and Control Panel window only. 
It does not prevent users from running any Control Panel items.&lt;br/&gt;&lt;br/&gt;Also, see the &amp;quot;Remove Display in Control Panel&amp;quot; setting in User Configuration\Administrative Templates\Control Panel\Display.&lt;br/&gt;&lt;br/&gt;If both the &amp;quot;Hide specified Control Panel applets&amp;quot; setting and the &amp;quot;Show only specified Control Panel applets&amp;quot; setting are enabled, the &amp;quot;Show only specified Control Panel applets&amp;quot; setting is ignored.&lt;br/&gt;&lt;br/&gt;Tip: To find the file name of a Control Panel item, search for files with the .cpl file name extension in the %Systemroot%\System32 directory." gpmc_supported="At least Microsoft Windows 2000">Show only specified Control Panel applets</a></td><td>Enabled</td><td>System - Lock down Control Panel and Win Explorer</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td colspan="2"><table class="subtable" cellpadding="0" cellspacing="0"> <tr><th scope="col">List of allowed Control Panel applets</th></tr> <tr><td>Printers and Faxes</td></tr> <tr><td>Printers</td></tr> </table></td></tr><tr><td colspan="2">To create a list of allowed Control Panel applets, click Show,</td></tr><tr><td colspan="2">then Add, and enter the Control Panel file name (ends with .cpl)</td></tr><tr><td colspan="2">or the name displayed under that item in the Control Panel.</td></tr><tr><td colspan="2">(e.g., desk.cpl, powercfg.cpl, Printers)</td></tr></table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Control Panel/Display</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Remove 
Display in Control Panel" gpmc_settingPath="User Configuration/Administrative Templates/Control Panel/Display" gpmc_settingDescription="Disables Display in Control Panel.&lt;br/&gt;&lt;br/&gt;If you enable this setting, Display in Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action.&lt;br/&gt;&lt;br/&gt;Also, see the &amp;quot;Prohibit access to the Control Panel&amp;quot; (User Configuration\Administrative Templates\Control Panel) and &amp;quot;Remove programs on Settings menu&amp;quot; (User Configuration\Administrative Templates\Start Menu &amp;amp; Taskbar) settings." gpmc_supported="At least Microsoft Windows 2000">Remove Display in Control Panel</a></td><td>Enabled</td><td>System - Lock down Control Panel and Win Explorer</td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Control Panel/Printers</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Point and Print Restrictions" gpmc_settingPath="User Configuration/Administrative Templates/Control Panel/Printers" gpmc_settingDescription="This policy setting restricts the servers that a client can connect to for point and print. 
The policy setting applies only to non Print Administrators clients, and only to machines that are members of a domain.&lt;br/&gt;&lt;br/&gt;When the policy setting is enabled, the client can be restricted to only point and print to a server within its own forest, and/or to a list of explicitly trusted servers.&lt;br/&gt;&lt;br/&gt;When the policy setting is not-configured, it defaults to allowing point and print only within the client's forest.&lt;br/&gt;&lt;br/&gt;When the policy setting is disabled, client machines can point and print to any server." gpmc_supported="At least Microsoft Windows XP Professional with SP1 or Windows Server 2003 family">Point and Print Restrictions</a></td><td>Disabled</td><td>Default Domain Policy in use</td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Desktop</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Hide My Network Places icon on desktop" gpmc_settingPath="User Configuration/Administrative Templates/Desktop" gpmc_settingDescription="Removes the My Network Places icon from the desktop.&lt;br/&gt;&lt;br/&gt;This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network." 
gpmc_supported="At least Microsoft Windows 2000">Hide My Network Places icon on desktop</a></td><td>Enabled</td><td>System - remove run, find, hide drive, network, shutdown</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Remove My Computer icon on the desktop" gpmc_settingPath="User Configuration/Administrative Templates/Desktop" gpmc_settingDescription="This setting hides My Computer from the desktop and from the new Start menu. It also hides links to My Computer in the Web view of all Explorer windows, and it hides My Computer in the Explorer folder tree pane. If the user navigates into My Computer via the &amp;quot;Up&amp;quot; button while this setting is enabled, they view an empty My Computer folder. This setting allows administrators to restrict their users from seeing My Computer in the shell namespace, allowing them to present their users with a simpler desktop environment.&lt;br/&gt;&lt;br/&gt;If you enable this setting, My Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to My Computer, the folder will be empty.&lt;br/&gt;&lt;br/&gt;If you disable this setting, My Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting.&lt;br/&gt;&lt;br/&gt;If you do not configure this setting, the default is to display My Computer as usual.&lt;br/&gt;&lt;br/&gt;Note: Hiding My Computer and its contents does not hide the contents of the child folders of My Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled." 
gpmc_supported="At least Microsoft Windows XP Professional or Windows Server 2003 family">Remove My Computer icon on the desktop</a></td><td>Enabled</td><td>System - remove run, find, hide drive, network, shutdown</td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Microsoft Office 2003/Assistant/General</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Choose Assistant file" gpmc_settingPath="User Configuration/Administrative Templates/Microsoft Office 2003/Assistant/General" gpmc_settingDescription="" gpmc_supported="">Choose Assistant file</a></td><td>Disabled</td><td>Software - Office setting</td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Microsoft Office 2003/Assistant/Options Tab</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Use the Office Assistant" gpmc_settingPath="User Configuration/Administrative Templates/Microsoft Office 2003/Assistant/Options Tab" gpmc_settingDescription="" gpmc_supported="">Use the Office Assistant</a></td><td>Disabled</td><td>Software - Office setting</td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Microsoft Office Outlook 2003/Disable items in user interface/Custom</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" 
cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Disable command bar buttons and menu items" gpmc_settingPath="User Configuration/Administrative Templates/Microsoft Office Outlook 2003/Disable items in user interface/Custom" gpmc_settingDescription="" gpmc_supported="">Disable command bar buttons and menu items</a></td><td>Enabled</td><td>Software - Office setting</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td colspan="2"><table class="subtable" cellpadding="0" cellspacing="0"> <tr><th scope="col">Enter a command bar ID to disable</th></tr> <tr><td>1886</td></tr> <tr><td>1004</td></tr> </table></td></tr></table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Microsoft Office Outlook 2003/Disable items in user interface/Predefined</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Disable command bar buttons and menu items" gpmc_settingPath="User Configuration/Administrative Templates/Microsoft Office Outlook 2003/Disable items in user interface/Predefined" gpmc_settingDescription="" gpmc_supported="">Disable command bar buttons and menu items</a></td><td>Enabled</td><td>Software - Office setting</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>All folders and items: Tools | Speech</td><td>Disabled</td></tr> <tr><td>All folders and items: Tools | Tools on the Web...</td><td>Disabled</td></tr> <tr><td>All folders and 
items: Tools | Customize</td><td>Disabled</td></tr> <tr><td>All folders and items: Tools | Forms | Design Options</td><td>Disabled</td></tr> <tr><td>All folders and items: Help | Microsoft Office Online</td><td>Enabled</td></tr> <tr><td>All folders and items: Help | Activate Product...</td><td>Enabled</td></tr> <tr><td>All folders and items: Help | Detect and Repair</td><td>Enabled</td></tr> <tr><td>All folders: Go menu</td><td>Disabled</td></tr> <tr><td>All folders: Go | Internet Call</td><td>Disabled</td></tr> <tr><td>Inbox: Tools | E-mail Accounts...</td><td>Disabled</td></tr> <tr><td>Mail item: View | Bcc Field</td><td>Disabled</td></tr> <tr><td>Mail item: View | From Field</td><td>Disabled</td></tr> <tr><td>Contact item: Actions | Display Map of Address</td><td>Disabled</td></tr> <tr><td>Web toolbar: Refresh Current Page</td><td>Disabled</td></tr> <tr><td>Web toolbar: Start Page</td><td>Disabled</td></tr> <tr><td>Web toolbar: Search the Web</td><td>Disabled</td></tr> <tr><td>Web toolbar: Address</td><td>Disabled</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Microsoft Office Outlook 2003/Tools | Options.../Other/AutoArchive</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="AutoArchive Settings" gpmc_settingPath="User Configuration/Administrative Templates/Microsoft Office Outlook 2003/Tools | Options.../Other/AutoArchive" gpmc_settingDescription="" gpmc_supported="">AutoArchive Settings</a></td><td>Enabled</td><td>Software - Office setting</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Turn on AutoArchive</td><td>Disabled</td></tr> 
<tr><td>Run AutoArchive every &lt;x&gt; days</td><td>60</td></tr> <tr><td>Prompt before AutoArchive runs</td><td>Enabled</td></tr> <tr><td colspan="2"> </td></tr><tr><td colspan="2">During AutoArchive:</td></tr><tr><td>Delete expired items (e-mail folders only)</td><td>Enabled</td></tr> <tr><td>Archive or delete old items</td><td>Enabled</td></tr> <tr><td>Show archive folder in folder list</td><td>Enabled</td></tr> <tr><td>Clean out items older than</td><td>6</td></tr> <tr><td> </td><td>Months</td></tr> <tr><td>Permanently delete old items</td><td>Disabled</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Microsoft Office Outlook 2003/Tools | Options.../Security</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Enable links in e-mail messages" gpmc_settingPath="User Configuration/Administrative Templates/Microsoft Office Outlook 2003/Tools | Options.../Security" gpmc_settingDescription="" gpmc_supported="">Enable links in e-mail messages</a></td><td>Enabled</td><td>Software - Office setting</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Check to enforce setting on; uncheck to enforce setting off</td><td>Enabled</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Start Menu and Taskbar</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" 
onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Force classic Start Menu" gpmc_settingPath="User Configuration/Administrative Templates/Start Menu and Taskbar" gpmc_settingDescription="This setting effects the presentation of the Start menu.&lt;br/&gt;&lt;br/&gt;The classic Start menu in Windows 2000 Professional allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: My Documents, My Pictures, My Music, My Computer, and My Network Places. The new Start menu starts them directly.&lt;br/&gt;&lt;br/&gt;If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons.&lt;br/&gt;&lt;br/&gt;If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page.&lt;br/&gt;&lt;br/&gt;If you do not configure this setting, the default is the new style, and the user can change the view." 
gpmc_supported="At least Microsoft Windows XP Professional or Windows Server 2003 family">Force classic Start Menu</a></td><td>Disabled</td><td>System - Lock down Control Panel and Win Explorer</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Remove and prevent access to the Shut Down command" gpmc_settingPath="User Configuration/Administrative Templates/Start Menu and Taskbar" gpmc_settingDescription="Prevents users from shutting down or restarting Windows.&lt;br/&gt;&lt;br/&gt;This setting removes the Shut Down option from the Start menu and disables the Shut Down button on the Windows Security dialog box, which appears when you press CTRL+ALT+DEL.&lt;br/&gt;&lt;br/&gt;This setting prevents users from using the Windows user interface to shut down the system, although it does not prevent them from running programs that shut down Windows. &lt;br/&gt;&lt;br/&gt;If you disable this setting or do not configure it, the Shut Down menu option appears, and the Shut Down button is enabled.&lt;br/&gt;&lt;br/&gt;Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting." gpmc_supported="At least Microsoft Windows 2000">Remove and prevent access to the Shut Down command</a></td><td>Enabled</td><td>System - remove run, find, hide drive, network, shutdown</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Remove My Network Places icon from Start Menu" gpmc_settingPath="User Configuration/Administrative Templates/Start Menu and Taskbar" gpmc_settingDescription="Removes the My Network Places icon from the Start Menu." 
gpmc_supported="At least Microsoft Windows XP Professional or Windows Server 2003 family">Remove My Network Places icon from Start Menu</a></td><td>Enabled</td><td>System - remove run, find, hide drive, network, shutdown</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Remove Run menu from Start Menu" gpmc_settingPath="User Configuration/Administrative Templates/Start Menu and Taskbar" gpmc_settingDescription="Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager.&lt;br/&gt;&lt;br/&gt;If you enable this setting, the following changes occur:&lt;br/&gt;&lt;br/&gt;(1) The Run command is removed from the Start menu.&lt;br/&gt;&lt;br/&gt;(2) The New Task (Run) command is removed from Task Manager.&lt;br/&gt;&lt;br/&gt;(3) The user will be blocked from entering the following into the Internet Explorer Address Bar:&lt;br/&gt;&lt;br/&gt;--- A UNC path: \\&amp;lt;server&amp;gt;\&amp;lt;share&amp;gt; &lt;br/&gt;&lt;br/&gt;---Accessing local drives: e.g., C:&lt;br/&gt;&lt;br/&gt;--- Accessing local folders: e.g., \temp&amp;gt;&lt;br/&gt;&lt;br/&gt;Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R.&lt;br/&gt;&lt;br/&gt;If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;Note:This setting affects the specified interface only. It does not prevent users from using other methods to run programs.&lt;br/&gt;&lt;br/&gt;Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting." 
gpmc_supported="At least Microsoft Windows 2000">Remove Run menu from Start Menu</a></td><td>Enabled</td><td>System - remove run, find, hide drive, network, shutdown</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Remove Search menu from Start Menu" gpmc_settingPath="User Configuration/Administrative Templates/Start Menu and Taskbar" gpmc_settingDescription="Removes the Search item from the Start menu, and disables some Windows Explorer search elements.&lt;br/&gt;&lt;br/&gt;This setting removes the Search item from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F.&lt;br/&gt;&lt;br/&gt;In Windows Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses Ctrl+F. Also, Search does not appear in the context menu when you right-click an icon representing a drive or a folder.&lt;br/&gt;&lt;br/&gt;This setting affects the specified user interface elements only. It does not affect Internet Explorer and does not prevent the user from using other methods to search.&lt;br/&gt;&lt;br/&gt;Also, see the &amp;quot;Remove Search button from Windows Explorer&amp;quot; setting in User Configuration\Administrative Templates\Windows Components\Windows Explorer.&lt;br/&gt;&lt;br/&gt;Note:&lt;br/&gt;&lt;br/&gt;This setting also prevents the user from using the F3 key." 
gpmc_supported="At least Microsoft Windows 2000">Remove Search menu from Start Menu</a></td><td>Enabled</td><td>System - remove run, find, hide drive, network, shutdown</td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">System</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Prevent access to registry editing tools" gpmc_settingPath="User Configuration/Administrative Templates/System" gpmc_settingDescription="Disables the Windows registry editor Regedit.exe.&lt;br/&gt;&lt;br/&gt;If this setting is enabled and the user tries to start a registry editor, a message appears explaining that a setting prevents the action.&lt;br/&gt;&lt;br/&gt;To prevent users from using other administrative tools, use the &amp;quot;Run only allowed Windows applications&amp;quot; setting." 
gpmc_supported="At least Microsoft Windows 2000">Prevent access to registry editing tools</a></td><td>Enabled</td><td>System - disable registry editing</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Disable regedit from running silently?</td><td>No</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run only allowed Windows applications" gpmc_settingPath="User Configuration/Administrative Templates/System" gpmc_settingDescription="Limits the Windows programs that users have permission to run on the computer.&lt;br/&gt;&lt;br/&gt;If you enable this setting, users can only run programs that you add to the List of Allowed Applications.&lt;br/&gt;&lt;br/&gt;This setting only prevents users from running programs that are started by the Windows Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt, Cmd.exe, this setting does not prevent them from starting programs in the command window that they are not permitted to start by using Windows Explorer.&lt;br/&gt;&lt;br/&gt;Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. Note: To create a list of allowed applications, click Show, click Add, and then enter the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe)." 
gpmc_supported="At least Microsoft Windows 2000">Run only allowed Windows applications</a></td><td>Enabled</td><td>Software - Corporate Sales Manager</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td colspan="2"><table class="subtable" cellpadding="0" cellspacing="0"> <tr><th scope="col">List of allowed applications</th></tr> <tr><td>tt.exe</td></tr> <tr><td>mstsc.exe</td></tr> <tr><td>winword.exe</td></tr> <tr><td>desktop.exe</td></tr> <tr><td>iexplore.exe</td></tr> <tr><td>ishadowu.exe</td></tr> <tr><td>rundll32.exe</td></tr> <tr><td>shimgvw.dll</td></tr> <tr><td>outlook.exe</td></tr> <tr><td>jrlogon.bat</td></tr> <tr><td>excel.exe</td></tr> <tr><td>MSPVIEW.EXE</td></tr> <tr><td>notepad.exe</td></tr> <tr><td>calc.exe</td></tr> <tr><td>wmplayer.exe</td></tr> <tr><td>ifmember.exe</td></tr> <tr><td>acrord32.exe</td></tr> <tr><td>firefox.exe</td></tr> <tr><td>pptview.exe</td></tr> <tr><td>jrishadownyc1.rdp</td></tr> <tr><td>ishadowm.exe</td></tr> <tr><td>mspaint.exe</td></tr> <tr><td>ishadow.exe</td></tr> <tr><td>ois.exe</td></tr> <tr><td>wordpad.exe</td></tr> <tr><td>prowin32.exe</td></tr> <tr><td>powerpnt.exe</td></tr> <tr><td>inetinfo.exe</td></tr> <tr><td>jrishadowqe1.rdp</td></tr> <tr><td>ishadowdesktop.exe</td></tr> </table></td></tr></table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Internet Explorer</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Disable changing Profile Assistant settings" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer" gpmc_settingDescription="Prevents users 
from changing Profile Assistant settings.&lt;br/&gt;&lt;br/&gt;If you enable this policy, the My Profile button appears dimmed in the Personal Information area on the Content tab in the Internet Options dialog box.&lt;br/&gt;&lt;br/&gt;If you disable this policy or do not configure it, users can change their profile information, such as their street and e-mail addresses.&lt;br/&gt;&lt;br/&gt;The &amp;quot;Disable the Connections page&amp;quot; policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Connections tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored." gpmc_supported="at least Internet Explorer v5.0">Disable changing Profile Assistant settings</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Do not allow users to enable or disable add-ons" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer" gpmc_settingDescription="This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Add-On Manager.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users cannot enable or disable add-ons through Add-On Manager. The only exception occurs if an add-on has been specifically entered into the 'Add-On List' policy setting in such a way as to allow users to continue to manage the add-on. In this case, the user can still manage the add-on through the Add-On Manager.&lt;br/&gt;&lt;br/&gt;If you disable or do not configure this policy setting, the appropriate controls in the Add-On Manager will be available to the user." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Do not allow users to enable or disable add-ons</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Turn off Crash Detection" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer" gpmc_settingDescription="This policy setting allows you to manage the crash detection feature of add-on Management.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply.&lt;br/&gt;&lt;br/&gt;If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Turn off Crash Detection</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Internet Explorer/Browser menus</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Help menu: Remove 'For Netscape Users' menu option" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Browser menus" gpmc_settingDescription="Prevents users from displaying tips for users who are switching from Netscape.&lt;br/&gt;&lt;br/&gt;If you enable this policy, the For Netscape Users command is removed from the Help menu.&lt;br/&gt;&lt;br/&gt;If you disable this policy or do not configure it, users can display content about switching from Netscape by clicking the For Netscape Users command on the Help menu.&lt;br/&gt;&lt;br/&gt;Caution: Enabling this policy does not remove the tips for Netscape users from the Microsoft Internet Explorer Help file." 
gpmc_supported="at least Internet Explorer v5.0">Help menu: Remove 'For Netscape Users' menu option</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Help menu: Remove 'Send Feedback' menu option" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Browser menus" gpmc_settingDescription="Prevents users from sending feedback to Microsoft by clicking the Send Feedback command on the Help menu.&lt;br/&gt;&lt;br/&gt;If you enable this policy, the Send Feedback command is removed from the Help menu.&lt;br/&gt;&lt;br/&gt;If you disable this policy or do not configure it, users can fill out an Internet form to provide feedback about Microsoft products." gpmc_supported="at least Internet Explorer v5.0">Help menu: Remove 'Send Feedback' menu option</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Help menu: Remove 'Tip of the Day' menu option" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Browser menus" gpmc_settingDescription="Prevents users from viewing or changing the Tip of the Day interface in Microsoft Internet Explorer.&lt;br/&gt;&lt;br/&gt;If you enable this policy, the Tip of the Day command is removed from the Help menu.&lt;br/&gt;&lt;br/&gt;If you disable this policy or do not configure it, users can enable or disable the Tip of the Day, which appears at the bottom of the browser." 
gpmc_supported="at least Internet Explorer v5.0">Help menu: Remove 'Tip of the Day' menu option</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Help menu: Remove 'Tour' menu option" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Browser menus" gpmc_settingDescription="Prevents users from running the Internet Explorer Tour from the Help menu in Internet Explorer.&lt;br/&gt;&lt;br/&gt;If you enable this policy, the Tour command is removed from the Help menu.&lt;br/&gt;&lt;br/&gt;If you disable this policy or do not configure it, users can run the tour from the Help menu." gpmc_supported="">Help menu: Remove 'Tour' menu option</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="View menu: Disable Full Screen menu option" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Browser menus" gpmc_settingDescription="Prevents users from displaying the browser in full-screen (kiosk) mode, without the standard toolbar.&lt;br/&gt;&lt;br/&gt;If you enable this policy, the Full Screen command on the View menu will appear dimmed, and pressing F11 will not display the browser in a full screen.&lt;br/&gt;&lt;br/&gt;If you disable this policy or do not configure it, users can display the browser in a full screen.&lt;br/&gt;&lt;br/&gt;This policy is intended to prevent users from displaying the browser without toolbars, which might be confusing for some beginning users." 
gpmc_supported="at least Internet Explorer v5.0">View menu: Disable Full Screen menu option</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="View menu: Disable Source menu option" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Browser menus" gpmc_settingDescription="Prevents users from viewing the HTML source of Web pages by clicking the Source command on the View menu.&lt;br/&gt;&lt;br/&gt;If you enable this policy, the Source command on the View menu will appear dimmed.&lt;br/&gt;&lt;br/&gt;If you disable this policy or do not configure it, then users can view the HTML source of Web pages from the browser View menu.&lt;br/&gt;&lt;br/&gt;Caution: This policy does not prevent users from viewing the HTML source of a Web page by right-clicking a Web page to open the shortcut menu, and then clicking View Source. To prevent users from viewing the HTML source of a Web page from the shortcut menu, set the &amp;quot;Disable context menu&amp;quot; policy, which disables the entire shortcut menu." 
gpmc_supported="at least Internet Explorer v5.0">View menu: Disable Source menu option</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Internet Explorer/Internet Control Panel</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Disable the Connections page" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel" gpmc_settingDescription="Removes the Connections tab from the interface in the Internet Options dialog box.&lt;br/&gt;&lt;br/&gt;If you enable this policy, users are prevented from seeing and changing connection and proxy settings.&lt;br/&gt;&lt;br/&gt;If you disable this policy or do not configure it, users can see and change these settings.&lt;br/&gt;&lt;br/&gt;When you set this policy, you do not need to set the following policies for the Content tab, because this policy removes the Connections tab from the interface:&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable Internet Connection Wizard&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing connection settings&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing proxy settings&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing Automatic Configuration settings&amp;quot;" gpmc_supported="at least Internet Explorer v5.0">Disable the Connections page</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Disable the General page" gpmc_settingPath="User Configuration/Administrative 
Templates/Windows Components/Internet Explorer/Internet Control Panel" gpmc_settingDescription="Removes the General tab from the interface in the Internet Options dialog box.&lt;br/&gt;&lt;br/&gt;If you enable this policy, users are unable to see and change settings for the home page, the cache, history, Web page appearance, and accessibility.&lt;br/&gt;&lt;br/&gt;If you disable this policy or do not configure it, users can see and change these settings.&lt;br/&gt;&lt;br/&gt;When you set this policy, you do not need to set the following Internet Explorer policies (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\), because this policy removes the General tab from the interface:&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing home page settings&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing Temporary Internet files settings&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing history settings&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing color settings&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing link color settings&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing font settings&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing language settings&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing accessibility settings&amp;quot;" gpmc_supported="at least Internet Explorer v5.0">Disable the General page</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Disable the Privacy page" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel" gpmc_settingDescription="Removes the Privacy tab from the interface in the Internet Options dialog box.&lt;br/&gt;&lt;br/&gt;If you enable this policy, users are prevented from seeing and changing default settings for 
privacy.&lt;br/&gt;&lt;br/&gt;If you disable this policy or do not configure it, users can see and change these settings." gpmc_supported="at least Internet Explorer v5.0">Disable the Privacy page</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Disable the Programs page" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel" gpmc_settingDescription="Removes the Programs tab from the interface in the Internet Options dialog box.&lt;br/&gt;&lt;br/&gt;If you enable this policy, users are prevented from seeing and changing default settings for Internet programs.&lt;br/&gt;&lt;br/&gt;If you disable this policy or do not configure it, users can see and change these settings.&lt;br/&gt;&lt;br/&gt;When you set this policy, you do not need to set the following policies for the Programs tab, because this policy removes the Programs tab from the interface:&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing Messaging settings&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing Calendar and Contact settings&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable the Reset Web Settings feature&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Disable changing default browser check&amp;quot;" gpmc_supported="at least Internet Explorer v5.0">Disable the Programs page</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Disable the Security page" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel" gpmc_settingDescription="Removes the Security tab from the interface in the Internet Options dialog box.&lt;br/&gt;&lt;br/&gt;If you enable this policy, it prevents users from seeing and 
changing settings for security zones, such as scripting, downloads, and user authentication.&lt;br/&gt;&lt;br/&gt;If you disable this policy or do not configure it, users can see and change these settings.&lt;br/&gt;&lt;br/&gt;When you set this policy, you do not need to set the following Internet Explorer policies, because this policy removes the Security tab from the interface:&lt;br/&gt;&lt;br/&gt;&amp;quot;Security zones: Do not allow users to change policies&amp;quot;&lt;br/&gt;&lt;br/&gt;&amp;quot;Security zones: Do not allow users to add/delete sites&amp;quot;" gpmc_supported="at least Internet Explorer v5.0">Disable the Security page</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Internet Explorer/Internet Control Panel/Advanced Page</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Empty Temporary Internet Files folder when browser is closed" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Advanced Page" gpmc_settingDescription="This policy setting allows you to manage whether Internet Explorer deletes the contents of the Temporary Internet Files folder after all browser windows are closed. 
This protects against storing dangerous files on the computer, or storing sensitive files that other users could see, in addition to managing total disk space usage.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will delete the contents of the user's Temporary Internet Files folder when all browser windows are closed.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not delete the contents of the user's Temporary Internet Files folder when browser windows are closed.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy, Internet Explorer will not delete the contents of the Temporary Internet Files folder when browser windows are closed." gpmc_supported="at least Internet Explorer v6.0 in Windows 2003 Service Pack 1">Empty Temporary Internet Files folder when browser is closed</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> </table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Internet Explorer/Internet Control Panel/Security Page</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Internet Zone Template" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page" gpmc_settingDescription="This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.&lt;br/&gt;&lt;br/&gt;If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. 
&lt;br/&gt;&lt;br/&gt;If you disable this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;If you do not configure this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.&lt;br/&gt;&lt;br/&gt;Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Internet Zone Template</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Internet</td><td>&nbsp;</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Intranet Zone Template" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page" gpmc_settingDescription="This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.&lt;br/&gt;&lt;br/&gt;If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard 
template defaults. &lt;br/&gt;&lt;br/&gt;If you disable this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;If you do not configure this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.&lt;br/&gt;&lt;br/&gt;Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Intranet Zone Template</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Intranet</td><td>Medium Low</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Local Machine Zone Template" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page" gpmc_settingDescription="This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.&lt;br/&gt;&lt;br/&gt;If you enable this template policy setting and select a security level, all values for individual settings in the zone will be 
overwritten by the standard template defaults. &lt;br/&gt;&lt;br/&gt;If you disable this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;If you do not configure this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.&lt;br/&gt;&lt;br/&gt;Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Local Machine Zone Template</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Local Machine Zone</td><td>Medium</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Locked-Down Internet Zone Template" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page" gpmc_settingDescription="This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.&lt;br/&gt;&lt;br/&gt;If you enable this template policy setting and select a security level, all values for 
individual settings in the zone will be overwritten by the standard template defaults. &lt;br/&gt;&lt;br/&gt;If you disable this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;If you do not configure this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.&lt;br/&gt;&lt;br/&gt;Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Locked-Down Internet Zone Template</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Locked-Down Internet</td><td>&nbsp;</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Locked-Down Intranet Zone Template" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page" gpmc_settingDescription="This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.&lt;br/&gt;&lt;br/&gt;If you enable this template policy 
setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. &lt;br/&gt;&lt;br/&gt;If you disable this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;If you do not configure this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.&lt;br/&gt;&lt;br/&gt;Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Locked-Down Intranet Zone Template</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Locked-Down Intranet</td><td>Medium Low</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Locked-Down Local Machine Zone Template" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page" gpmc_settingDescription="This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.&lt;br/&gt;&lt;br/&gt;If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. &lt;br/&gt;&lt;br/&gt;If you disable this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;If you do not configure this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.&lt;br/&gt;&lt;br/&gt;Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. 
You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Locked-Down Local Machine Zone Template</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Locked-Down Local Machine Zone</td><td>Medium</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Locked-Down Restricted Sites Zone Template" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page" gpmc_settingDescription="This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.&lt;br/&gt;&lt;br/&gt;If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. &lt;br/&gt;&lt;br/&gt;If you disable this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;If you do not configure this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.&lt;br/&gt;&lt;br/&gt;Note. 
It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Locked-Down Restricted Sites Zone Template</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Locked-Down Restricted Sites</td><td>Medium</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Locked-Down Trusted Sites Zone Template" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page" gpmc_settingDescription="This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.&lt;br/&gt;&lt;br/&gt;If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. &lt;br/&gt;&lt;br/&gt;If you disable this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;If you do not configure this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. 
If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.&lt;br/&gt;&lt;br/&gt;Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Locked-Down Trusted Sites Zone Template</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Locked-Down Trusted Sites</td><td>Medium Low</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Restricted Sites Zone Template" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page" gpmc_settingDescription="This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.&lt;br/&gt;&lt;br/&gt;If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. &lt;br/&gt;&lt;br/&gt;If you disable this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;If you do not configure this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;Note. 
Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.&lt;br/&gt;&lt;br/&gt;Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Restricted Sites Zone Template</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Restricted Sites</td><td>Medium</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Trusted Sites Zone Template" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page" gpmc_settingDescription="This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.&lt;br/&gt;&lt;br/&gt;If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. 
&lt;br/&gt;&lt;br/&gt;If you disable this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;If you do not configure this template policy setting, no security level is configured.&lt;br/&gt;&lt;br/&gt;Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.&lt;br/&gt;&lt;br/&gt;Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Trusted Sites Zone Template</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Trusted Sites</td><td>Medium Low</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Access data sources across domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This 
policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Access data sources across domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Access data sources across domains</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow active content over restricted protocols to access my computer" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can run active content such as script, ActiveX, Java and Binary Behaviors. 
The list of restricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, no Intranet Zone content accessed is affected, even for protocols on the restricted list. If you select Prompt from the drop-down box, the Information Bar will appear to allow control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, all attempts to access such content over the restricted protocols is blocked.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the Information Bar will appear to allow control over questionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow active content over restricted protocols to access my computer</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow active content over restricted protocols to access my computer</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow active scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether script code on pages in the zone is run.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script code on pages in the zone can run automatically. 
If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script code on pages in the zone is prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, script code on pages in the zone can run automatically." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow active scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow active scripting</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow binary and script behaviors" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, binary and script behaviors are available." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow binary and script behaviors</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow Binary and Script Behaviors</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow drag and drop or copy and paste files" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow drag and drop or copy and paste files</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow drag and drop or copy and paste files</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, files can be downloaded from the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, files are prevented from being downloaded from the zone.&lt;br/&gt;&lt;br/&gt; If you do not configure this policy setting, files can be downloaded from the zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow file downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow font downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether pages of the zone may download HTML fonts.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, HTML fonts are prevented from downloading.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, HTML fonts can be downloaded automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow font downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow font downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow installation of desktop items" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from installing desktop items from this zone. &lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow installation of desktop items</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow installation of desktop items</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow META REFRESH" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow META REFRESH</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow META REFRESH</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow paste operations via script" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a script can perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a script cannot perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a script can perform a clipboard operation." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow paste operations via script</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow paste operations via script</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow script-initiated windows without size or position constraints" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow script-initiated windows without size or position constraints</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow script-initiated windows without size or position constraints</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting manages whether users will be automatically prompted for ActiveX control installations.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX control installations will be blocked using the Information Bar. Users can click on the Information Bar to allow the ActiveX control prompt.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, ActiveX control installations will be blocked using the Information Bar. Users can click on the Information Bar to allow the ActiveX control prompt." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for ActiveX controls</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.&lt;br/&gt;&lt;br/&gt;If you enable this setting, users will receive a file download dialog for automatic download attempts.&lt;br/&gt;&lt;br/&gt;If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Information Bar instead of the file download dialog. Users can then click the Information Bar to allow the file download prompt." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for file downloads</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Display mixed content" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nonsecure content can be displayed.&lt;br/&gt;&lt;br/&gt;If the drop-down box is set to Prompt, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot receive the security information message and nonsecure content cannot be displayed.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Display mixed content</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Display mixed content</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Do not prompt for client certificate selection when no certificates or only one certificate exists." gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one certificate exists.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer does not prompt users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer prompts users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has no certificate or only one certificate." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Do not prompt for client certificate selection when no certificates or only one certificate exists.</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Do not prompt for client certificate selection when no certificates or only one certificate exists.</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download signed ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.&lt;br/&gt;&lt;br/&gt;If you disable the policy setting, signed controls cannot be downloaded.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download signed ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download signed ActiveX controls</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download unsigned ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot run unsigned controls.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users cannot run unsigned controls." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download unsigned ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download unsigned ActiveX controls</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Initialize and script ActiveX controls not marked as safe" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage ActiveX controls not marked as safe.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Initialize and script ActiveX controls not marked as safe</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Initialize and script ActiveX controls not marked as safe</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Java permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage permissions for Java applets.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.&lt;br/&gt;&lt;br/&gt;Low Safety enables applets to perform all operations.&lt;br/&gt;&lt;br/&gt;Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. &lt;br/&gt;&lt;br/&gt;High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Java applets cannot run.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the permission is set to High Safety." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Java permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Java permissions</td><td>High safety</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Launching applications and files in an IFRAME" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Launching applications and files in an IFRAME</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Launching applications and files in an IFRAME</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Logon options" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage settings for logon options.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose from the following logon options.&lt;br/&gt;&lt;br/&gt;Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.&lt;br/&gt;&lt;br/&gt;Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. 
If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Logon options</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Logon options</td><td>Automatic logon only in Intranet zone</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Navigate sub-frames across different domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage the opening of sub-frames and access of applications across different domains.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can open sub-frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow sub-frames or access to applications from other domains.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot open sub-frames or access applications from different domains.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can open sub-frames from other domains and access applications from other domains." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Navigate sub-frames across different domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Navigate sub-frames across different domains</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Open files based on content, not file extension" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Open files based on content, not file extension</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Open files based on content, not file extension</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components not signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will execute unsigned managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components not signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components not signed with Authenticode</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will execute signed managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components signed with Authenticode</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run ActiveX controls and plugins" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, controls and plug-ins can run without user intervention.&lt;br/&gt;&lt;br/&gt;If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, controls and plug-ins are prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, controls and plug-ins can run without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run ActiveX controls and plugins</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run ActiveX controls and plugins</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Script ActiveX controls marked safe for scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script interaction can occur automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script interaction is prevented from occurring.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, script interaction can occur automatically without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Script ActiveX controls marked safe for scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Script ActiveX controls marked safe for scripting</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Scripting of Java applets" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether applets are exposed to scripts within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, scripts can access applets automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, scripts are prevented from accessing applets.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, scripts can access applets automatically without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Scripting of Java applets</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Scripting of Java applets</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Software channel permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage software channel permissions.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose the following options from the drop-down box.&lt;br/&gt;&lt;br/&gt;Low safety to allow users to be notified of software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;Medium safety to allow users to be notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.&lt;br/&gt;&lt;br/&gt;High safety to prevent users from being notified of software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, permissions are set to high safety.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, permissions are set to Medium safety." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Software channel permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Software channel permissions</td><td>Medium safety</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Submit non-encrypted form data" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submission.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, information using HTML forms on pages in this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow information using HTML forms on pages in this zone to be submitted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, information using HTML forms on pages in this zone is prevented from being submitted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to allow information using HTML forms on pages in this zone to be submitted." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Submit non-encrypted form data</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Submit non-encrypted form data</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Use Pop-up Blocker" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, pop-up windows are not prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Use Pop-up Blocker</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Use Pop-up Blocker</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Userdata persistence" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Userdata persistence</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Userdata persistence</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Web sites in less privileged Web content zones can navigate into this zone" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Web sites in less privileged Web content zones can navigate into this zone</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Web sites in less privileged Web content zones can navigate into this zone</td><td>Enable</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Access data sources across domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. 
If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Access data sources across domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Access data sources across domains</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow active content over restricted protocols to access my computer" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, no Intranet Zone content accessed is affected, even for protocols on the restricted list. 
If you select Prompt from the drop-down box, the Information Bar will appear to allow control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, all attempts to access such content over the restricted protocols is blocked.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the Information Bar will appear to allow control over questionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow active content over restricted protocols to access my computer</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow active content over restricted protocols to access my computer</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow active scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether script code on pages in the zone is run.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script code on pages in the zone can run automatically. 
If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script code on pages in the zone is prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, script code on pages in the zone can run automatically." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow active scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow active scripting</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow binary and script behaviors" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, binary and script behaviors are available." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow binary and script behaviors</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow Binary and Script Behaviors</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow drag and drop or copy and paste files" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow drag and drop or copy and paste files</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow drag and drop or copy and paste files</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, files can be downloaded from the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, files are prevented from being downloaded from the zone.&lt;br/&gt;&lt;br/&gt; If you do not configure this policy setting, files can be downloaded from the zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow file downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow font downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether pages of the zone may download HTML fonts.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, HTML fonts are prevented from downloading.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, HTML fonts can be downloaded automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow font downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow font downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow installation of desktop items" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from installing desktop items from this zone. &lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow installation of desktop items</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow installation of desktop items</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow META REFRESH" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow META REFRESH</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow META REFRESH</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow paste operations via script" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a script can perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a script cannot perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a script can perform a clipboard operation." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow paste operations via script</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow paste operations via script</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow script-initiated windows without size or position constraints" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow script-initiated windows without size or position constraints</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow script-initiated windows without size or position constraints</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting manages whether users will be automatically prompted for ActiveX control installations.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX control installations will be blocked using the Information Bar. Users can click on the Information Bar to allow the ActiveX control prompt.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for ActiveX controls</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.&lt;br/&gt;&lt;br/&gt;If you enable this setting, users will receive a file download dialog for automatic download attempts.&lt;br/&gt;&lt;br/&gt;If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for file downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Display mixed content" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nonsecure content can be displayed.&lt;br/&gt;&lt;br/&gt;If the drop-down box is set to Prompt, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot receive the security information message and nonsecure content cannot be displayed.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Display mixed content</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Display mixed content</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Do not prompt for client certificate selection when no certificates or only one certificate exists." gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one certificate exists.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer does not prompt users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer prompts users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer does not prompt users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Do not prompt for client certificate selection when no certificates or only one certificate exists.</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Do not prompt for client certificate selection when no certificates or only one certificate exists.</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download signed ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.&lt;br/&gt;&lt;br/&gt;If you disable the policy setting, signed controls cannot be downloaded.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download signed ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download signed ActiveX controls</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download unsigned ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot run unsigned controls.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users cannot run unsigned controls." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download unsigned ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download unsigned ActiveX controls</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Initialize and script ActiveX controls not marked as safe" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage ActiveX controls not marked as safe.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Initialize and script ActiveX controls not marked as safe</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Initialize and script ActiveX controls not marked as safe</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Java permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage permissions for Java applets.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.&lt;br/&gt;&lt;br/&gt;Low Safety enables applets to perform all operations.&lt;br/&gt;&lt;br/&gt;Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.&lt;br/&gt;&lt;br/&gt;High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Java applets cannot run.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the permission is set to Medium Safety." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Java permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Java permissions</td><td>Medium safety</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Launching applications and files in an IFRAME" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Launching applications and files in an IFRAME</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Launching applications and files in an IFRAME</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Logon options" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage settings for logon options.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose from the following logon options.&lt;br/&gt;&lt;br/&gt;Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.&lt;br/&gt;&lt;br/&gt;Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. 
If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Logon options</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Logon options</td><td>Automatic logon only in Intranet zone</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Navigate sub-frames across different domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage the opening of sub-frames and access of applications across different domains.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can open sub-frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow sub-frames or access to applications from other domains.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot open sub-frames or access applications from different domains.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can open sub-frames from other domains and access applications from other domains." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Navigate sub-frames across different domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Navigate sub-frames across different domains</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Open files based on content, not file extension" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Open files based on content, not file extension</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Open files based on content, not file extension</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components not signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will execute unsigned managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components not signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components not signed with Authenticode</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will execute signed managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components signed with Authenticode</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run ActiveX controls and plugins" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, controls and plug-ins can run without user intervention.&lt;br/&gt;&lt;br/&gt;If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, controls and plug-ins are prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, controls and plug-ins can run without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run ActiveX controls and plugins</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run ActiveX controls and plugins</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Script ActiveX controls marked safe for scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script interaction can occur automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script interaction is prevented from occurring.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, script interaction can occur automatically without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Script ActiveX controls marked safe for scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Script ActiveX controls marked safe for scripting</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Scripting of Java applets" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether applets are exposed to scripts within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, scripts can access applets automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, scripts are prevented from accessing applets.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, scripts can access applets automatically without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Scripting of Java applets</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Scripting of Java applets</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Software channel permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage software channel permissions.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose the following options from the drop-down box.&lt;br/&gt;&lt;br/&gt;Low safety to allow users to be notified of software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;Medium safety to allow users to be notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.&lt;br/&gt;&lt;br/&gt;High safety to prevent users from being notified of software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, permissions are set to high safety.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, permissions are set to Medium safety." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Software channel permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Software channel permissions</td><td>Medium safety</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Submit non-encrypted form data" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submission.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, information using HTML forms on pages in this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow information using HTML forms on pages in this zone to be submitted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, information using HTML forms on pages in this zone is prevented from being submitted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Submit non-encrypted form data</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Submit non-encrypted form data</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Use Pop-up Blocker" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, pop-up windows are not prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, pop-up windows are not prevented from appearing." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Use Pop-up Blocker</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Use Pop-up Blocker</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Userdata persistence" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Userdata persistence</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Userdata persistence</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Web sites in less privileged Web content zones can navigate into this zone" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Web sites in less privileged Web content zones can navigate into this zone</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Web sites in less privileged Web content zones can navigate into this zone</td><td>Enable</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Access data sources across domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. 
If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Access data sources across domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Access data sources across domains</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow active content over restricted protocols to access my computer" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, no Intranet Zone content accessed is affected, even for protocols on the restricted list. 
If you select Prompt from the drop-down box, the Information Bar will appear to allow control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, all attempts to access such content over the restricted protocols is blocked.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the Information Bar will appear to allow control over questionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow active content over restricted protocols to access my computer</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow active content over restricted protocols to access my computer</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow active scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether script code on pages in the zone is run.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script code on pages in the zone can run automatically. 
If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script code on pages in the zone is prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, script code on pages in the zone can run automatically." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow active scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow active scripting</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow binary and script behaviors" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, binary and script behaviors are available." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow binary and script behaviors</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow Binary and Script Behaviors</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow drag and drop or copy and paste files" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow drag and drop or copy and paste files</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow drag and drop or copy and paste files</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, files can be downloaded from the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, files are prevented from being downloaded from the zone.&lt;br/&gt;&lt;br/&gt; If you do not configure this policy setting, files can be downloaded from the zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow file downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow font downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether pages of the zone may download HTML fonts.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, HTML fonts are prevented from downloading.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, HTML fonts can be downloaded automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow font downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow font downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow installation of desktop items" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from installing desktop items from this zone. &lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can install desktop items from this zone automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow installation of desktop items</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow installation of desktop items</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow META REFRESH" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow META REFRESH</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow META REFRESH</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow paste operations via script" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a script can perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a script cannot perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a script can perform a clipboard operation." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow paste operations via script</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow paste operations via script</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow script-initiated windows without size or position constraints" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow script-initiated windows without size or position constraints</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow script-initiated windows without size or position constraints</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting manages whether users will be automatically prompted for ActiveX control installations.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX control installations will be blocked using the Information Bar. Users can click on the Information Bar to allow the ActiveX control prompt.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for ActiveX controls</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.&lt;br/&gt;&lt;br/&gt;If you enable this setting, users will receive a file download dialog for automatic download attempts.&lt;br/&gt;&lt;br/&gt;If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for file downloads</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Display mixed content" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nonsecure content can be displayed.&lt;br/&gt;&lt;br/&gt;If the drop-down box is set to Prompt, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot receive the security information message and nonsecure content cannot be displayed.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Display mixed content</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Display mixed content</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Do not prompt for client certificate selection when no certificates or only one certificate exists." gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one certificate exists.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer does not prompt users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer prompts users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer does not prompt users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Do not prompt for client certificate selection when no certificates or only one certificate exists.</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Do not prompt for client certificate selection when no certificates or only one certificate exists.</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download signed ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.&lt;br/&gt;&lt;br/&gt;If you disable the policy setting, signed controls cannot be downloaded.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can download signed controls without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download signed ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download signed ActiveX controls</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download unsigned ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot run unsigned controls.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can run unsigned controls without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download unsigned ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download unsigned ActiveX controls</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Initialize and script ActiveX controls not marked as safe" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage ActiveX controls not marked as safe.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Initialize and script ActiveX controls not marked as safe</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Initialize and script ActiveX controls not marked as safe</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Java permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage permissions for Java applets.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.&lt;br/&gt;&lt;br/&gt;Low Safety enables applets to perform all operations.&lt;br/&gt;&lt;br/&gt;Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.&lt;br/&gt;&lt;br/&gt;High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Java applets cannot run.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the permission is set to Medium Safety." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Java permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Java permissions</td><td>High safety</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Launching applications and files in an IFRAME" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Launching applications and files in an IFRAME</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Launching applications and files in an IFRAME</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Logon options" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage settings for logon options.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose from the following logon options.&lt;br/&gt;&lt;br/&gt;Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.&lt;br/&gt;&lt;br/&gt;Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. 
If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, logon is set to Automatic logon with current username and password." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Logon options</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Logon options</td><td>Automatic logon only in Intranet zone</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Navigate sub-frames across different domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage the opening of sub-frames and access of applications across different domains.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can open sub-frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow sub-frames or access to applications from other domains.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot open sub-frames or access applications from different domains.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can open sub-frames from other domains and access applications from other domains." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Navigate sub-frames across different domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Navigate sub-frames across different domains</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Open files based on content, not file extension" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Open files based on content, not file extension</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Open files based on content, not file extension</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components not signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components not signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components not signed with Authenticode</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will not execute signed managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components signed with Authenticode</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run ActiveX controls and plugins" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, controls and plug-ins can run without user intervention.&lt;br/&gt;&lt;br/&gt;If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, controls and plug-ins are prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, controls and plug-ins can run without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run ActiveX controls and plugins</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run ActiveX controls and plugins</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Script ActiveX controls marked safe for scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script interaction can occur automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script interaction is prevented from occurring.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, script interaction can occur automatically without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Script ActiveX controls marked safe for scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Script ActiveX controls marked safe for scripting</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Scripting of Java applets" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether applets are exposed to scripts within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, scripts can access applets automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, scripts are prevented from accessing applets.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, scripts can access applets automatically without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Scripting of Java applets</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Scripting of Java applets</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Software channel permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage software channel permissions.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose the following options from the drop-down box.&lt;br/&gt;&lt;br/&gt;Low safety to allow users to be notified of software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;Medium safety to allow users to be notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.&lt;br/&gt;&lt;br/&gt;High safety to prevent users from being notified of software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, permissions are set to high safety.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, permissions are set to Low safety." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Software channel permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Software channel permissions</td><td>Medium safety</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Submit non-encrypted form data" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submission.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, information using HTML forms on pages in this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow information using HTML forms on pages in this zone to be submitted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, information using HTML forms on pages in this zone is prevented from being submitted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Submit non-encrypted form data</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Submit non-encrypted form data</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Use Pop-up Blocker" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, pop-up windows are not prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, pop-up windows are not prevented from appearing." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Use Pop-up Blocker</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Use Pop-up Blocker</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Userdata persistence" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Userdata persistence</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Userdata persistence</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Web sites in less privileged Web content zones can navigate into this zone" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Web sites in less privileged Web content zones can navigate into this zone</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Web sites in less privileged Web content zones can navigate into this zone</td><td>Enable</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Access data sources across domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. 
If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Access data sources across domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Access data sources across domains</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow active scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether script code on pages in the zone is run.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script code on pages in the zone is prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to allow script code on pages in the Local Machine zone to run." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow active scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow active scripting</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow binary and script behaviors" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow binary and script behaviors</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow Binary and Script Behaviors</td><td>Administrator approved</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow drag and drop or copy and paste files" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow drag and drop or copy and paste files</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow drag and drop or copy and paste files</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, files can be downloaded from the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, files are prevented from being downloaded from the zone.&lt;br/&gt;&lt;br/&gt; If you do not configure this policy setting, files can be downloaded from the zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow file downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow font downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether pages of the zone may download HTML fonts.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, HTML fonts are prevented from downloading.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, HTML fonts can be downloaded automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow font downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow font downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow installation of desktop items" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from installing desktop items from this zone. &lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow installation of desktop items</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow installation of desktop items</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow META REFRESH" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow META REFRESH</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow META REFRESH</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow paste operations via script" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a script can perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a script cannot perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a script can perform a clipboard operation." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow paste operations via script</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow paste operations via script</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow script-initiated windows without size or position constraints" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow script-initiated windows without size or position constraints</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow script-initiated windows without size or position constraints</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting manages whether users will be automatically prompted for ActiveX control installations.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX control installations will be blocked using the Information Bar. Users can click on the Information Bar to allow the ActiveX control prompt.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, ActiveX control installations will be blocked using the Information Bar. Users can click on the Information Bar to allow the ActiveX control prompt." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for ActiveX controls</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.&lt;br/&gt;&lt;br/&gt;If you enable this setting, users will receive a file download dialog for automatic download attempts.&lt;br/&gt;&lt;br/&gt;If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Information Bar instead of the file download dialog. Users can then click the Information Bar to allow the file download prompt." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for file downloads</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Display mixed content" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nonsecure content can be displayed.&lt;br/&gt;&lt;br/&gt;If the drop-down box is set to Prompt, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot receive the security information message and nonsecure content cannot be displayed.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Display mixed content</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Display mixed content</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Do not prompt for client certificate selection when no certificates or only one certificate exists." gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one certificate exists.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer does not prompt users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer prompts users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has no certificate or only one certificate." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Do not prompt for client certificate selection when no certificates or only one certificate exists.</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Do not prompt for client certificate selection when no certificates or only one certificate exists.</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download signed ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.&lt;br/&gt;&lt;br/&gt;If you disable the policy setting, signed controls cannot be downloaded.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download signed ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download signed ActiveX controls</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download unsigned ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot run unsigned controls.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users cannot run unsigned controls." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download unsigned ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download unsigned ActiveX controls</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Initialize and script ActiveX controls not marked as safe" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage ActiveX controls not marked as safe.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Initialize and script ActiveX controls not marked as safe</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Initialize and script ActiveX controls not marked as safe</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Java permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage permissions for Java applets.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.&lt;br/&gt;&lt;br/&gt;Low Safety enables applets to perform all operations.&lt;br/&gt;&lt;br/&gt;Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. &lt;br/&gt;&lt;br/&gt;High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Java applets cannot run.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Java applets are disabled." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Java permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Java permissions</td><td>Disable Java</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Launching applications and files in an IFRAME" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Launching applications and files in an IFRAME</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Launching applications and files in an IFRAME</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Logon options" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage settings for logon options.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose from the following logon options.&lt;br/&gt;&lt;br/&gt;Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.&lt;br/&gt;&lt;br/&gt;Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. 
If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Logon options</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Logon options</td><td>Automatic logon only in Intranet zone</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Navigate sub-frames across different domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage the opening of sub-frames and access of applications across different domains.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can open sub-frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow sub-frames or access to applications from other domains.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot open sub-frames or access applications from different domains.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can open sub-frames from other domains and access applications from other domains." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Navigate sub-frames across different domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Navigate sub-frames across different domains</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Open files based on content, not file extension" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Open files based on content, not file extension</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Open files based on content, not file extension</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components not signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components not signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components not signed with Authenticode</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will not execute signed managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components signed with Authenticode</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run ActiveX controls and plugins" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, controls and plug-ins can run without user intervention.&lt;br/&gt;&lt;br/&gt;If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, controls and plug-ins are prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, controls and plug-ins are prevented from running." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run ActiveX controls and plugins</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run ActiveX controls and plugins</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Script ActiveX controls marked safe for scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script interaction can occur automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script interaction is prevented from occurring.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, script interaction can occur automatically without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Script ActiveX controls marked safe for scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Script ActiveX controls marked safe for scripting</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Scripting of Java applets" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether applets are exposed to scripts within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, scripts can access applets automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, scripts are prevented from accessing applets.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, scripts can access applets automatically without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Scripting of Java applets</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Scripting of Java applets</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Software channel permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage software channel permissions.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose the following options from the drop-down box.&lt;br/&gt;&lt;br/&gt;Low safety to allow users to be notified of software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;Medium safety to allow users to be notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.&lt;br/&gt;&lt;br/&gt;High safety to prevent users from being notified of software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, permissions are set to high safety.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, permissions are set to Low safety." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Software channel permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Software channel permissions</td><td>Medium safety</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Submit non-encrypted form data" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submission.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, information using HTML forms on pages in this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow information using HTML forms on pages in this zone to be submitted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, information using HTML forms on pages in this zone is prevented from being submitted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to allow information using HTML forms on pages in this zone to be submitted." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Submit non-encrypted form data</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Submit non-encrypted form data</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Use Pop-up Blocker" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, pop-up windows are not prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Use Pop-up Blocker</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Use Pop-up Blocker</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Userdata persistence" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Userdata persistence</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Userdata persistence</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Web sites in less privileged Web content zones can navigate into this zone" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone" gpmc_settingDescription="This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Web sites in less privileged Web content zones can navigate into this zone</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Web sites in less privileged Web content zones can navigate into this zone</td><td>Disable</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Access data sources across domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. 
If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Access data sources across domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Access data sources across domains</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow active scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether script code on pages in the zone is run.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script code on pages in the zone is prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to allow script code on pages in the Local Machine zone to run." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow active scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow active scripting</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow binary and script behaviors" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow binary and script behaviors</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow Binary and Script Behaviors</td><td>Administrator approved</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow drag and drop or copy and paste files" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow drag and drop or copy and paste files</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow drag and drop or copy and paste files</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, files can be downloaded from the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, files are prevented from being downloaded from the zone.&lt;br/&gt;&lt;br/&gt; If you do not configure this policy setting, files can be downloaded from the zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow file downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow font downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether pages of the zone may download HTML fonts.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, HTML fonts are prevented from downloading.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, HTML fonts can be downloaded automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow font downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow font downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow installation of desktop items" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from installing desktop items from this zone. &lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow installation of desktop items</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow installation of desktop items</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow META REFRESH" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow META REFRESH</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow META REFRESH</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow paste operations via script" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a script can perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a script cannot perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a script can perform a clipboard operation." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow paste operations via script</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow paste operations via script</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow script-initiated windows without size or position constraints" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow script-initiated windows without size or position constraints</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow script-initiated windows without size or position constraints</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting manages whether users will be automatically prompted for ActiveX control installations.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX control installations will be blocked using the Information Bar. Users can click on the Information Bar to allow the ActiveX control prompt.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, ActiveX control installations will be blocked using the Information Bar. Users can click on the Information Bar to allow the ActiveX control prompt." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for ActiveX controls</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.&lt;br/&gt;&lt;br/&gt;If you enable this setting, users will receive a file download dialog for automatic download attempts.&lt;br/&gt;&lt;br/&gt;If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Information Bar instead of the file download dialog. Users can then click the Information Bar to allow the file download prompt." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for file downloads</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Display mixed content" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nonsecure content can be displayed.&lt;br/&gt;&lt;br/&gt;If the drop-down box is set to Prompt, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot receive the security information message and nonsecure content cannot be displayed.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Display mixed content</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Display mixed content</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Do not prompt for client certificate selection when no certificates or only one certificate exists." gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one certificate exists.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer does not prompt users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer prompts users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has no certificate or only one certificate." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Do not prompt for client certificate selection when no certificates or only one certificate exists.</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Do not prompt for client certificate selection when no certificates or only one certificate exists.</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download signed ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.&lt;br/&gt;&lt;br/&gt;If you disable the policy setting, signed controls cannot be downloaded.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download signed ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download signed ActiveX controls</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download unsigned ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot run unsigned controls.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users cannot run unsigned controls." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download unsigned ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download unsigned ActiveX controls</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Initialize and script ActiveX controls not marked as safe" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage ActiveX controls not marked as safe.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Initialize and script ActiveX controls not marked as safe</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Initialize and script ActiveX controls not marked as safe</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Java permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage permissions for Java applets.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.&lt;br/&gt;&lt;br/&gt;Low Safety enables applets to perform all operations.&lt;br/&gt;&lt;br/&gt;Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. &lt;br/&gt;&lt;br/&gt;High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Java applets cannot run.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Java applets are disabled." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Java permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Java permissions</td><td>Disable Java</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Launching applications and files in an IFRAME" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Launching applications and files in an IFRAME</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Launching applications and files in an IFRAME</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Logon options" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage settings for logon options.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose from the following logon options.&lt;br/&gt;&lt;br/&gt;Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.&lt;br/&gt;&lt;br/&gt;Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. 
If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Logon options</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Logon options</td><td>Automatic logon only in Intranet zone</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Navigate sub-frames across different domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage the opening of sub-frames and access of applications across different domains.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can open sub-frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow sub-frames or access to applications from other domains.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot open sub-frames or access applications from different domains.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can open sub-frames from other domains and access applications from other domains." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Navigate sub-frames across different domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Navigate sub-frames across different domains</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Open files based on content, not file extension" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Open files based on content, not file extension</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Open files based on content, not file extension</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components not signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components not signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components not signed with Authenticode</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will not execute signed managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components signed with Authenticode</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run ActiveX controls and plugins" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, controls and plug-ins can run without user intervention.&lt;br/&gt;&lt;br/&gt;If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, controls and plug-ins are prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, controls and plug-ins are prevented from running." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run ActiveX controls and plugins</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run ActiveX controls and plugins</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Script ActiveX controls marked safe for scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script interaction can occur automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script interaction is prevented from occurring.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, script interaction can occur automatically without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Script ActiveX controls marked safe for scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Script ActiveX controls marked safe for scripting</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Scripting of Java applets" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether applets are exposed to scripts within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, scripts can access applets automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, scripts are prevented from accessing applets.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, scripts can access applets automatically without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Scripting of Java applets</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Scripting of Java applets</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Software channel permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage software channel permissions.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose the following options from the drop-down box.&lt;br/&gt;&lt;br/&gt;Low safety to allow users to be notified of software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;Medium safety to allow users to be notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.&lt;br/&gt;&lt;br/&gt;High safety to prevent users from being notified of software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, permissions are set to high safety.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, permissions are set to Low safety." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Software channel permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Software channel permissions</td><td>Medium safety</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Submit non-encrypted form data" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submission.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, information using HTML forms on pages in this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow information using HTML forms on pages in this zone to be submitted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, information using HTML forms on pages in this zone is prevented from being submitted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Submit non-encrypted form data</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Submit non-encrypted form data</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Use Pop-up Blocker" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, pop-up windows are not prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, pop-up windows are not prevented from appearing." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Use Pop-up Blocker</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Use Pop-up Blocker</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Userdata persistence" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Userdata persistence</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Userdata persistence</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Web sites in less privileged Web content zones can navigate into this zone" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone" gpmc_settingDescription="This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Web sites in less privileged Web content zones can navigate into this zone</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Web sites in less privileged Web content zones can navigate into this zone</td><td>Disable</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Access data sources across domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. 
If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Access data sources across domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Access data sources across domains</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow active scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether script code on pages in the zone is run.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script code on pages in the zone is prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to allow script code on pages in the Local Machine zone to run." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow active scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow active scripting</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow binary and script behaviors" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow binary and script behaviors</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow Binary and Script Behaviors</td><td>Administrator approved</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow drag and drop or copy and paste files" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow drag and drop or copy and paste files</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow drag and drop or copy and paste files</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, files can be downloaded from the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, files are prevented from being downloaded from the zone.&lt;br/&gt;&lt;br/&gt; If you do not configure this policy setting, files can be downloaded from the zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow file downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow font downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether pages of the zone may download HTML fonts.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, HTML fonts are prevented from downloading.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, HTML fonts can be downloaded automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow font downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow font downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow installation of desktop items" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from installing desktop items from this zone. &lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can install desktop items from this zone automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow installation of desktop items</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow installation of desktop items</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow META REFRESH" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow META REFRESH</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow META REFRESH</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow paste operations via script" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a script can perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a script cannot perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a script can perform a clipboard operation." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow paste operations via script</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow paste operations via script</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow script-initiated windows without size or position constraints" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow script-initiated windows without size or position constraints</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow script-initiated windows without size or position constraints</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting manages whether users will be automatically prompted for ActiveX control installations.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX control installations will be blocked using the Information Bar. Users can click on the Information Bar to allow the ActiveX control prompt.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, ActiveX control installations will be blocked using the Information Bar. Users can click on the Information Bar to allow the ActiveX control prompt." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for ActiveX controls</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.&lt;br/&gt;&lt;br/&gt;If you enable this setting, users will receive a file download dialog for automatic download attempts.&lt;br/&gt;&lt;br/&gt;If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Information Bar instead of the file download dialog. Users can then click the Information Bar to allow the file download prompt." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for file downloads</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Display mixed content" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nonsecure content can be displayed.&lt;br/&gt;&lt;br/&gt;If the drop-down box is set to Prompt, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot receive the security information message and nonsecure content cannot be displayed.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Display mixed content</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Display mixed content</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Do not prompt for client certificate selection when no certificates or only one certificate exists." gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one certificate exists.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer does not prompt users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer prompts users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has no certificate or only one certificate." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Do not prompt for client certificate selection when no certificates or only one certificate exists.</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Do not prompt for client certificate selection when no certificates or only one certificate exists.</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download signed ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.&lt;br/&gt;&lt;br/&gt;If you disable the policy setting, signed controls cannot be downloaded.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can download signed controls without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download signed ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download signed ActiveX controls</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download unsigned ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot run unsigned controls.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users cannot run unsigned controls." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download unsigned ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download unsigned ActiveX controls</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Initialize and script ActiveX controls not marked as safe" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage ActiveX controls not marked as safe.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Initialize and script ActiveX controls not marked as safe</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Initialize and script ActiveX controls not marked as safe</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Java permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage permissions for Java applets.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.&lt;br/&gt;&lt;br/&gt;Low Safety enables applets to perform all operations.&lt;br/&gt;&lt;br/&gt;Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. &lt;br/&gt;&lt;br/&gt;High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Java applets cannot run.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Java applets are disabled." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Java permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Java permissions</td><td>Disable Java</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Launching applications and files in an IFRAME" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Launching applications and files in an IFRAME</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Launching applications and files in an IFRAME</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Logon options" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage settings for logon options.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose from the following logon options.&lt;br/&gt;&lt;br/&gt;Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.&lt;br/&gt;&lt;br/&gt;Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. 
If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, logon is set to Automatic logon with current username and password." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Logon options</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Logon options</td><td>Automatic logon only in Intranet zone</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Navigate sub-frames across different domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage the opening of sub-frames and access of applications across different domains.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can open sub-frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow sub-frames or access to applications from other domains.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot open sub-frames or access applications from different domains.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can open sub-frames from other domains and access applications from other domains." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Navigate sub-frames across different domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Navigate sub-frames across different domains</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Open files based on content, not file extension" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Open files based on content, not file extension</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Open files based on content, not file extension</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components not signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components not signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components not signed with Authenticode</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will not execute signed managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components signed with Authenticode</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run ActiveX controls and plugins" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, controls and plug-ins can run without user intervention.&lt;br/&gt;&lt;br/&gt;If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, controls and plug-ins are prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, controls and plug-ins are prevented from running." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run ActiveX controls and plugins</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run ActiveX controls and plugins</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Script ActiveX controls marked safe for scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script interaction can occur automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script interaction is prevented from occurring.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, script interaction can occur automatically without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Script ActiveX controls marked safe for scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Script ActiveX controls marked safe for scripting</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Scripting of Java applets" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether applets are exposed to scripts within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, scripts can access applets automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, scripts are prevented from accessing applets.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, scripts can access applets automatically without user intervention." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Scripting of Java applets</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Scripting of Java applets</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Software channel permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage software channel permissions.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose the following options from the drop-down box.&lt;br/&gt;&lt;br/&gt;Low safety to allow users to be notified of software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;Medium safety to allow users to be notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.&lt;br/&gt;&lt;br/&gt;High safety to prevent users from being notified of software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, permissions are set to high safety.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, permissions are set to Low safety." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Software channel permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Software channel permissions</td><td>Medium safety</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Submit non-encrypted form data" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submission.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, information using HTML forms on pages in this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow information using HTML forms on pages in this zone to be submitted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, information using HTML forms on pages in this zone is prevented from being submitted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Submit non-encrypted form data</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Submit non-encrypted form data</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Use Pop-up Blocker" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, pop-up windows are not prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, pop-up windows are not prevented from appearing." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Use Pop-up Blocker</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Use Pop-up Blocker</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Userdata persistence" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Userdata persistence</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Userdata persistence</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Web sites in less privileged Web content zones can navigate into this zone" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone" gpmc_settingDescription="This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Web sites in less privileged Web content zones can navigate into this zone</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Web sites in less privileged Web content zones can navigate into this zone</td><td>Disable</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Access data sources across domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. 
If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Access data sources across domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Access data sources across domains</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow active scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether script code on pages in the zone is run.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script code on pages in the zone is prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, script code on pages in the zone is prevented from running." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow active scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow active scripting</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow binary and script behaviors" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow binary and script behaviors</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow Binary and Script Behaviors</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow drag and drop or copy and paste files" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow drag and drop or copy and paste files</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow drag and drop or copy and paste files</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, files can be downloaded from the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, files are prevented from being downloaded from the zone.&lt;br/&gt;&lt;br/&gt; If you do not configure this policy setting, files are prevented from being downloaded from the zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow file downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow font downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether pages of the zone may download HTML fonts.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, HTML fonts are prevented from downloading.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried whether to allow HTML fonts to download." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow font downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow font downloads</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow installation of desktop items" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from installing desktop items from this zone. &lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are prevented from installing desktop items from this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow installation of desktop items</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow installation of desktop items</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow META REFRESH" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow META REFRESH</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow META REFRESH</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow paste operations via script" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, a script can perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, a script cannot perform a clipboard operation.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, a script cannot perform a clipboard operation." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow paste operations via script</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow paste operations via script</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Allow script-initiated windows without size or position constraints" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Allow script-initiated windows without size or position constraints</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Allow script-initiated windows without size or position constraints</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting manages whether users will be automatically prompted for ActiveX control installations.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX control installations will be blocked using the Information Bar. Users can click on the Information Bar to allow the ActiveX control prompt.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, ActiveX control installations will be blocked using the Information Bar. Users can click on the Information Bar to allow the ActiveX control prompt." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for ActiveX controls</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Automatic prompting for file downloads" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.&lt;br/&gt;&lt;br/&gt;If you enable this setting, users will receive a file download dialog for automatic download attempts.&lt;br/&gt;&lt;br/&gt;If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Information Bar instead of the file download dialog. Users can then click the Information Bar to allow the file download prompt." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Automatic prompting for file downloads</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Automatic prompting for file downloads</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Display mixed content" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nonsecure content can be displayed.&lt;br/&gt;&lt;br/&gt;If the drop-down box is set to Prompt, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot receive the security information message and nonsecure content cannot be displayed.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Display mixed content</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Display mixed content</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Do not prompt for client certificate selection when no certificates or only one certificate exists." gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one certificate exists.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer does not prompt users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer prompts users with a &amp;quot;Client Authentication&amp;quot; message when they connect to a Web site that has no certificate or only one certificate.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has no certificate or only one certificate." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Do not prompt for client certificate selection when no certificates or only one certificate exists.</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Do not prompt for client certificate selection when no certificates or only one certificate exists.</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download signed ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.&lt;br/&gt;&lt;br/&gt;If you disable the policy setting, signed controls cannot be downloaded.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, signed controls cannot be downloaded." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download signed ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download signed ActiveX controls</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Download unsigned ActiveX controls" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot run unsigned controls.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users cannot run unsigned controls." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Download unsigned ActiveX controls</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Download unsigned ActiveX controls</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Initialize and script ActiveX controls not marked as safe" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage ActiveX controls not marked as safe.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Initialize and script ActiveX controls not marked as safe</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Initialize and script ActiveX controls not marked as safe</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Java permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage permissions for Java applets.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.&lt;br/&gt;&lt;br/&gt;Low Safety enables applets to perform all operations.&lt;br/&gt;&lt;br/&gt;Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. &lt;br/&gt;&lt;br/&gt;High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Java applets cannot run.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Java applets are disabled." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Java permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Java permissions</td><td>Disable Java</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Launching applications and files in an IFRAME" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. &lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Launching applications and files in an IFRAME</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Launching applications and files in an IFRAME</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Logon options" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage settings for logon options.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose from the following logon options.&lt;br/&gt;&lt;br/&gt;Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.&lt;br/&gt;&lt;br/&gt;Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.&lt;br/&gt;&lt;br/&gt;Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. 
If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, logon is set to Prompt for username and password." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Logon options</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Logon options</td><td>Automatic logon only in Intranet zone</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Navigate sub-frames across different domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage the opening of sub-frames and access of applications across different domains.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can open additional sub-frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional sub-frames or access to applications from other domains.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot open other sub-frames or access applications from different domains.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users cannot open other sub-frames or access applications from different domains." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Navigate sub-frames across different domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Navigate sub-frames across different domains</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Open files based on content, not file extension" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Open files based on content, not file extension</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Open files based on content, not file extension</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components not signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute unsigned managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components not signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components not signed with Authenticode</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run .NET Framework-reliant components signed with Authenticode" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, Internet Explorer will not execute signed managed components.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, Internet Explorer will not execute signed managed components." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run .NET Framework-reliant components signed with Authenticode</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run .NET Framework-reliant components signed with Authenticode</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Run ActiveX controls and plugins" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, controls and plug-ins can run without user intervention.&lt;br/&gt;&lt;br/&gt;If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, controls and plug-ins are prevented from running.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, controls and plug-ins are prevented from running." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Run ActiveX controls and plugins</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Run ActiveX controls and plugins</td><td>Disable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Script ActiveX controls marked safe for scripting" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, script interaction can occur automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, script interaction is prevented from occurring.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, script interaction is prevented from occurring." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Script ActiveX controls marked safe for scripting</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Script ActiveX controls marked safe for scripting</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Scripting of Java applets" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether applets are exposed to scripts within the zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, scripts can access applets automatically without user intervention.&lt;br/&gt;&lt;br/&gt;If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, scripts are prevented from accessing applets.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, scripts are prevented from accessing applets." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Scripting of Java applets</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Scripting of Java applets</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Software channel permissions" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage software channel permissions.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, you can choose the following options from the drop-down box.&lt;br/&gt;&lt;br/&gt;Low safety to allow users to be notified of software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;Medium safety to allow users to be notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.&lt;br/&gt;&lt;br/&gt;High safety to prevent users from being notified of software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, permissions are set to high safety.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, permissions are set to Low safety." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Software channel permissions</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Software channel permissions</td><td>Medium safety</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Submit non-encrypted form data" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submission.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, information using HTML forms on pages in this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow information using HTML forms on pages in this zone to be submitted.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, information using HTML forms on pages in this zone is prevented from being submitted.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users are queried to choose whether to allow information using HTML forms on pages in this zone to be submitted." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Submit non-encrypted form data</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Submit non-encrypted form data</td><td>Prompt</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Use Pop-up Blocker" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, pop-up windows are not prevented from appearing.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Use Pop-up Blocker</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Use Pop-up Blocker</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Userdata persistence" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Userdata persistence</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Userdata persistence</td><td>Enable</td></tr> </table></td></tr><tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Web sites in less privileged Web content zones can navigate into this zone" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control." 
gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Web sites in less privileged Web content zones can navigate into this zone</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Web sites in less privileged Web content zones can navigate into this zone</td><td>Disable</td></tr> </table></td></tr></table> </div></div><div class="he3"><span class="sectionTitle" tabindex="0">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone</span><a class="expando" href="#"></a></div> <div class="container"><div class="he4i"><table class="info3" cellpadding="0" cellspacing="0"> <tr><th scope="col">Policy</th><th scope="col">Setting</th><th scope="col">Winning GPO</th></tr> <tr><td><a class="explainlink" href="javascript:void();" onclick="javascript:showExplainText(this); return false;" gpmc_settingName="Access data sources across domains" gpmc_settingPath="User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone" gpmc_settingDescription="This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).&lt;br/&gt;&lt;br/&gt;If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. 
If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.&lt;br/&gt;&lt;br/&gt;If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone." gpmc_supported="at least Internet Explorer v6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1">Access data sources across domains</a></td><td>Enabled</td><td>IE - Lock Down IE</td></tr> <tr><td colspan="3"><table class="subtable_frame" cellpadding="0" cellspacing="0"> <tr><td>Access data