Internet Explorer Policy Settings

SP2 provides enhanced capabilities for managing Internet Explorer through Group Policy. Prior to SP2, many of the Internet Explorer security-related settings could only be managed by setting user preferences. This approach provided limited manageability because users could change their preference settings by using the Internet Explorer user interface or the registry.

In SP2, Internet Explorer settings can be managed by using .adm policy settings. In contrast to user preference settings, these new policy settings are written to a secure tree in the registry so that users cannot change them, either by using the UI or through the registry. These are referred to as “true policies.” In Windows XP with SP2, you can manage all Internet Explorer security settings for both computer and user configurations with these new policy settings; true policies are secure and can be set only by an administrator.

SP2 delivers two primary areas of policy settings:

  • Security Features controls, which are used to control the security areas of Internet Explorer.

  • URL Actions, which are used to control the configurable actions (known as URL Actions) in the Internet Explorer Security tab settings.

This section focuses only on the new policy settings for Internet Explorer. For more detailed information about the Internet Explorer Security Features and URL Actions, see “Part 5: Enhanced Browsing Security” of the “Changes to Functionality in Microsoft Windows XP with Service Pack 2” guide on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=29126.



Security Features Policy Settings

SP2 introduces new Security Features Group Policy settings for Internet Explorer that you can use to control various security aspects of Internet Explorer. The Security Features control policy settings are included in an updated Inetres.adm file, contained in SP2. When Internet Explorer is installed, the default preference settings for the Security Features controls are written to the computer’s registry under HKEY_LOCAL_MACHINE. The Security Features policy settings are available in both the Computer Configuration and User Configuration nodes of Group Policy Object Editor, in Administrative Templates\Windows Components\Internet Explorer\Security Features.

These policy settings give you more flexibility in managing specific scenarios that might affect the security of Internet Explorer. In most cases you are trying to prevent a specific behavior from occurring in Internet Explorer, so you need to ensure that the security feature is enabled for the Iexplore.exe and Explorer.exe processes. For example, malicious code can attempt to elevate its own permissions by running in the Local Machine zone instead of the Internet zone. To prevent such attacks, you can use the Protection from Zone Elevation policy setting.

For each of the Security Features policy settings, you can specify policy settings that control the behavior of the security feature for Internet Explorer processes, for a list of defined processes, or for all processes regardless of where they are initiated from. Some of the Security Features policy settings include additional policy settings that provide further controls, such as Admin-approved behaviors or the Add-on List. The three options for each security feature are the following policy settings:

  • Internet Explorer Processes. This enables any processes created by Internet Explorer to be restricted by this security feature control. This would be enabled for a security feature when the administrator wants to control access by any process initiated by Internet Explorer. When this policy setting is enabled, it automatically populates the process list with Explorer.exe and Iexplore.exe.

  • Process List. This specifies a list of processes, defined by the administrator, and whether each of these processes is able to use the security feature. This is applicable if an administrator wants to enforce a security feature control for a specific application, such as an internally developed application or a third-party component.

  • All Processes. This prevents all processes from using this security feature, no matter how they were started or under what security context.

Security Features policy settings are managed only by using Group Policy, and Security Features preferences can only be changed programmatically or by using the registry.

SP2 includes the following Internet Explorer Security Features policy settings.

Note
To enable or disable Internet Explorer processes for these Security Features policy settings, use the Internet Explorer Processes policy setting; do not enter Internet Explorer processes in the Process List policy setting. If you enable the All Processes policy setting, the processes configured in the Process List take precedence over the All Processes policy setting. This means that Process List settings override the settings in All Processes. This applies to all policy settings in the Security Features node.
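As an added example, not code from the Microsoft guide, the following PowerShell script reads a feature's process list from the registry and applies the precedence rule stated in the note above (an explicit Process List entry overrides the All Processes entry) to a few process names. The FeatureControl key paths, the FEATURE_* key names (for example FEATURE_ZONE_ELEVATION for Protection from Zone Elevation) and the encoding of entries as DWORDs (process name = 1 opts in, 0 opts out, * stands for All Processes) are assumptions taken from Microsoft's feature-control documentation, not from this page; sample-lob-app.exe is a constructed name.

```powershell
# Added example, not part of the Microsoft guide.
# ASSUMPTIONS (not stated on this page): process lists live under
#   <root>\FeatureControl\FEATURE_<NAME> as DWORD values, where the value name is the
#   process image name (1 = opted in, 0 = opted out) and '*' stands for All Processes.
$PolicyFeatureRoot = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl'
$PrefFeatureRoot   = 'HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl'

function Get-FeatureProcessList {
    # Returns @{ valueName = dword } for <Root>\<Feature>, or $null when the key is absent.
    param([string]$Root, [string]$Feature)
    $key = Join-Path -Path $Root -ChildPath $Feature
    if (-not (Test-Path -Path $key)) { return $null }
    $regKey = Get-Item -Path $key
    $list = @{}
    foreach ($name in $regKey.GetValueNames()) {
        $raw = $regKey.GetValue($name)
        if ($raw -is [int]) { $list[$name] = $raw }   # ignore non-DWORD values
    }
    return $list
}

function Test-FeatureOptIn {
    # Precedence rule from the note above: an explicit Process List entry for the
    # process overrides the All Processes ('*') entry; with neither present, the
    # feature does not apply to that process. PowerShell hashtable keys are
    # case-insensitive, so 'IEXPLORE.EXE' and 'iexplore.exe' match.
    param([hashtable]$List, [string]$ProcessName)
    if ($null -eq $List) { return $false }
    if ($List.ContainsKey($ProcessName)) { return ($List[$ProcessName] -eq 1) }
    if ($List.ContainsKey('*'))          { return ($List['*'] -eq 1) }
    return $false
}

# Constructed sample: a third process an administrator might add through Process List.
$processes = 'iexplore.exe', 'explorer.exe', 'sample-lob-app.exe'
$features  = 'FEATURE_ZONE_ELEVATION', 'FEATURE_MIME_SNIFFING', 'FEATURE_WINDOW_RESTRICTIONS'

foreach ($feature in $features) {
    $policy = Get-FeatureProcessList -Root $PolicyFeatureRoot -Feature $feature
    $pref   = Get-FeatureProcessList -Root $PrefFeatureRoot   -Feature $feature
    # A Group Policy key is a true policy and wins; otherwise the preference key
    # (changeable only programmatically or through the registry) is in effect.
    $effective = if ($null -ne $policy) { $policy } else { $pref }
    $source    = if ($null -ne $policy) { 'policy' } elseif ($null -ne $pref) { 'preference' } else { 'none' }
    foreach ($p in $processes) {
        [pscustomobject]@{
            Feature = $feature
            Process = $p
            Source  = $source
            OptedIn = Test-FeatureOptIn -List $effective -ProcessName $p
        }
    }
}
```

A row whose Source is "none" means neither Group Policy nor a preference opts that process in, so the feature is not applied to it at all.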

Binary Behavior Security Restriction Policy

Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setting is prevented or allowed.

In addition to the three types of policy settings described earlier, Binary Behavior Security Restriction Policy includes the following policy setting:

  • Admin-approved behaviors. Enabling this policy setting defines the list of behaviors permitted in each zone for which Script and Binary Behaviors is set to 'admin-approved'. Behaviors must be entered in #package#behavior notation, for example, #default#vml.

If you enable this policy setting in both Computer Configuration and User Configuration, both lists of behaviors are allowed.

MK Protocol Security Restriction

The MK Protocol Security Restriction policy setting reduces the attack surface by blocking the MK protocol. Resources hosted on the MK protocol fail to load.

Local Machine Zone Lockdown Security

Internet Explorer places zone restrictions on each Web page it opens; these restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, and so on). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone. Local Machine zone security applies to all local files and content processed by Internet Explorer. This feature helps to mitigate attacks that use the Local Machine zone to load malicious HTML code.

Consistent MIME Handling

Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files that are received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is actually an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension.

MIME Sniffing Safety Feature

This policy setting determines whether Internet Explorer MIME sniffing prevents promotion of a file of one type to a more dangerous file type. For example, it does not allow script to run from a file marked as text.

Object Caching Protection

This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or to a new domain.

Scripted Windows Security Restrictions

Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Scripted Window Restrictions security feature restricts pop-up windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user, or which obscure the title and status bars of other windows.

Protection from Zone Elevation

Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, and so on). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context.

Information Bar

This policy setting allows you to manage whether the Information Bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Information Bar is displayed for Internet Explorer processes.

Restrict ActiveX Install

This policy setting enables blocking of ActiveX® control installation prompts for Internet Explorer processes.

Restrict File Download

This policy setting enables blocking of file download prompts that are not user initiated.

Add-on Management

This policy setting allows you to ensure that any Internet Explorer add-ons that are not listed in the Add-on List policy setting are denied.

Add-on Management includes the following policy settings:

  • Deny all add-ons unless specifically allowed in the Add-on List. By default, the Add-on List policy setting defines a list of add-ons to be allowed or denied through Group Policy. However, users can still use the Add-on Manager within Internet Explorer to manage add-ons not listed in the Add-on List policy setting. This policy setting effectively removes that option from users: all add-ons are assumed to be denied unless they are specifically allowed through the Add-on List policy setting.

  • Add-on List. You can use this policy setting to manage a list of add-ons to be allowed or denied by Internet Explorer. This list can be used with the related Deny all add-ons unless specifically allowed in the Add-on List policy setting, which defines whether add-ons not listed here are assumed to be denied.

    Enable this policy setting to enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: the name of the value (the class identifier, CLSID, of the add-on) and a value, a number that indicates whether Internet Explorer should deny or allow the add-on to be loaded.

  • Process List. This policy setting allows you to manage whether the listed processes respect add-on management user preferences (as entered into Add-on Manager) or policy settings. By default, only Internet Explorer processes use the add-on management user preferences and policy settings. This policy setting allows you to extend support for these user preferences and policy settings to specific processes listed in the process list.

  • All Processes. This policy setting allows you to manage whether processes respect add-on management user preferences (as reflected by Add-on Manager) or policy settings. By default, any process other than the Internet Explorer processes or those listed in the Process List policy setting ignores add-on management user preferences and policy settings.

Restricted Network Protocol Lockdown

The Network Protocol Lockdown security restrictions control a list of restricted protocols. The Restricted Protocols per Security Zone node in Network Protocol Lockdown provides policy settings that are used to specify a restricted protocol list for the Internet, intranet, trusted sites, restricted sites, and Local Machine security zones. You can configure these policy settings to prevent active content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling the content. These policy settings apply to all processes which have opted in to the security restriction.

For more information about Security Features controls, see “Part 5: Enhanced Browsing Security” of the “Changes to Functionality in Microsoft Windows XP with Service Pack 2” guide on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=29126.

URL Actions

SP2 provides new policy settings for controlling the actions that are configurable (URL Actions) by using the Internet Explorer Security tab. A URL Action is an action that a browser can take that might pose a security risk to the local computer, such as running a Java applet or an ActiveX control. URL Actions correspond to security settings in the registry that identify the action to take for that feature in the security zone where the URL resides. URL Action settings include enable, disable, prompt, and others as appropriate.

To provide enhanced security management of URL Actions in Internet Explorer, you can use the new Security Page Group Policy settings. By using Group Policy to control security for URL Actions, you can create standard Internet Explorer configurations for all users and computers in your organization, and then rely on the system to enforce those policy settings.

To provide stronger security, you should enable policies for all URL zones by using the security zone template policy settings, so that a known configuration is set by Group Policy rather than an unknown setting being read from user-specified preference settings. See “URL Action Template Policy Settings,” later in this document. If you set policy settings for all zones using the security zone policy templates, you should also consider enabling the policy setting that disables the Security page, which makes that user interface in Internet Explorer unavailable. The Disable the Security page policy setting is available in the Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel node.

You can also create various user or computer configurations for URL Actions security, based on specific business requirements. You can create separate GPOs and specify URL Actions policy settings tailored to the particular requirements of groups of users and computers. This approach allows you to fine-tune the URL Actions policy settings as necessary.

You might need to disable some security features in a given security zone in some cases; this capability is intended primarily for application compatibility reasons. For example, if users need to use a particular extranet application and this application does not operate because a restriction in Windows XP with SP2 prevents it from doing so, you might set a policy setting that allows a URL Action to permit that application to run.

The policy settings for controlling URL Actions are available in both the Computer Configuration and the User Configuration nodes of Group Policy Object Editor, in Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page. The URL Actions policy settings are written to the following registry locations, in these sub-keys under Zones, \0, \1, \2, \3, and \4:

  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

You should also understand the Security Features control policy settings. Some of the URL Action settings are not valid unless the corresponding Security Features control policy is enabled. Internet Explorer checks to see if the Security Feature is enabled, and if it is and the Security Feature uses URL actions, it looks for the setting for the action based on the security zone of the URL. See “Security Features Control,” earlier in this document.

In Internet Explorer version 4.0 and later, Internet Explorer divides URL namespaces into URL security zones, which are assigned different levels of trust. The security zones include the following:

  • Local Intranet zone. The Local Intranet zone is used for content located on an organization's intranet. Because the servers and information are within the organization's firewall, a user or organization can assign a higher trust level to the content on the intranet.

  • Trusted Sites zone. The Trusted Sites zone is used for content located on Web sites that are considered more reputable or trustworthy than other sites on the Internet. Users can use this zone to assign a higher trust level to these sites and so minimize the number of authentication requests. The user adds the URLs of these trusted Web sites to this zone.

  • Internet zone. The Internet zone is used for Web sites on the Internet that do not belong to another zone. Its default setting causes Internet Explorer to prompt the user whenever potentially unsafe content is ready to download. Web sites that are not mapped into other zones automatically fall into this zone.

  • Restricted Sites zone. The Restricted Sites zone is used for Web sites that contain content that can cause, or might previously have caused, problems when downloaded. Users can use this zone to make Internet Explorer alert them whenever potentially unsafe content is about to download, or to prevent that content from downloading. The user adds the URLs of these untrusted Web sites to this zone.

  • Local Machine zone. This is an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust.

  • Locked-down Local Machine zone. In Windows XP with SP2, the Locked-down Local Machine zone represents a highly restricted version of the security settings used for the Local Machine zone. All local files and content that are processed by Internet Explorer have additional, stringent security applied to them in the Local Machine zone. This assumes that Local Machine Zone Lockdown Security is in effect.

    Locked-down Local Machine zone provides more control over the execution of all code content. It significantly enhances the capabilities of the Local Machine zone to block attacks that attempt to use local content to run malicious HTML code. As an example, consider zone elevation behavior. In the normal settings, any code can elevate itself to the Local Machine zone, but with Locked-down Local Machine in effect, zone elevations are blocked.

The first four zones are present in the Internet Explorer UI. The Local Machine and Local Machine Locked-down zones are only configurable by administrators.

SP2 includes URL Actions policy settings for each of the URL security zones for Internet Explorer: Internet Zone, Intranet Zone, Trusted Sites Zone, Restricted Sites Zone, Local Machine Zone, and Locked-Down Local Machine Zone.

Each of these URL security zone policy settings includes a set of URL actions, and each URL action has a default value that determines how that URL action is handled for that security zone. For example, if you do not configure the Open files based on content, not file extension policy setting, files are opened based on content for every zone, except the Restricted Sites zone. Note that these default values are set in the registry as preferences if you do not configure the policy setting, and users are then able to make changes to these values in the Internet Explorer UI or through the registry.
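As an added example, not code from the Microsoft guide, the following PowerShell script audits the registry locations listed above: for each zone sub-key it reports whether a URL Action is written in the Policies tree (a true policy) or exists only as a user preference that the user can still change. The numeric value names (1001, 1200, 1400 and so on) and the Enable/Prompt/Disable encoding as 0/1/3 are assumptions taken from Microsoft's separate zone-registry documentation (KB 182569), not from this page.

```powershell
# Added example, not part of the Microsoft guide.
# ASSUMPTIONS (not stated on this page): each URL Action is a DWORD under Zones\<n>
# whose value name is a number such as 1200 (Run ActiveX controls and plug-ins) and
# whose data is 0 = Enable, 1 = Prompt, 3 = Disable; both taken from Microsoft KB 182569.
$PolicyRoots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
$PreferenceRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$ZoneNames = [ordered]@{
    '0' = 'Local Machine'; '1' = 'Local Intranet'; '2' = 'Trusted Sites'
    '3' = 'Internet';      '4' = 'Restricted Sites'
}
# A subset of the URL Actions in Table 3, keyed by the (assumed) registry value name.
$UrlActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Allow active scripting'
    '1406' = 'Access data sources across domains'
    '1803' = 'Allow file downloads'
    '2000' = 'Allow binary and script behaviors'
}
$ValueMeaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneValue {
    # Returns the DWORD stored as $ValueName under <Root>\<Zone>, or $null when absent.
    param([string]$Root, [string]$Zone, [string]$ValueName)
    $key = Join-Path -Path $Root -ChildPath $Zone
    if (-not (Test-Path -Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$ValueName
}

function Format-Setting {
    param([object]$Value)
    if ($null -eq $Value) { return '(not set)' }
    if ($ValueMeaning.ContainsKey([int]$Value)) { return $ValueMeaning[[int]$Value] }
    return ('0x{0:X}' -f $Value)   # flag-style values (logon, Java) are shown raw
}

$report = foreach ($zone in $ZoneNames.Keys) {
    foreach ($action in $UrlActions.Keys) {
        $machinePolicy = Get-ZoneValue -Root $PolicyRoots[0] -Zone $zone -ValueName $action
        $userPolicy    = Get-ZoneValue -Root $PolicyRoots[1] -Zone $zone -ValueName $action
        $preference    = Get-ZoneValue -Root $PreferenceRoot -Zone $zone -ValueName $action
        # A value in either Policies hive is a true policy the user cannot change; a value
        # only in the preference hive is the default (or a user edit) and is not enforced.
        $state = if ($null -ne $machinePolicy -or $null -ne $userPolicy) {
            'Enforced by policy'
        } elseif ($null -ne $preference) {
            'Preference only (user-changeable)'
        } else {
            'Not configured'
        }
        [pscustomobject]@{
            Zone          = $ZoneNames[$zone]
            Action        = $UrlActions[$action]
            MachinePolicy = Format-Setting $machinePolicy
            UserPolicy    = Format-Setting $userPolicy
            Preference    = Format-Setting $preference
            State         = $state
        }
    }
}

# List the unenforced rows first: those are the zones and actions an administrator
# would lock down by applying the zone template policy settings described on this page.
$report | Sort-Object State, Zone | Format-Table -AutoSize
```

Rows where MachinePolicy and UserPolicy differ are worth a second look, since the two configurations are applied independently.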

URL Actions in the Security Zones Policy Settings

Each URL Action has a default that is set in each URL security zone and set when a specified template policy is applied. Table 3 lists the URL Actions.

Table 3   URL Actions in URL Security Zones Policy Settings

| Security Setting (User UI) | Description |
| --- | --- |
| Download signed ActiveX controls | Manages the download of signed ActiveX Controls from the URL zone of the HTML page that contains the control. |
| Download unsigned ActiveX controls | Manages the download of unsigned ActiveX Controls from the URL zone of the HTML page that contains the control. |
| Initialize and script ActiveX controls not marked as safe | Manages the execution of ActiveX Controls and plug-ins from HTML pages in the zone. |
| Run ActiveX controls and plugins | Determines if the ActiveX control object safety is overridden or enforced for pages in the URL security zone. Object safety should be overridden only if all ActiveX Controls and scripts that might interact with them on pages in the zone can be trusted not to breach security. This is an aggregate of URLACTION_ACTIVEX_OVERRIDE_DATA_SAFETY and URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY. |
| Allow active scripting | Determines if script code on the pages in the URL security zone is run or not. |
| Scripting of Java applets | Determines whether or not script code on HTML pages in the URL security zone is allowed to use Java applets if the properties, methods, and events of the applet are exposed to scripts. |
| Script ActiveX controls marked safe for scripting | Determines if scripting of safe ActiveX Controls is allowed. |
| Access data sources across domains | Determines if the resource is allowed to access data sources across domains. |
| Allow paste operations via script | Determines if scripts can do paste operations. |
| Submit non-encrypted form data | Determines if HTML forms on pages in the URL security zone, or submitted to servers in the zone, are allowed. Aggregate of the URLACTION_HTML_SUBMIT_FORMS_FROM and URLACTION_HTML_SUBMIT_FORMS_TO flags. |
| Allow font downloads | Determines if HTML font downloads are allowed. |
| Userdata persistence | Determines if user data persistence is enabled. |
| Navigate sub-frames across different domains | Determines if subframes are allowed to navigate across different domains. |
| Allow META REFRESH | Determines whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. |
| Display mixed content | Determines whether users can display nonsecure items and controls whether users receive a security information message to display pages containing both secure and non-secure items. |
| Allow installation of desktop items | Determines if desktop items can be installed. |
| Allow drag and drop or copy and paste files | Determines if Move or Copy operations are allowed. |
| Allow file downloads | Determines if file downloads are permitted from the URL security zone of the HTML page with the link that is causing the download. |
| Launching applications and files in an IFRAME | Determines if launching of applications and files is permitted from the URL security zone. |
| Use Pop-up Blocker | Determines whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. |
| Logon options | Minimum value for URL action network flags. |
| Do not prompt for client certificate selection when no certificates or only one certificate exists | Determines whether users are prompted to select a certificate when no certificate or only one certificate exists. |
| Java permissions | Determines the Java permissions for the zone. |
| Software channel permissions | Determines the level of trust placed on Software Update Channels. |
| Allow binary and script behaviors | Controls dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. |
| Run .NET Framework-reliant components signed with Authenticode | Determines whether .NET Framework components that are signed with Authenticode can run from Internet Explorer. |
| Run .NET Framework-reliant components not signed with Authenticode | Determines whether .NET Framework components that are not signed with Authenticode can run from Internet Explorer. |
| Open files based on content, not file extension | Controls MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. |
| Web sites in less privileged Web content zones can navigate into this zone | Determines whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. |
| Allow script-initiated windows without size or position constraints | Controls restrictions on script-initiated pop-up windows and windows that include the title and status bars. |
| Automatic prompting for file downloads | Determines whether users are prompted for non user-initiated file downloads. Regardless of this setting, users receive file download dialogs for user-initiated downloads. |
| Automatic prompting for ActiveX controls | Controls whether users are automatically prompted for ActiveX control installations. |
| Allow active content over restricted protocols to access my computer | Controls whether a resource hosted on a page accessed through a protocol restricted in a particular URL zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols for each zone can be set in the Restricted Protocols section under Network Protocol Lockdown policy. |

Including Local Intranet Sites and Network Paths in the Intranet Zone

SP2 provides advanced policy settings that you can use to specify intranet sites and network paths (UNC paths) for inclusion in the Local Intranet security zone. For this purpose, you can use the following policy settings in the Internet Control Panel\Security Page node:

  • Intranet Sites: Include all local (intranet) sites not listed in other zones. This policy setting controls whether local sites that are not explicitly mapped into any security zone are forced into the Local Intranet security zone.

  • Intranet Sites: Include all network paths (UNC). This policy setting controls whether URLs representing UNC paths are mapped into the local Intranet security zone.

  • Intranet Sites: Include all sites that bypass the proxy server. This policy setting controls whether sites which bypass the proxy server are mapped into the local Intranet security zone.

Mapping Sites to Security Zones

SP2 provides a new Group Policy setting that allows you to manage security restrictions for selected sites on a site-by-site basis, by associating a URL with a security zone and then setting the security settings for that zone through other policy settings. The Site to Zone Assignment List policy setting allows you to manage a list of sites that you want to associate with a particular security zone. There are zone numbers which have associated security settings that apply to all of the sites in the zone.

The Site to Zone Assignment List policy setting associates sites to zones, using the following values for the Internet Security zones: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. If you set this policy setting to Enabled, you can enter a list of sites and their related zone numbers. The association of a site with a zone ensures that the security settings for the specified zone are applied to the site. See the Explain text for this policy setting for more information.

If you configure the Site to Zone Assignment List policy setting for both Computer Configuration and User Configuration, both of these lists are used. If you set this policy setting for either computers or users, lists that are stored as preferences are ignored.

In Windows XP with SP2, in addition to using individual policy settings for managing URL Actions, you can control URL Actions by using template policy settings which provide standard policy settings for all URL Actions in a particular Internet Explorer security zone. You can then specify a security level for the template, as explained in the next section.

Note
If you set individual URL Action policy settings in a security zone, and then set a security template for that zone, the template overwrites the values of the individual URL Action policy settings.

URL Action Template Policy Settings

SP2 provides a set of standard, pre-configured policy settings for controlling URL Actions in the form of template policy settings for URL security zones in Internet Explorer. You can use the following template policy settings for controlling each of the URL security zones in Internet Explorer:

  • Internet Zone Template

  • Intranet Zone Template

  • Trusted Sites Zone Template

  • Restricted Sites Zone Template

  • Local Machine Zone Template

  • Locked-Down Local Machine Zone Template

For each of the URL Action template policy settings, you can specify one of the following security levels:

  • Low. This is typically used for URL security zones that contain Web sites that are fully trusted by the user. This is the default security level for the Trusted Sites zone.

  • Medium-low. This might be used for URL security zones that contain Web sites that are unlikely to cause damage to your computer or data. This is the default security level for the Intranet zone.

  • Medium. This might be used for URL security zones that contain Web sites that are neither trusted nor untrusted. This is the default security level for the Internet zone.

  • High. This is used for URL security zones that contain Web sites that could potentially cause damage to users’ computers or data. This is the default security level for the Restricted Sites zone.

By using these URL security zones policy templates, you can specify a security level for the zone, which provides a standard configuration for all the URL Actions. Doing this helps prevent users from lowering security to unacceptable levels.

If you need to specify individual URL Actions that differ from those in a given security zone policy template, you can configure individual policy settings to control those URL Actions. It is expected that doing so would be primarily to address application compatibility issues, which might require disabling Internet Explorer functionality to allow an application to run.

Note
Local Machine Zone Lockdown Security operates by comparing the settings in the Local Machine Zone against those in the Locked-Down Local Machine Zone. If you select a security level for one of these zones (including selecting no security), the same change should be made to the other zone.

The template policy settings for URL Actions are available in both Computer Configuration and User Configuration, in the Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page node of Group Policy Object Editor.

Table 4 lists the default URL Actions values for the URL security zone policy templates.

Table 4   Default Values for URL Action Security Template Policy

| Security Setting User UI | High Security Template | Medium Security Template | Medium-low Security Template | Low Security Template | Local Machine Zone Security Template | Locked-down Local Machine Zone Security Template |
|---|---|---|---|---|---|---|
| Download signed ActiveX controls | Disable | Prompt | Prompt | Enable | Enable | Standard defaults for selected security level* |
| Download unsigned ActiveX controls | Disable | Disable | Disable | Prompt | Enable | Disable |
| Initialize and script ActiveX controls not marked as safe | Disable | Disable | Disable | Prompt | Prompt | Disable |
| Run ActiveX controls and plug-ins | Disable | Enable | Enable | Enable | Enable | Disable |
| Allow active scripting | Disable | Enable | Enable | Enable | Enable | Disable |
| Scripting of Java applets | Disable | Enable | Enable | Enable | Enable | Standard defaults for selected security level* |
| Script ActiveX controls marked safe for scripting | Disable | Enable | Enable | Enable | Enable | Standard defaults for selected security level* |
| Access data sources across domains | Disable | Disable | Prompt | Enable | Enable | Standard defaults for selected security level* |
| Allow paste operations via script | Disable | Enable | Enable | Enable | Enable | Standard defaults for selected security level* |
| Submit non-encrypted form data | Prompt | Prompt | Enable | Enable | Enable | Standard defaults for selected security level* |
| Allow font downloads | Prompt | Enable | Enable | Enable | Enable | Standard defaults for selected security level* |
| Userdata persistence | Disable | Enable | Enable | Enable | Enable | Standard defaults for selected security level* |
| Navigate sub-frames across different domains | Disable | Enable | Enable | Enable | Enable | Standard defaults for selected security level* |
| Allow META REFRESH | Disable | Enable | Enable | Enable | Enable | Standard defaults for selected security level* |
| Display mixed content | Prompt | Prompt | Prompt | Prompt | Prompt | Standard defaults for selected security level* |
| Allow installation of desktop items | Disable | Prompt | Prompt | Enable | Enable | Standard defaults for selected security level* |
| Allow drag and drop or copy and paste files | Prompt | Enable | Enable | Enable | Enable | Uses default value for the security zone selected* |
| Allow file downloads | Disable | Enable | Enable | Enable | Enable | Standard defaults for selected security level* |
| Launching applications and files in an IFRAME | Disable | Prompt | Prompt | Enable | Enable | Standard defaults for selected security level* |
| Use Pop-up blocker | Enable | Enable | Disable | Disable | Disable | Standard defaults for selected security level* |
| Logon options | High safety | Medium safety | Medium safety | Enable | Enable | Standard defaults for selected security level* |
| Do not prompt for client certificate selection when no certificates or only one certificate exists | Disable | Disable | Enable | Enable | Enable | Disable |
| Java permissions | Disable | High safety | Medium safety | Low safety | Medium safety | Disable |
| Software channel permissions | High safety | Medium safety | Medium safety | Low safety | Low safety | Standard defaults for selected security level* |
| Allow binary and script behaviors | Disable | Enable | Enable | Enable | Enable | High safety |
| Run .NET Framework-reliant components signed with Authenticode | Disable | Enable | Enable | Enable | Disable | Disable |
| Run .NET Framework-reliant components not signed with Authenticode | Disable | Enable | Enable | Enable | Disable | Disable |
| Open files based on content, not file extension | Disable | Enable | Enable | Enable | Enable | Disable |
| Web sites in less privileged Web content zones can navigate into this zone | Disable | Enable | Enable | Prompt | Disable | Disable |
| Allow script-initiated windows without size or position constraints | Disable | Disable | Enable | Enable | Enable | Disable |
| Automatic prompting for file downloads | Disable | Disable | Enable | Enable | Enable | Disable |
| Automatic prompting for ActiveX controls | Disable | Disable | Enable | Enable | Enable | Disable |
| Allow active content over restricted protocols to access my computer | Disable | Prompt | Prompt | Prompt | Prompt | N/A |

* Standard defaults for selected security level: If you enable the Locked-down Local Machine Zone Template policy setting and set its security level to High, for example, the zone uses the standard template default values of the High security level. The only exceptions are the URL Actions that have fixed defaults, as indicated in Table 4. By default, the High security level is used for the Restricted Sites zone.

For more information about URL Action settings and how they relate to security zones, see “About URL Security Zones Templates” on the MSDN Web site at https://go.microsoft.com/fwlink/?LinkId=26001.

For more information about URL policy flags and URL Action flags for Internet Explorer, see “URL Policy Flags” on the MSDN Web site at https://go.microsoft.com/fwlink/?LinkId=32832, and “URL Action Flags” in the MSDN section of the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=32833.

Configuring Separate GPOs for Zone Templates and URL Action Policy Settings

You may need to apply individual URL action policies to specific groups of users or computers but have the zone template policy settings apply to all other objects. If you want to do this, you must configure template policy settings in one GPO, and configure any related individual policy settings in a separate GPO. You can then apply such GPOs to specific groups of users or computers by using security group filtering to target the GPO to such groups. If necessary, you can also use the Enforced option for the GPO link to ensure that the settings in that GPO take precedence over the settings in a GPO linked to a child Active Directory container (such as an organizational unit).

For more information about filtering the scope of application of Group Policy by using security groups and the inheritance rules for Group Policy, see the “Windows Server 2003 Group Policy Infrastructure” white paper on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=14950, and see the Group Policy Management Console online Help.

Application of Preferences and Policy Settings

In cases where users set a preference and the administrator specifies a policy setting that contradicts the user-defined setting, the Group Policy settings override user-defined settings. User-defined settings and policy settings are stored in different areas of the registry.

Internet Explorer looks for a policy setting in the following order:

  • HKEY_LOCAL_MACHINE policy hive

  • HKEY_CURRENT_USER policy hive

  • HKEY_CURRENT_USER preference hive

  • HKEY_LOCAL_MACHINE preference hive

The settings are applied as follows:

  • Computer policies are applied when the computer starts.

  • After computer policies, the user policies are applied when the user logs on.

  • If neither computer nor user policy settings have been specified, then user preferences are applied.

    Note: By default, the Internet Options control panel displays policy settings when opened, and users can interact with the user interface and appear to change their preferences. However, although these preferences are stored in the registry when no policy is set, they do not override Group Policy settings.
    It is possible to set a policy setting to prevent users from seeing and changing settings for security zones. To do this, you can use the Disable the Security page policy setting, which removes the Security tab from the Internet Options dialog box. However, you must use this policy setting judiciously. If you have deployed template policy settings for controlling each of the URL security zones in Internet Explorer, it might be appropriate to use this policy. If you are managing only a few URL Actions with policy settings, then using this setting might not be appropriate.
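As an added example (not code from the article), the following Python resolves where a URL Action's effective value comes from by walking the four registry locations in the order given above, which makes it a quick way to check whether a user preference is being overridden by a true policy. The registry paths, the URL Action IDs used as DWORD value names, and the 0/1/3 value codes are the well-known Internet Settings ones and are assumptions rather than values stated on this page; `make_reader` and `winreg_reader` are hypothetical helpers.

```python
"""Resolve which registry location supplies an Internet Explorer URL Action.

Added example, not code from the article. It walks the lookup order the
article gives (HKLM policy, HKCU policy, HKCU preference, HKLM preference).
Registry paths, URL Action IDs and value codes are the well-known Internet
Settings ones and are assumptions, not values stated on this page.
"""
from typing import Callable, Dict, Optional, Tuple

POLICY_BASE = r"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
PREF_BASE = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# Search order from the article: true policies win over user preferences.
LOOKUP_ORDER = [
    ("HKLM", POLICY_BASE, "policy"),
    ("HKCU", POLICY_BASE, "policy"),
    ("HKCU", PREF_BASE, "preference"),
    ("HKLM", PREF_BASE, "preference"),
]
# Assumed DWORD codes for a URL Action: 0 = Enable, 1 = Prompt, 3 = Disable.
VALUE_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
# read(hive, subkey_path, value_name) -> DWORD as int, or None if absent.
Reader = Callable[[str, str, str], Optional[int]]

def resolve_url_action(zone: int, action_id: str, read: Reader,
                       lockdown: bool = False) -> Optional[Tuple[str, str, str]]:
    """Return (setting, 'policy'|'preference', hive) for the first hit, or None."""
    zones_key = "Lockdown_Zones" if lockdown else "Zones"
    for hive, base, kind in LOOKUP_ORDER:
        raw = read(hive, f"{base}\\{zones_key}\\{zone}", action_id)
        if raw is not None:
            return VALUE_NAMES.get(raw, f"unknown({raw})"), kind, hive
    return None

def make_reader(store: Dict[Tuple[str, str, str], int]) -> Reader:
    """Hypothetical helper: reader over a constructed in-memory 'registry'."""
    return lambda hive, path, name: store.get((hive, path, name))

def winreg_reader(hive: str, path: str, name: str) -> Optional[int]:
    """Hypothetical helper: the same reader over the live registry (Windows only)."""
    import winreg  # standard library on Windows; absent elsewhere
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(root, path) as key:
            return int(winreg.QueryValueEx(key, name)[0])
    except OSError:
        return None

if __name__ == "__main__":
    # Zone 3 is the Internet zone; 1400 is "Allow active scripting" (assumed IDs).
    print(resolve_url_action(3, "1400", winreg_reader))
```

Passing `lockdown=True` reads the Locked-down Local Machine Zone keys instead, so the same function can compare both zones as the earlier note recommends.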

Scenarios for Implementing

There are many ways to configure policy settings for Internet Explorer. The new policy settings provide you with a great deal of flexibility in managing Internet Explorer. How you do so depends on your overall approach for managing users and computers and your specific business requirements. You can begin by assessing the decisions in the following diagram.

[Diagram: decision flow for choosing how to configure Internet Explorer policy settings (mangxp09_big.gif)]

Group Policy and Internet Explorer Administration Kit

Group Policy is the recommended tool for managing Internet Explorer for client computers on a corporate network. Internet Explorer supports Group Policy management for all new functionality in SP2, and for all Security tab URL Actions. Development of the Internet Explorer Administration Kit (IEAK) ended with the release of IEAK 6 Service Pack 1.

For computers running Windows 2000 or later versions of the operating system and that are not participating in an Active Directory domain, it is recommended that administrators and application developers use Internet Explorer Administration Kit 6 Service Pack 1 to customize Internet Explorer for their end users. For more information, see “Microsoft Internet Explorer 6 Administration Kit Service Pack 1” on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=26002.

Internet Explorer Administration Kit provides several key functions that are not currently managed with Group Policy. For these areas, you need to use IEAK:

  • Single-disk branding. For computers that are currently running Internet Explorer 4.01 SP1 or later, you can use the Customization Wizard to create a single floppy disk containing your custom text and logo information.

  • Custom components and add-ons. You can add up to 16 custom components that your users can install at the same time that they install the browser. These components can be compressed cabinet (.cab) files or self-extracting executable (.exe) files. You can specify the version of a Microsoft component that your users install, and you can install the latest version available using Automatic Version Synchronization (AVS).

  • Configuration of options in the Internet Explorer Advanced tab.