Policy CSP - InternetExplorer


InternetExplorer policies

InternetExplorer/AddSearchProvider
InternetExplorer/AllowActiveXFiltering
InternetExplorer/AllowAddOnList
InternetExplorer/AllowAutoComplete
InternetExplorer/AllowCertificateAddressMismatchWarning
InternetExplorer/AllowDeletingBrowsingHistoryOnExit
InternetExplorer/AllowEnhancedProtectedMode
InternetExplorer/AllowEnterpriseModeFromToolsMenu
InternetExplorer/AllowEnterpriseModeSiteList
InternetExplorer/AllowFallbackToSSL3
InternetExplorer/AllowInternetExplorer7PolicyList
InternetExplorer/AllowInternetExplorerStandardsMode
InternetExplorer/AllowInternetZoneTemplate
InternetExplorer/AllowIntranetZoneTemplate
InternetExplorer/AllowLocalMachineZoneTemplate
InternetExplorer/AllowLockedDownInternetZoneTemplate
InternetExplorer/AllowLockedDownIntranetZoneTemplate
InternetExplorer/AllowLockedDownLocalMachineZoneTemplate
InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate
InternetExplorer/AllowOneWordEntry
InternetExplorer/AllowSiteToZoneAssignmentList
InternetExplorer/AllowSoftwareWhenSignatureIsInvalid
InternetExplorer/AllowSuggestedSites
InternetExplorer/AllowTrustedSitesZoneTemplate
InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate
InternetExplorer/AllowsRestrictedSitesZoneTemplate
InternetExplorer/CheckServerCertificateRevocation
InternetExplorer/CheckSignaturesOnDownloadedPrograms
InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses
InternetExplorer/DisableAdobeFlash
InternetExplorer/DisableBypassOfSmartScreenWarnings
InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles
InternetExplorer/DisableConfiguringHistory
InternetExplorer/DisableCrashDetection
InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation
InternetExplorer/DisableDeletingUserVisitedWebsites
InternetExplorer/DisableEnclosureDownloading
InternetExplorer/DisableEncryptionSupport
InternetExplorer/DisableFirstRunWizard
InternetExplorer/DisableFlipAheadFeature
InternetExplorer/DisableHomePageChange
InternetExplorer/DisableIgnoringCertificateErrors
InternetExplorer/DisableInPrivateBrowsing
InternetExplorer/DisableProcessesInEnhancedProtectedMode
InternetExplorer/DisableProxyChange
InternetExplorer/DisableSearchProviderChange
InternetExplorer/DisableSecondaryHomePageChange
InternetExplorer/DisableSecuritySettingsCheck
InternetExplorer/DisableUpdateCheck
InternetExplorer/DoNotAllowActiveXControlsInProtectedMode
InternetExplorer/DoNotAllowUsersToAddSites
InternetExplorer/DoNotAllowUsersToChangePolicies
InternetExplorer/DoNotBlockOutdatedActiveXControls
InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains
InternetExplorer/IncludeAllLocalSites
InternetExplorer/IncludeAllNetworkPaths
InternetExplorer/InternetZoneAllowAccessToDataSources
InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls
InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads
InternetExplorer/InternetZoneAllowCopyPasteViaScript
InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles
InternetExplorer/InternetZoneAllowFontDownloads
InternetExplorer/InternetZoneAllowLessPrivilegedSites
InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles
InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents
InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls
InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl
InternetExplorer/InternetZoneAllowScriptInitiatedWindows
InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls
InternetExplorer/InternetZoneAllowScriptlets
InternetExplorer/InternetZoneAllowSmartScreenIE
InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript
InternetExplorer/InternetZoneAllowUserDataPersistence
InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls
InternetExplorer/InternetZoneDownloadSignedActiveXControls
InternetExplorer/InternetZoneDownloadUnsignedActiveXControls
InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter
InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows
InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows
InternetExplorer/InternetZoneEnableMIMESniffing
InternetExplorer/InternetZoneEnableProtectedMode
InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer
InternetExplorer/InternetZoneInitializeAndScriptActiveXControls
InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe
InternetExplorer/InternetZoneJavaPermissions
InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME
InternetExplorer/InternetZoneLogonOptions
InternetExplorer/InternetZoneNavigateWindowsAndFrames
InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode
InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles
InternetExplorer/InternetZoneUsePopupBlocker
InternetExplorer/IntranetZoneAllowAccessToDataSources
InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls
InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads
InternetExplorer/IntranetZoneAllowFontDownloads
InternetExplorer/IntranetZoneAllowLessPrivilegedSites
InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents
InternetExplorer/IntranetZoneAllowScriptlets
InternetExplorer/IntranetZoneAllowSmartScreenIE
InternetExplorer/IntranetZoneAllowUserDataPersistence
InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls
InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls
InternetExplorer/IntranetZoneJavaPermissions
InternetExplorer/IntranetZoneNavigateWindowsAndFrames
InternetExplorer/LocalMachineZoneAllowAccessToDataSources
InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls
InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads
InternetExplorer/LocalMachineZoneAllowFontDownloads
InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites
InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents
InternetExplorer/LocalMachineZoneAllowScriptlets
InternetExplorer/LocalMachineZoneAllowSmartScreenIE
InternetExplorer/LocalMachineZoneAllowUserDataPersistence
InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls
InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls
InternetExplorer/LocalMachineZoneJavaPermissions
InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames
InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources
InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls
InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads
InternetExplorer/LockedDownInternetZoneAllowFontDownloads
InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites
InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents
InternetExplorer/LockedDownInternetZoneAllowScriptlets
InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE
InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence
InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls
InternetExplorer/LockedDownInternetZoneJavaPermissions
InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames
InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources
InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls
InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads
InternetExplorer/LockedDownIntranetZoneAllowFontDownloads
InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites
InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents
InternetExplorer/LockedDownIntranetZoneAllowScriptlets
InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE
InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence
InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls
InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames
InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources
InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls
InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads
InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads
InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites
InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents
InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets
InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE
InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence
InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls
InternetExplorer/LockedDownLocalMachineZoneJavaPermissions
InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames
InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources
InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls
InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads
InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads
InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites
InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents
InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets
InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE
InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence
InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls
InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions
InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames
InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources
InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls
InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads
InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads
InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites
InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents
InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets
InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE
InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence
InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls
InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions
InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames
InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses
InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses
InternetExplorer/NotificationBarInternetExplorerProcesses
InternetExplorer/PreventManagingSmartScreenFilter
InternetExplorer/PreventPerUserInstallationOfActiveXControls
InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses
InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls
InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses
InternetExplorer/RestrictFileDownloadInternetExplorerProcesses
InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources
InternetExplorer/RestrictedSitesZoneAllowActiveScripting
InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls
InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads
InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors
InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript
InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles
InternetExplorer/RestrictedSitesZoneAllowFileDownloads
InternetExplorer/RestrictedSitesZoneAllowFontDownloads
InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites
InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles
InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH
InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents
InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls
InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl
InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows
InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls
InternetExplorer/RestrictedSitesZoneAllowScriptlets
InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE
InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript
InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence
InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls
InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls
InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter
InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows
InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows
InternetExplorer/RestrictedSitesZoneEnableMIMESniffing
InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer
InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls
InternetExplorer/RestrictedSitesZoneJavaPermissions
InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME
InternetExplorer/RestrictedSitesZoneLogonOptions
InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames
InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins
InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode
InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting
InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets
InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles
InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode
InternetExplorer/RestrictedSitesZoneUsePopupBlocker
InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses
InternetExplorer/SearchProviderList
InternetExplorer/SecurityZonesUseOnlyMachineSettings
InternetExplorer/SpecifyUseOfActiveXInstallerService
InternetExplorer/TrustedSitesZoneAllowAccessToDataSources
InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls
InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads
InternetExplorer/TrustedSitesZoneAllowFontDownloads
InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites
InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents
InternetExplorer/TrustedSitesZoneAllowScriptlets
InternetExplorer/TrustedSitesZoneAllowSmartScreenIE
InternetExplorer/TrustedSitesZoneAllowUserDataPersistence
InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls
InternetExplorer/TrustedSitesZoneJavaPermissions
InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames


InternetExplorer/AddSearchProvider

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.

If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Add a specific list of search providers to the user's list of search providers
  • GP name: AddSearchProvider
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowActiveXFiltering

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.

If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions.

If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on ActiveX Filtering
  • GP name: TurnOnActiveXFiltering
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx
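The Tip above (data type `chr`, payload XML-encoded or wrapped in CDATA) can be checked before a profile is pushed. The following is an added example, not code from the original page: the function names are hypothetical, and the LocURI pattern, the `<enabled/>` payload and the SyncML 1.2 envelope are assumptions based on general Policy CSP usage rather than anything printed here.

```python
# Added example (not from the original page). The LocURI pattern, the
# <enabled/> payload and the SyncML 1.2 envelope are assumptions taken from
# general Policy CSP usage; only <Format>chr</Format> is stated on this page.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SYNCML_NS = "SYNCML:SYNCML1.2"

# Scopes copied from the "Scope:" lists on this page.
POLICY_SCOPES = {
    "AllowActiveXFiltering": {"User", "Device"},
    "AllowAutoComplete": {"User"},
    "AllowFallbackToSSL3": {"Device"},
}


def build_syncml(policy, scope, payload, use_cdata=False, cmd_id=1):
    """Return a SyncML Replace command for one ADMX-backed IE policy."""
    allowed = POLICY_SCOPES.get(policy)
    if allowed is None:
        raise KeyError(f"unknown policy: {policy}")
    if scope not in allowed:
        raise ValueError(f"{policy} does not support scope {scope}")
    if use_cdata:
        # A CDATA section ends at the first "]]>", so reject payloads with it.
        if "]]>" in payload:
            raise ValueError("payload contains ']]>'; XML-encode it instead")
        data = "<![CDATA[" + payload + "]]>"
    else:
        data = escape(payload)  # & < >  ->  &amp; &lt; &gt;
    loc_uri = f"./{scope}/Vendor/MSFT/Policy/Config/InternetExplorer/{policy}"
    return (
        f'<SyncML xmlns="{SYNCML_NS}"><SyncBody><Replace>'
        f"<CmdID>{int(cmd_id)}</CmdID><Item>"
        f"<Target><LocURI>{loc_uri}</LocURI></Target>"
        '<Meta><Format xmlns="syncml:metinf">chr</Format></Meta>'
        f"<Data>{data}</Data>"
        "</Item></Replace><Final/></SyncBody></SyncML>"
    )


def received_payload(syncml):
    """Parse the message the way a receiver would; return (format, payload)."""
    root = ET.fromstring(syncml)
    item = root.find(f".//{{{SYNCML_NS}}}Item")
    fmt = item.find(".//{syncml:metinf}Format").text
    data = item.find(f"{{{SYNCML_NS}}}Data")
    if len(data):
        # Child elements under <Data> mean the payload was pasted in raw and
        # became part of the SyncML tree instead of a character string.
        raise ValueError("Data holds raw XML; encode it or wrap it in CDATA")
    return fmt, data.text


if __name__ == "__main__":
    for cdata in (False, True):
        msg = build_syncml("AllowActiveXFiltering", "Device", "<enabled/>", cdata)
        print(msg)
        print(received_payload(msg))
```

Both forms decode to the same character payload; a payload pasted in without encoding is rejected by `received_payload` because it parses as child elements of `<Data>`.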


InternetExplorer/AllowAddOnList

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.

This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.

If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:

Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets, for example, '{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.

Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.

If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Add-on List
  • GP name: AddonManagement_AddOnList
  • GP path: Windows Components/Internet Explorer/Security Features/Add-on Management
  • GP ADMX file name: inetres.admx
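An Add-on List can be linted against the rules described above (brace-wrapped CLSID as the value name; 0, 1 or 2 as the value) before it is deployed. This is an added example, not part of the original page: the function name and the sample entries are constructed for illustration, and treating CLSIDs that differ only in letter case as the same add-on is an assumption.

```python
# Added example (not from the original page). Sample CLSIDs are constructed.
import re

# Brace-wrapped GUID: 8-4-4-4-12 hexadecimal digits.
CLSID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
    r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)

# Meaning of each value, as described in the policy text.
ACTIONS = {"0": "deny", "1": "allow", "2": "allow-user-managed"}


def lint_addon_list(entries):
    """Check (value_name, value) pairs; return (resolved, problems).

    resolved maps the upper-cased CLSID to its action; problems is a list of
    (value_name, reason) tuples for entries that should not be deployed.
    """
    resolved = {}
    problems = []
    for name, value in entries:
        name = str(name).strip()
        if not CLSID_RE.match(name):
            problems.append((name, "value name is not a brace-wrapped CLSID"))
            continue
        text = str(value).strip()
        if text not in ACTIONS:
            problems.append((name, f"value {text!r} is not 0, 1 or 2"))
            continue
        key = name.upper()  # assumption: case-insensitive comparison
        if key in resolved and resolved[key] != ACTIONS[text]:
            problems.append((name, "conflicts with an earlier entry"))
            continue
        resolved[key] = ACTIONS[text]
    return resolved, problems


# Constructed sample list with three deliberate mistakes.
SAMPLE_ENTRIES = [
    ("{11111111-2222-3333-4444-555555555555}", "0"),
    ("{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}", 2),
    ("{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}", 1),   # same add-on, other action
    ("11111111-2222-3333-4444-555555555556", 1),     # braces missing
    ("{22222222-2222-3333-4444-555555555555}", 3),   # value out of range
]

if __name__ == "__main__":
    ok, bad = lint_addon_list(SAMPLE_ENTRIES)
    for clsid, action in ok.items():
        print(clsid, action)
    for name, reason in bad:
        print("REJECTED", name, "-", reason)
```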


InternetExplorer/AllowAutoComplete

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on the auto-complete feature for user names and passwords on forms
  • GP name: RestrictFormSuggestPW
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowCertificateAddressMismatchWarning

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on certificate address mismatch warning
  • GP name: IZ_PolicyWarnCertMismatch
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowDeletingBrowsingHistoryOnExit

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow deleting browsing history on exit
  • GP name: DBHDisableDeleteOnExit
  • GP path: Windows Components/Internet Explorer/Delete Browsing History
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowEnhancedProtectedMode

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.

If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.

If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on Enhanced Protected Mode
  • GP name: Advanced_EnableEnhancedProtectedMode
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowEnterpriseModeFromToolsMenu

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.

If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.

If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Let users turn on and use Enterprise Mode from the Tools menu
  • GP name: EnterpriseModeEnable
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowEnterpriseModeSiteList

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.

If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.

If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Use the Enterprise Mode IE website list
  • GP name: EnterpriseModeSiteList
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowFallbackToSSL3

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow fallback to SSL 3.0 (Internet Explorer)
  • GP name: Advanced_EnableSSL3Fallback
  • GP path: Windows Components/Internet Explorer/Security Features
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowInternetExplorer7PolicyList

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.

If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify.

If you disable or do not configure this policy setting, the user can add and remove sites from the list.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Use Policy List of Internet Explorer 7 sites
  • GP name: CompatView_UsePolicyList
  • GP path: Windows Components/Internet Explorer/Compatibility View
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowInternetExplorerStandardsMode

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.

If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.

If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.

If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
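The two encodings the Tip describes, worked through for this policy as an added example (not code from the original page). The `<enabled/>` payload, the `./<scope>/Vendor/MSFT/Policy/Config/...` LocURI layout and the `syncml:metinf` namespace are assumptions taken from the general ADMX-backed policy format; `build_replace` and `data_seen_by_client` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SCOPES = ("User", "Device")  # the two scopes listed for this policy


def build_replace(policy, payload, scope="Device", encoding="escape", cmd_id=1):
    """Build a SyncML <Replace> fragment for an ADMX-backed policy.

    encoding="escape": XML-encode the payload (works with any MDM).
    encoding="cdata":  wrap the payload in a CDATA section (only if the MDM supports it).
    encoding="raw":    the mistake the Tip warns about, kept here to show its effect.
    """
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}")
    if encoding == "escape":
        data = escape(payload)  # & < > become &amp; &lt; &gt;
    elif encoding == "cdata":
        if "]]>" in payload:
            # "]]>" would close the CDATA section early and corrupt the message.
            raise ValueError("payload contains ']]>' and cannot be sent as CDATA")
        data = f"<![CDATA[{payload}]]>"
    elif encoding == "raw":
        data = payload
    else:
        raise ValueError("encoding must be 'escape', 'cdata' or 'raw'")
    return (
        "<Replace>"
        f"<CmdID>{cmd_id}</CmdID>"
        "<Item>"
        f"<Target><LocURI>./{scope}/Vendor/MSFT/Policy/Config/{policy}</LocURI></Target>"
        # The data type must be declared as chr.
        '<Meta><Format xmlns="syncml:metinf">chr</Format></Meta>'
        f"<Data>{data}</Data>"
        "</Item>"
        "</Replace>"
    )


def data_seen_by_client(syncml):
    """Return the text content of <Data> after XML parsing, as a receiver would see it."""
    return ET.fromstring(syncml).find("./Item/Data").text


if __name__ == "__main__":
    policy = "InternetExplorer/AllowInternetExplorerStandardsMode"
    for mode in ("escape", "cdata", "raw"):
        message = build_replace(policy, "<enabled/>", encoding=mode)
        print(f"{mode:6} -> Data text after parsing: {data_seen_by_client(message)!r}")
```

With `escape` and `cdata` the parsed `<Data>` text is the literal string `<enabled/>`; with `raw` the payload is parsed as a child element and the text is empty, so the policy value never arrives as a `chr` string.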

ADMX Info:

  • GP English name: Turn on Internet Explorer Standards Mode for local intranet
  • GP name: CompatView_IntranetSites
  • GP path: Windows Components/Internet Explorer/Compatibility View
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowInternetZoneTemplate

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Internet Zone Template
  • GP name: IZ_PolicyInternetZoneTemplate
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowIntranetZoneTemplate

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Intranet Zone Template
  • GP name: IZ_PolicyIntranetZoneTemplate
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowLocalMachineZoneTemplate

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Local Machine Zone Template
  • GP name: IZ_PolicyLocalMachineZoneTemplate
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowLockedDownInternetZoneTemplate

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Locked-Down Internet Zone Template
  • GP name: IZ_PolicyInternetZoneLockdownTemplate
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowLockedDownIntranetZoneTemplate

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Locked-Down Intranet Zone Template
  • GP name: IZ_PolicyIntranetZoneLockdownTemplate
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowLockedDownLocalMachineZoneTemplate

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Locked-Down Local Machine Zone Template
  • GP name: IZ_PolicyLocalMachineZoneLockdownTemplate
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Locked-Down Restricted Sites Zone Template
  • GP name: IZ_PolicyRestrictedSitesZoneLockdownTemplate
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowOneWordEntry

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.

If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.

If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Go to an intranet site for a one-word entry in the Address bar
  • GP name: UseIntranetSiteForOneWordEntry
  • GP path: Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowSiteToZoneAssignmentList

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.

Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)

If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:

Valuename - A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter http://www.contoso.com as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.

Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.

If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
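A pre-deployment check for a site-to-zone list, written against the valuename and value rules above; this is an added example, not code from the original page. It covers only the entry forms the description lists (host, fully qualified domain name, optional protocol, IP address, IP range); the function names, finding codes and sample entries are constructed for illustration.

```python
import ipaddress
import re

# Zone numbers as given in the policy description.
ZONES = {1: "Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}

# a.b.c.d or a.b.c.d-e: the two IP forms the description gives.
_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:-(\d{1,3}))?$")
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_HOST = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def parse_valuename(valuename):
    """Split a valuename into (protocol or None, site, list of problem codes)."""
    problems = []
    protocol, rest = None, valuename.strip()
    if "://" in rest:
        protocol, rest = rest.split("://", 1)
        protocol = protocol.lower()
    site, slash, _path = rest.partition("/")
    if slash:
        # Trailing slash or URL path: ignored by IE, so the entry can collide
        # with another entry for the same site.
        problems.append("path")
    site = site.lower()
    ip = _IP.match(site)
    if ip:
        try:
            ipaddress.IPv4Address(ip.group(1))
            start = int(ip.group(1).rsplit(".", 1)[1])
            # A range such as 127.0.0.1-10 must end at or after its first address.
            if ip.group(2) is not None and not start <= int(ip.group(2)) <= 255:
                problems.append("bad-site")
        except ValueError:
            problems.append("bad-site")
    elif not _HOST.match(site):
        problems.append("bad-site")
    return protocol, site, problems


def audit(entries):
    """Check (valuename, value) pairs; return findings as (valuename, code, detail)."""
    findings = []
    seen = {}  # (protocol, site) -> first valuename that claimed it
    for valuename, value in entries:
        protocol, site, problems = parse_valuename(valuename)
        findings += [(valuename, code, site) for code in problems]
        try:
            zone = int(value)
        except (TypeError, ValueError):
            zone = None
        if zone not in ZONES:
            findings.append((valuename, "bad-zone", str(value)))
            continue
        key = (protocol, site)
        if key in seen:
            # Same site once the path is dropped: treated as one policy setting.
            findings.append((valuename, "conflict", seen[key]))
        else:
            seen[key] = valuename
    return findings


# Constructed sample list, not taken from any real deployment.
SAMPLE = [
    ("http://www.contoso.com", "2"),   # protocol-specific entry
    ("www.contoso.com", "1"),          # all protocols
    ("www.contoso.com/mail", "2"),     # path: collides with the entry above
    ("127.0.0.1-10", "1"),             # IP range
    ("portal", "1"),                   # intranet host
    ("files.contoso.com", "5"),        # zone outside 1-4
    ("https://hr.contoso.com/", "2"),  # trailing slash
]

if __name__ == "__main__":
    for valuename, code, detail in audit(SAMPLE):
        print(f"{code:9} {valuename}  ({detail})")
```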

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Site to Zone Assignment List
  • GP name: IZ_Zonemaps
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowSoftwareWhenSignatureIsInvalid

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow software to run or install even if the signature is invalid
  • GP name: Advanced_InvalidSignatureBlock
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowSuggestedSites

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting controls the Suggested Sites feature, which recommends websites based on the user's browsing activity. Suggested Sites reports a user's browsing history to Microsoft to suggest sites that the user might want to visit.

If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user's browsing history is sent to Microsoft to produce suggestions.

If you disable this policy setting, the entry points and functionality associated with this feature are turned off.

If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on Suggested Sites
  • GP name: EnableSuggestedSites
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowTrustedSitesZoneTemplate

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Trusted Sites Zone Template
  • GP name: IZ_PolicyTrustedSitesZoneTemplate
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Locked-Down Trusted Sites Zone Template
  • GP name: IZ_PolicyTrustedSitesZoneLockdownTemplate
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/AllowsRestrictedSitesZoneTemplate

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you do not configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Restricted Sites Zone Template
  • GP name: IZ_PolicyRestrictedSitesZoneTemplate
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/CheckServerCertificateRevocation

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Check for server certificate revocation
  • GP name: Advanced_CertificateRevocation
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
  • GP ADMX file name: inetres.admx


InternetExplorer/CheckSignaturesOnDownloadedPrograms

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Check for signatures on downloaded programs
  • GP name: Advanced_DownloadSignatures
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
  • GP ADMX file name: inetres.admx


InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Internet Explorer Processes
  • GP name: IESF_PolicyExplorerProcesses_2
  • GP path: Windows Components/Internet Explorer/Security Features/Binary Behavior Security Restriction
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableAdobeFlash

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.

If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.

If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.

Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash objects can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects
  • GP name: DisableFlashInIE
  • GP path: Windows Components/Internet Explorer/Security Features/Add-on Management
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableBypassOfSmartScreenWarnings

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious.

If you enable this policy setting, SmartScreen Filter warnings block the user.

If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Prevent bypassing SmartScreen Filter warnings
  • GP name: DisableSafetyFilterOverride
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx
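
The Tip above asks for a `chr`-format SyncML item whose payload is XML-encoded or wrapped in CDATA. The following Python sketch is an added example, not Microsoft's code: it builds a Replace command for a policy on this page and parses it back to confirm that both encodings deliver the same `<enabled/>` payload, while an unencoded payload does not arrive as text. The `./{scope}/Vendor/MSFT/Policy/Config/...` URI layout, the `<enabled/>` payload and the envelope follow general Policy CSP conventions rather than anything shown on this page, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"s": "SYNCML:SYNCML1.2"}

# Scope values copied from the "Scope" lists on this page (subset of its policies).
POLICY_SCOPES = {
    "DisableBypassOfSmartScreenWarnings": {"User", "Device"},
    "DisableBypassOfSmartScreenWarningsAboutUncommonFiles": {"User", "Device"},
    "DisableAdobeFlash": {"User", "Device"},
    "DisableHomePageChange": {"User"},
    "DisableUpdateCheck": {"Device"},
}


def loc_uri(policy, scope):
    """Return the OMA-URI for a policy, rejecting a scope the page does not list."""
    allowed = POLICY_SCOPES.get(policy)
    if allowed is None:
        raise KeyError(f"unknown policy: {policy}")
    if scope not in allowed:
        raise ValueError(f"{policy} is not available in {scope} scope")
    return f"./{scope}/Vendor/MSFT/Policy/Config/InternetExplorer/{policy}"


def encode_payload(payload, mode):
    """Encode the ADMX payload for the <Data> element.

    "escape" XML-encodes it, "cdata" wraps it in a CDATA section, and "raw"
    leaves it unencoded (the mistake the Tip warns against, kept for comparison).
    """
    if mode == "escape":
        return escape(payload)
    if mode == "cdata":
        if "]]>" in payload:
            raise ValueError("payload contains ']]>' and cannot sit in one CDATA section")
        return f"<![CDATA[{payload}]]>"
    if mode == "raw":
        return payload
    raise ValueError(f"unknown mode: {mode}")


def build_replace(policy, scope, payload="<enabled/>", mode="escape", cmd_id=1):
    """Build a SyncML Replace command that sets one ADMX-backed policy."""
    return f"""<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>{cmd_id}</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
        </Meta>
        <Target>
          <LocURI>{loc_uri(policy, scope)}</LocURI>
        </Target>
        <Data>{encode_payload(payload, mode)}</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>"""


def read_back(syncml):
    """Parse a Replace command and report what a receiver would see in <Data>."""
    item = ET.fromstring(syncml).find("./s:SyncBody/s:Replace/s:Item", NS)
    data = item.find("./s:Data", NS)
    # If the payload was not encoded, it turns into child elements and the
    # character data of <Data> is empty.
    is_text = len(data) == 0 and data.text is not None
    return {
        "format": item.find("./s:Meta/s:Format", NS).text,
        "uri": item.find("./s:Target/s:LocURI", NS).text,
        "payload": data.text if is_text else None,
    }


if __name__ == "__main__":
    for mode in ("escape", "cdata", "raw"):
        doc = build_replace("DisableBypassOfSmartScreenWarnings", "Device", mode=mode)
        print(mode, read_back(doc))
```
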


InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet.

If you enable this policy setting, SmartScreen Filter warnings block the user.

If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
  • GP name: DisableSafetyFilterOverrideForAppRepUnknown
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableConfiguringHistory

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Disable "Configuring History"
  • GP name: RestrictHistory
  • GP path: Windows Components/Internet Explorer/Delete Browsing History
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableCrashDetection

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn off Crash Detection
  • GP name: AddonManagement_RestrictCrashDetection
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).

If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.

If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.

If you do not configure this policy setting, the user can choose to participate in the CEIP.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Prevent participation in the Customer Experience Improvement Program
  • GP name: SQM_DisableCEIP
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableDeletingUserVisitedWebsites

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Prevent deleting websites that the user has visited
  • GP name: DBHDisableDeleteHistory
  • GP path: Windows Components/Internet Explorer/Delete Browsing History
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableEnclosureDownloading

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.

If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.

If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Prevent downloading of enclosures
  • GP name: Disable_Downloading_of_Enclosures
  • GP path: Windows Components/RSS Feeds
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableEncryptionSupport

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other's list of supported protocols and versions, and they select the most preferred match.

If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.

If you disable or do not configure this policy setting, the user can select which encryption method the browser supports.

Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn off encryption support
  • GP name: Advanced_SetWinInetProtocols
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableFirstRunWizard

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

If you enable this policy setting, you must make one of the following choices:

  • Skip the First Run wizard, and go directly to the user's home page.
  • Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.

Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.

If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Prevent running First Run wizard
  • GP name: NoFirstRunCustomise
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableFlipAheadFeature

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.

If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.

If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn off the flip ahead with page prediction feature
  • GP name: Advanced_DisableFlipAhead
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableHomePageChange

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User

The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.

If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.

If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Disable changing home page settings
  • GP name: RestrictHomePage
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableIgnoringCertificateErrors

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Prevent ignoring certificate errors
  • GP name: NoCertError
  • GP path: Windows Components/Internet Explorer/Internet Control Panel
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableInPrivateBrowsing

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn off InPrivate Browsing
  • GP name: DisableInPrivateBrowsing
  • GP path: Windows Components/Internet Explorer/Privacy
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableProcessesInEnhancedProtectedMode

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows
  • GP name: Advanced_EnableEnhancedProtectedMode64Bit
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableProxyChange

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting specifies if a user can change proxy settings.

If you enable this policy setting, the user will not be able to configure proxy settings.

If you disable or do not configure this policy setting, the user can configure proxy settings.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Prevent changing proxy settings
  • GP name: RestrictProxy
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableSearchProviderChange

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.

If you enable this policy setting, the user cannot change the default search provider.

If you disable or do not configure this policy setting, the user can change the default search provider.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Prevent changing the default search provider
  • GP name: NoSearchProvider
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableSecondaryHomePageChange

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.

If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages.

If you disable or do not configure this policy setting, the user can add secondary home pages.

Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Disable changing secondary home page settings
  • GP name: SecondaryHomePages
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableSecuritySettingsCheck

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn off the Security Settings Check feature
  • GP name: Disable_Security_Settings_Check
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/DisableUpdateCheck

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • Device

Prevents Internet Explorer from checking whether a new version of the browser is available.

If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available.

If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available.

This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Disable Periodic Check for Internet Explorer software updates
  • GP name: NoUpdateCheck
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/DoNotAllowActiveXControlsInProtectedMode

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
  • GP name: Advanced_DisableEPMCompat
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
  • GP ADMX file name: inetres.admx


InternetExplorer/DoNotAllowUsersToAddSites

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • Device

Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.

If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.)

If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone.

This policy prevents users from changing site management settings for security zones established by the administrator.

Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored.

Also, see the "Security zones: Use only machine settings" policy.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Security Zones: Do not allow users to add/delete sites
  • GP name: Security_zones_map_edit
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/DoNotAllowUsersToChangePolicies

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • Device

Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.

If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.

If you disable this policy or do not configure it, users can change the settings for security zones.

This policy prevents users from changing security zone settings established by the administrator.

Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.

Also, see the "Security zones: Use only machine settings" policy.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Security Zones: Do not allow users to change policies
  • GP name: Security_options_edit
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx
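
The Tip above says the payload must be XML-encoded or wrapped in CDATA. The following added example (not Microsoft's code) does both locally, so policy data never has to be pasted into an online encoder, and parses the result back to confirm the two forms carry the same payload. The `./<Scope>/Vendor/MSFT/Policy/Config/...` LocURI and the `<enabled/>`/`<disabled/>` payload follow the general Policy CSP convention for ADMX-backed policies; the function names, the `CmdID` value and the small scope table (copied from the Scope lists on this page) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SYNCML_NS = "SYNCML:SYNCML1.2"

# Scopes copied from the "Scope:" lists on this page (two policies only).
POLICY_SCOPES = {
    "DoNotAllowUsersToChangePolicies": ("Device",),
    "DoNotBlockOutdatedActiveXControls": ("User", "Device"),
}


def admx_state(enabled: bool) -> str:
    """Unencoded ADMX payload for a policy that takes no extra data elements."""
    return "<enabled/>" if enabled else "<disabled/>"


def encode_payload(payload: str, use_cdata: bool = False) -> str:
    """Make the payload safe to place inside <Data>.

    Either XML-encode it, or wrap it in a CDATA section for an MDM that
    supports CDATA.
    """
    if use_cdata:
        if "]]>" in payload:
            raise ValueError("payload contains ']]>' and cannot sit in one CDATA section")
        return "<![CDATA[" + payload + "]]>"
    return escape(payload)  # encodes &, < and >


def build_replace(scope, policy, enabled, use_cdata=False, cmd_id=1):
    """Return a SyncML Replace command that enables or disables the policy."""
    if scope not in POLICY_SCOPES.get(policy, ()):
        raise ValueError(f"{policy} is not listed with scope {scope!r}")
    loc_uri = f"./{scope}/Vendor/MSFT/Policy/Config/InternetExplorer/{policy}"
    data = encode_payload(admx_state(enabled), use_cdata)
    return (
        f'<SyncML xmlns="{SYNCML_NS}">\n'
        "  <SyncBody>\n"
        "    <Replace>\n"
        f"      <CmdID>{int(cmd_id)}</CmdID>\n"
        "      <Item>\n"
        "        <Meta><Format>chr</Format></Meta>\n"
        f"        <Target><LocURI>{escape(loc_uri)}</LocURI></Target>\n"
        f"        <Data>{data}</Data>\n"
        "      </Item>\n"
        "    </Replace>\n"
        "    <Final/>\n"
        "  </SyncBody>\n"
        "</SyncML>\n"
    )


def read_back(syncml: str) -> dict:
    """Parse the message as a receiver would and return what it carries."""
    ns = {"s": SYNCML_NS}
    item = ET.fromstring(syncml).find("s:SyncBody/s:Replace/s:Item", ns)
    return {
        "loc_uri": item.findtext("s:Target/s:LocURI", namespaces=ns),
        "format": item.findtext("s:Meta/s:Format", namespaces=ns),
        "payload": item.findtext("s:Data", namespaces=ns),
    }


if __name__ == "__main__":
    for cdata in (False, True):
        msg = build_replace("Device", "DoNotAllowUsersToChangePolicies", True, use_cdata=cdata)
        print(msg)
        print(read_back(msg))
```

Diffing the `read_back` output against the intended setting before upload catches a double-encoded or unencoded payload that the device would otherwise reject or misread.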


InternetExplorer/DoNotBlockOutdatedActiveXControls

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.

If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.

For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn off blocking of outdated ActiveX controls for Internet Explorer
  • GP name: VerMgmtDisable
  • GP path: Windows Components/Internet Explorer/Security Features/Add-on Management
  • GP ADMX file name: inetres.admx


InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:

  1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
  2. "hostname". For example, if you want to include http://example, use "example"
  3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm"

If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.

For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
  • GP name: VerMgmtDomainAllowlist
  • GP path: Windows Components/Internet Explorer/Security Features/Add-on Management
  • GP ADMX file name: inetres.admx
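
Every entry in this list exempts a site from outdated-ActiveX blocking, so it is worth linting the list before deployment. The following added example (not Microsoft's code) converts URL- or wildcard-style input into the three documented entry forms and rejects anything that fits none of them. The DNS label regex and the rejection of ports and credentials are assumptions, since the page shows only the three shapes; the sample list is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: standard DNS label syntax; the page only shows example shapes.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(_LABEL)
_DOMAIN = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def classify_entry(entry: str) -> str:
    """Return 'domain', 'hostname' or 'file' for a well-formed entry."""
    if entry.lower().startswith("file:///"):
        if not entry[len("file:///"):]:
            raise ValueError("file entry has no path")
        return "file"
    if _DOMAIN.fullmatch(entry):
        return "domain"
    if _HOSTNAME.fullmatch(entry):
        return "hostname"
    raise ValueError("not one of the three documented formats")


def to_entry(wanted: str) -> str:
    """Turn what an admin typed (URL, wildcard pattern) into a list entry."""
    s = wanted.strip()
    if s.lower().startswith("file:///"):
        classify_entry(s)
        return s
    if "://" in s:
        parts = urlsplit(s)
        # Assumption: the documented formats carry no port or credentials.
        if parts.username or parts.port:
            raise ValueError("entry carries a port or credentials")
        s = parts.hostname or ""
    else:
        s = s.split("/", 1)[0]  # drop any path such as "/*"
    if s.startswith("*."):
        s = s[2:]  # "*.contoso.com" is written as "contoso.com"
    s = s.lower()
    classify_entry(s)
    return s


def lint(entries):
    """Return (accepted entries, [(raw input, reason)]) with duplicates removed."""
    accepted, rejected = [], []
    for raw in entries:
        try:
            entry = to_entry(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if entry not in accepted:
            accepted.append(entry)
    return accepted, rejected


# Constructed sample input for illustration.
SAMPLE = [
    "*.contoso.com/*",
    "http://example",
    "file:///C:/Users/contoso/Desktop/index.htm",
    "contoso.com",
    "exa mple",
    "*",
    "https://example:8443/app",
]

if __name__ == "__main__":
    ok, bad = lint(SAMPLE)
    print("accepted:", ok)
    for raw, reason in bad:
        print("rejected:", repr(raw), "-", reason)
```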


InternetExplorer/IncludeAllLocalSites

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.

If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.

If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).

If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Intranet Sites: Include all local (intranet) sites not listed in other zones
  • GP name: IZ_IncludeUnspecifiedLocalSites
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/IncludeAllNetworkPaths

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.

If you enable this policy setting, all network paths are mapped into the Intranet Zone.

If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).

If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Intranet Sites: Include all network paths (UNCs)
  • GP name: IZ_UNCAsIntranet
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowAccessToDataSources

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Access data sources across domains
  • GP name: IZ_PolicyAccessDataSourcesAcrossDomains_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for ActiveX controls
  • GP name: IZ_PolicyNotificationBarActiveXURLaction_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting determines whether users will be prompted for file downloads that are not user-initiated. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for file downloads
  • GP name: IZ_PolicyNotificationBarDownloadURLaction_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowCopyPasteViaScript

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow cut, copy or paste operations from the clipboard via script
  • GP name: IZ_PolicyAllowPasteViaScript_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow drag and drop or copy and paste files
  • GP name: IZ_PolicyDropOrPasteFiles_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowFontDownloads

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow font downloads
  • GP name: IZ_PolicyFontDownload_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowLessPrivilegedSites

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Web sites in less privileged Web content zones can navigate into this zone
  • GP name: IZ_PolicyZoneElevationURLaction_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow loading of XAML files
  • GP name: IZ_Policy_XAML_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Run .NET Framework-reliant components not signed with Authenticode
  • GP name: IZ_PolicyUnsignedFrameworkComponentsURLaction_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow only approved domains to use ActiveX controls without prompt
  • GP name: IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow only approved domains to use the TDC ActiveX control
  • GP name: IZ_PolicyAllowTDCControl_Both_Internet
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowScriptInitiatedWindows

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow script-initiated windows without size or position constraints
  • GP name: IZ_PolicyWindowsRestrictionsURLaction_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow scripting of Internet Explorer WebBrowser controls
  • GP name: IZ_Policy_WebBrowserControl_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowScriptlets

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow scriptlets
  • GP name: IZ_Policy_AllowScriptlets_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowSmartScreenIE

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on SmartScreen Filter scan
  • GP name: IZ_Policy_Phishing_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow updates to status bar via script
  • GP name: IZ_Policy_ScriptStatusBar_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneAllowUserDataPersistence

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Userdata persistence
  • GP name: IZ_PolicyUserdataPersistence_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Don't run antimalware programs against ActiveX controls
  • GP name: IZ_PolicyAntiMalwareCheckingOfActiveXControls_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneDownloadSignedActiveXControls

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Download signed ActiveX controls
  • GP name: IZ_PolicyDownloadSignedActiveX_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneDownloadUnsignedActiveXControls

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Download unsigned ActiveX controls
  • GP name: IZ_PolicyDownloadUnsignedActiveX_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on Cross-Site Scripting Filter
  • GP name: IZ_PolicyTurnOnXSSFilter_Both_Internet
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Enable dragging of content from different domains across windows
  • GP name: IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Enable dragging of content from different domains within a window
  • GP name: IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneEnableMIMESniffing

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Enable MIME Sniffing
  • GP name: IZ_PolicyMimeSniffingURLaction_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneEnableProtectedMode

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on Protected Mode
  • GP name: IZ_Policy_TurnOnProtectedMode_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Include local path when user is uploading files to a server
  • GP name: IZ_Policy_LocalPathForUpload_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneInitializeAndScriptActiveXControls

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Initialize and script ActiveX controls not marked as safe
  • GP name: IZ_PolicyScriptActiveXNotMarkedSafe_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx
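
The Tip above requires <Format>chr</Format> and a payload that is either XML-encoded or wrapped in CDATA. The following is an added example, not taken from this page or from Microsoft's samples, that builds the Replace command for disabling this policy in both forms and checks that each decodes to the same payload. The OMA-URI prefix and the <disabled/> payload follow the general ADMX-backed policy convention and are assumptions not shown in this section; the surrounding SyncML/SyncBody envelope is omitted.

```python
"""Added example: SyncML <Replace> command for an ADMX-backed policy."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumption: device-scoped Policy CSP prefix; the policy name is the one
# documented in this section.
POLICY_URI = (
    "./Device/Vendor/MSFT/Policy/Config/"
    "InternetExplorer/InternetZoneInitializeAndScriptActiveXControls"
)

# Assumption: ADMX-backed payload that sets the policy to Disabled, so that
# ActiveX controls that cannot be made safe are not loaded or scripted.
DISABLED = "<disabled/>"


def build_replace(loc_uri, payload, cmd_id=1, use_cdata=False):
    """Return one <Replace> command carrying an ADMX-backed policy payload.

    The payload is itself XML, so it must not be embedded raw inside <Data>:
    it is either XML-encoded (default) or wrapped in a CDATA section.
    """
    if use_cdata:
        # A literal "]]>" would terminate the CDATA section early.
        if "]]>" in payload:
            raise ValueError("payload contains ']]>'; XML-encode it instead")
        data = "<![CDATA[" + payload + "]]>"
    else:
        data = escape(payload)  # & < >  ->  &amp; &lt; &gt;
    return (
        "<Replace>"
        f"<CmdID>{int(cmd_id)}</CmdID>"
        "<Item>"
        f"<Target><LocURI>{escape(loc_uri)}</LocURI></Target>"
        '<Meta><Format xmlns="syncml:metinf">chr</Format></Meta>'
        f"<Data>{data}</Data>"
        "</Item>"
        "</Replace>"
    )


def extract_payload(command_xml):
    """Parse a <Replace> command and return the decoded <Data> payload.

    Raises ValueError when the data type is not chr or when the payload was
    embedded as raw child elements (neither encoded nor in CDATA).
    """
    root = ET.fromstring(command_xml)
    item = root.find("Item")
    fmt = item.find("Meta/{syncml:metinf}Format")
    if fmt is None or fmt.text != "chr":
        raise ValueError("ADMX-backed policies require <Format>chr</Format>")
    data = item.find("Data")
    if len(data):  # child elements present: payload was inserted unencoded
        raise ValueError("payload must be XML-encoded or wrapped in CDATA")
    return data.text or ""


if __name__ == "__main__":
    for cdata in (False, True):
        command = build_replace(POLICY_URI, DISABLED, use_cdata=cdata)
        print(command)
        print("decoded payload:", extract_payload(command))
```
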


InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark1 check mark1 check mark1 check mark1 check mark1 check mark1


InternetExplorer/InternetZoneJavaPermissions

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Java permissions
  • GP name: IZ_PolicyJavaPermissions_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Launching applications and files in an IFRAME
  • GP name: IZ_PolicyLaunchAppsAndFilesInIFRAME_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneLogonOptions

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Logon options
  • GP name: IZ_PolicyLogon_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneNavigateWindowsAndFrames

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Navigate windows and frames across different domains
  • GP name: IZ_PolicyNavigateSubframesAcrossDomains_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Run .NET Framework-reliant components signed with Authenticode
  • GP name: IZ_PolicySignedFrameworkComponentsURLaction_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Show security warning for potentially unsafe files
  • GP name: IZ_Policy_UnsafeFiles_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/InternetZoneUsePopupBlocker

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Use Pop-up Blocker
  • GP name: IZ_PolicyBlockPopupWindows_1
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/IntranetZoneAllowAccessToDataSources

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Access data sources across domains
  • GP name: IZ_PolicyAccessDataSourcesAcrossDomains_3
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for ActiveX controls
  • GP name: IZ_PolicyNotificationBarActiveXURLaction_3
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for file downloads
  • GP name: IZ_PolicyNotificationBarDownloadURLaction_3
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/IntranetZoneAllowFontDownloads

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow font downloads
  • GP name: IZ_PolicyFontDownload_3
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/IntranetZoneAllowLessPrivilegedSites

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Web sites in less privileged Web content zones can navigate into this zone
  • GP name: IZ_PolicyZoneElevationURLaction_3
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Run .NET Framework-reliant components not signed with Authenticode
  • GP name: IZ_PolicyUnsignedFrameworkComponentsURLaction_3
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/IntranetZoneAllowScriptlets

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow scriptlets
  • GP name: IZ_Policy_AllowScriptlets_3
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/IntranetZoneAllowSmartScreenIE

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on SmartScreen Filter scan
  • GP name: IZ_Policy_Phishing_3
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/IntranetZoneAllowUserDataPersistence

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Userdata persistence
  • GP name: IZ_PolicyUserdataPersistence_3
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Don't run antimalware programs against ActiveX controls
  • GP name: IZ_PolicyAntiMalwareCheckingOfActiveXControls_3
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Initialize and script ActiveX controls not marked as safe
  • GP name: IZ_PolicyScriptActiveXNotMarkedSafe_3
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/IntranetZoneJavaPermissions

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Java permissions
  • GP name: IZ_PolicyJavaPermissions_3
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/IntranetZoneNavigateWindowsAndFrames

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Navigate windows and frames across different domains
  • GP name: IZ_PolicyNavigateSubframesAcrossDomains_3
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LocalMachineZoneAllowAccessToDataSources

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Access data sources across domains
  • GP name: IZ_PolicyAccessDataSourcesAcrossDomains_9
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for ActiveX controls
  • GP name: IZ_PolicyNotificationBarActiveXURLaction_9
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for file downloads
  • GP name: IZ_PolicyNotificationBarDownloadURLaction_9
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LocalMachineZoneAllowFontDownloads

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow font downloads
  • GP name: IZ_PolicyFontDownload_9
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Web sites in less privileged Web content zones can navigate into this zone
  • GP name: IZ_PolicyZoneElevationURLaction_9
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
  • GP ADMX file name: inetres.admx
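
The Tip above asks for `<Format>chr</Format>` and a payload that is either XML-encoded or wrapped in CDATA. The following is an added example, not code from this page or from Microsoft: it builds both forms for this policy and checks that a receiver decodes them to the same payload. The `<disabled/>` payload, the `./Device/Vendor/MSFT/Policy/Config/` URI prefix and the function names are assumptions not shown on this page.

```python
"""Build and check SyncML for an ADMX-backed Policy CSP setting (added example)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"s": "SYNCML:SYNCML1.2"}
# Policy name from this page; disabling it keeps Protection from Zone Elevation on.
POLICY = "InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites"


def build_replace(policy, payload, scope="Device", cmd_id=1, use_cdata=False):
    """Return a SyncML document with one Replace command for the policy."""
    if scope not in ("Device", "User"):
        raise ValueError("scope must be 'Device' or 'User'")
    if use_cdata:
        # A CDATA section cannot contain "]]>", so split it if it ever appears.
        data = "<![CDATA[" + payload.replace("]]>", "]]]]><![CDATA[>") + "]]>"
    else:
        # XML-encode so the ADMX markup travels as text inside <Data>.
        data = escape(payload)
    uri = f"./{scope}/Vendor/MSFT/Policy/Config/{escape(policy)}"
    return (
        '<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody><Replace>'
        f"<CmdID>{int(cmd_id)}</CmdID><Item>"
        "<Meta><Format>chr</Format></Meta>"
        f"<Target><LocURI>{uri}</LocURI></Target>"
        f"<Data>{data}</Data>"
        "</Item></Replace><Final/></SyncBody></SyncML>"
    )


def check_replace(syncml):
    """Parse a SyncML document and return (uri, state), or raise ValueError."""
    item = ET.fromstring(syncml).find("s:SyncBody/s:Replace/s:Item", NS)
    if item is None:
        raise ValueError("no Replace/Item found")
    fmt = item.findtext("s:Meta/s:Format", default="", namespaces=NS)
    if fmt != "chr":
        raise ValueError(f"Format must be chr, got {fmt!r}")
    data = item.find("s:Data", NS)
    if data is None or len(data) > 0:
        # Child elements under <Data> mean the payload was pasted in raw.
        raise ValueError("payload is not XML-encoded or wrapped in CDATA")
    payload = (data.text or "").strip()
    # The decoded payload is itself an XML fragment; wrap it to parse it.
    try:
        fragment = ET.fromstring(f"<p>{payload}</p>")
    except ET.ParseError as exc:
        raise ValueError(f"payload is not well-formed: {exc}") from None
    if len(fragment) == 0 or fragment[0].tag not in ("enabled", "disabled"):
        raise ValueError("payload must start with <enabled/> or <disabled/>")
    uri = item.findtext("s:Target/s:LocURI", namespaces=NS)
    return uri, fragment[0].tag


if __name__ == "__main__":
    for cdata in (False, True):
        doc = build_replace(POLICY, "<disabled/>", use_cdata=cdata)
        print(doc)
        print(check_replace(doc))
```

Running `check_replace` on a document whose payload was pasted in raw raises `ValueError`, which is the mistake the encoding requirement exists to prevent.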


InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Run .NET Framework-reliant components not signed with Authenticode
  • GP name: IZ_PolicyUnsignedFrameworkComponentsURLaction_9
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LocalMachineZoneAllowScriptlets

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow scriptlets
  • GP name: IZ_Policy_AllowScriptlets_9
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LocalMachineZoneAllowSmartScreenIE

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on SmartScreen Filter scan
  • GP name: IZ_Policy_Phishing_9
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LocalMachineZoneAllowUserDataPersistence

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Userdata persistence
  • GP name: IZ_PolicyUserdataPersistence_9
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Don't run antimalware programs against ActiveX controls
  • GP name: IZ_PolicyAntiMalwareCheckingOfActiveXControls_9
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Initialize and script ActiveX controls not marked as safe
  • GP name: IZ_PolicyScriptActiveXNotMarkedSafe_9
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LocalMachineZoneJavaPermissions

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Java permissions
  • GP name: IZ_PolicyJavaPermissions_9
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Navigate windows and frames across different domains
  • GP name: IZ_PolicyNavigateSubframesAcrossDomains_9
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Access data sources across domains
  • GP name: IZ_PolicyAccessDataSourcesAcrossDomains_2
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for ActiveX controls
  • GP name: IZ_PolicyNotificationBarActiveXURLaction_2
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for file downloads
  • GP name: IZ_PolicyNotificationBarDownloadURLaction_2
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownInternetZoneAllowFontDownloads

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow font downloads
  • GP name: IZ_PolicyFontDownload_2
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Web sites in less privileged Web content zones can navigate into this zone
  • GP name: IZ_PolicyZoneElevationURLaction_2
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Run .NET Framework-reliant components not signed with Authenticode
  • GP name: IZ_PolicyUnsignedFrameworkComponentsURLaction_2
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownInternetZoneAllowScriptlets

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow scriptlets
  • GP name: IZ_Policy_AllowScriptlets_2
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on SmartScreen Filter scan
  • GP name: IZ_Policy_Phishing_2
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Userdata persistence
  • GP name: IZ_PolicyUserdataPersistence_2
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Initialize and script ActiveX controls not marked as safe
  • GP name: IZ_PolicyScriptActiveXNotMarkedSafe_2
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownInternetZoneJavaPermissions

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Java permissions
  • GP name: IZ_PolicyJavaPermissions_2
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Navigate windows and frames across different domains
  • GP name: IZ_PolicyNavigateSubframesAcrossDomains_2
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Access data sources across domains
  • GP name: IZ_PolicyAccessDataSourcesAcrossDomains_4
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for ActiveX controls
  • GP name: IZ_PolicyNotificationBarActiveXURLaction_4
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for file downloads
  • GP name: IZ_PolicyNotificationBarDownloadURLaction_4
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownIntranetZoneAllowFontDownloads

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow font downloads
  • GP name: IZ_PolicyFontDownload_4
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Web sites in less privileged Web content zones can navigate into this zone
  • GP name: IZ_PolicyZoneElevationURLaction_4
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Run .NET Framework-reliant components not signed with Authenticode
  • GP name: IZ_PolicyUnsignedFrameworkComponentsURLaction_4
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownIntranetZoneAllowScriptlets

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow scriptlets
  • GP name: IZ_Policy_AllowScriptlets_4
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on SmartScreen Filter scan
  • GP name: IZ_Policy_Phishing_4
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Userdata persistence
  • GP name: IZ_PolicyUserdataPersistence_4
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Initialize and script ActiveX controls not marked as safe
  • GP name: IZ_PolicyScriptActiveXNotMarkedSafe_4
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Navigate windows and frames across different domains
  • GP name: IZ_PolicyNavigateSubframesAcrossDomains_4
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources

Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise
cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Access data sources across domains
  • GP name: IZ_PolicyAccessDataSourcesAcrossDomains_10
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for ActiveX controls
  • GP name: IZ_PolicyNotificationBarActiveXURLaction_10
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for file downloads
  • GP name: IZ_PolicyNotificationBarDownloadURLaction_10
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow font downloads
  • GP name: IZ_PolicyFontDownload_10
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Web sites in less privileged Web content zones can navigate into this zone
  • GP name: IZ_PolicyZoneElevationURLaction_10
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Run .NET Framework-reliant components not signed with Authenticode
  • GP name: IZ_PolicyUnsignedFrameworkComponentsURLaction_10
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow scriptlets
  • GP name: IZ_Policy_AllowScriptlets_10
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on SmartScreen Filter scan
  • GP name: IZ_Policy_Phishing_10
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Userdata persistence
  • GP name: IZ_PolicyUserdataPersistence_10
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Initialize and script ActiveX controls not marked as safe
  • GP name: IZ_PolicyScriptActiveXNotMarkedSafe_10
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
  • GP ADMX file name: inetres.admx
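
The Tip above, worked through as an added example (not part of the original page or of Microsoft's own samples): a Python sketch that builds the SyncML Replace command disabling this policy, once with an XML-encoded payload and once with CDATA, and flags a message whose payload was sent unencoded. The LocURI layout, the `<Type>text/plain</Type>` element and the `<disabled/>` payload follow the general ADMX-backed policy convention and are assumptions not stated on this page; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"s": "SYNCML:SYNCML1.2"}

# Policy name taken from this page; the node prefix below is an assumption
# (general Policy CSP layout), not quoted from this page.
POLICY = "InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls"


def build_replace(policy, payload, scope="Device", cmd_id=1, encoding="escape"):
    """Build a SyncML Replace command for an ADMX-backed policy.

    encoding: "escape" XML-encodes the payload, "cdata" wraps it in a CDATA
    section, "raw" embeds it unencoded (the mistake the Tip warns about).
    """
    if scope not in ("Device", "User"):
        raise ValueError("scope must be 'Device' or 'User'")
    if encoding == "escape":
        data = escape(payload)  # < > & become &lt; &gt; &amp;
    elif encoding == "cdata":
        if "]]>" in payload:
            raise ValueError("payload contains ']]>' and cannot sit in one CDATA section")
        data = "<![CDATA[" + payload + "]]>"
    elif encoding == "raw":
        data = payload
    else:
        raise ValueError("unknown encoding: " + encoding)

    loc_uri = "./{}/Vendor/MSFT/Policy/Config/{}".format(scope, policy)
    return (
        '<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody><Replace>'
        "<CmdID>{}</CmdID><Item>"
        "<Meta><Format>chr</Format><Type>text/plain</Type></Meta>"
        "<Target><LocURI>{}</LocURI></Target>"
        "<Data>{}</Data>"
        "</Item></Replace><Final/></SyncBody></SyncML>"
    ).format(cmd_id, escape(loc_uri), data)


def check_message(syncml):
    """Parse a SyncML message and return (payload_text, problems)."""
    problems = []
    root = ET.fromstring(syncml)
    item = root.find("s:SyncBody/s:Replace/s:Item", NS)
    if item is None:
        raise ValueError("no Replace/Item element found")

    fmt = item.findtext("s:Meta/s:Format", default="", namespaces=NS)
    if fmt != "chr":
        problems.append("Format is {!r}, expected 'chr'".format(fmt))

    data = item.find("s:Data", NS)
    if data is None:
        problems.append("Data element is missing")
        return "", problems
    if len(data):
        # The payload was parsed as child elements of <Data>, so the client
        # would not receive it as a character string.
        problems.append("Data has child elements: payload is not XML-encoded or in CDATA")
    return (data.text or ""), problems


if __name__ == "__main__":
    for mode in ("escape", "cdata", "raw"):
        msg = build_replace(POLICY, "<disabled/>", encoding=mode)
        payload, problems = check_message(msg)
        print(mode, repr(payload), problems)
```

The escaped and CDATA forms both deliver the string `<disabled/>` to the client; the raw form parses as an empty `<Data>` with a nested element, which is the failure the encoding requirement prevents.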


InternetExplorer/LockedDownLocalMachineZoneJavaPermissions

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Java permissions
  • GP name: IZ_PolicyJavaPermissions_10
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Navigate windows and frames across different domains
  • GP name: IZ_PolicyNavigateSubframesAcrossDomains_10
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Access data sources across domains
  • GP name: IZ_PolicyAccessDataSourcesAcrossDomains_8
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for ActiveX controls
  • GP name: IZ_PolicyNotificationBarActiveXURLaction_8
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for file downloads
  • GP name: IZ_PolicyNotificationBarDownloadURLaction_8
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow font downloads
  • GP name: IZ_PolicyFontDownload_8
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Web sites in less privileged Web content zones can navigate into this zone
  • GP name: IZ_PolicyZoneElevationURLaction_8
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Run .NET Framework-reliant components not signed with Authenticode
  • GP name: IZ_PolicyUnsignedFrameworkComponentsURLaction_8
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow scriptlets
  • GP name: IZ_Policy_AllowScriptlets_8
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE

Home        Pro         Business    Enterprise  Education   Mobile      Mobile Enterprise
cross mark  check mark  check mark  check mark  check mark  cross mark  cross mark

Scope:

  • User
  • Device

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on SmartScreen Filter scan
  • GP name: IZ_Policy_Phishing_8
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Userdata persistence
  • GP name: IZ_PolicyUserdataPersistence_8
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the "Script ActiveX controls marked safe for scripting" option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Initialize and script ActiveX controls not marked as safe
  • GP name: IZ_PolicyScriptActiveXNotMarkedSafe_8
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Java permissions
  • GP name: IZ_PolicyJavaPermissions_8
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.

If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Navigate windows and frames across different domains
  • GP name: IZ_PolicyNavigateSubframesAcrossDomains_8
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Access data sources across domains
  • GP name: IZ_PolicyAccessDataSourcesAcrossDomains_6
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for ActiveX controls
  • GP name: IZ_PolicyNotificationBarActiveXURLaction_6
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for file downloads
  • GP name: IZ_PolicyNotificationBarDownloadURLaction_6
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow font downloads
  • GP name: IZ_PolicyFontDownload_6
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Web sites in less privileged Web content zones can navigate into this zone
  • GP name: IZ_PolicyZoneElevationURLaction_6
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Run .NET Framework-reliant components not signed with Authenticode
  • GP name: IZ_PolicyUnsignedFrameworkComponentsURLaction_6
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow scriptlets
  • GP name: IZ_Policy_AllowScriptlets_6
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on SmartScreen Filter scan
  • GP name: IZ_Policy_Phishing_6
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Userdata persistence
  • GP name: IZ_PolicyUserdataPersistence_6
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the "Script ActiveX controls marked safe for scripting" option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Initialize and script ActiveX controls not marked as safe
  • GP name: IZ_PolicyScriptActiveXNotMarkedSafe_6
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
  • GP ADMX file name: inetres.admx
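
The Tip above describes how the payload must be encoded. The following added example, which is not part of the original page or Microsoft's own code, builds SyncML Replace commands that disable three Locked-Down Trusted Sites Zone policies and checks that the XML-encoded and CDATA forms decode to the same payload. The ./Device/Vendor/MSFT/Policy/Config/ LocURI prefix, the <disabled/> payload and all function names are assumptions not shown on this page.

```python
"""Build and validate SyncML for ADMX-backed InternetExplorer policies (added example)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "SYNCML:SYNCML1.2"
# Assumption: device-scope Policy CSP node; the policies also list User scope.
POLICY_ROOT = "./Device/Vendor/MSFT/Policy/Config/InternetExplorer/"

REPLACE_TEMPLATE = """\
    <Replace>
      <CmdID>{cmd_id}</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Target>
          <LocURI>{loc_uri}</LocURI>
        </Target>
        <Data>{data}</Data>
      </Item>
    </Replace>"""

# Constructed sample: policies whose "disabled" state the page describes as
# blocking the risky behaviour in the Locked-Down Trusted Sites Zone.
HARDENING = [
    ("LockedDownTrustedSitesZoneAllowLessPrivilegedSites", "<disabled/>"),
    ("LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents", "<disabled/>"),
    ("LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls", "<disabled/>"),
]


def encode_payload(payload, use_cdata=False):
    """Return the payload XML-encoded, or wrapped in a CDATA section."""
    if use_cdata:
        if "]]>" in payload:
            # "]]>" would terminate the CDATA section early.
            raise ValueError("payload contains ']]>' and cannot be wrapped in CDATA")
        return "<![CDATA[" + payload + "]]>"
    return escape(payload)  # encodes &, < and >


def build_syncml(settings, use_cdata=False):
    """Build one SyncML document with a Replace command per (policy, payload)."""
    commands = [
        REPLACE_TEMPLATE.format(
            cmd_id=cmd_id,
            loc_uri=escape(POLICY_ROOT + policy),
            data=encode_payload(payload, use_cdata),
        )
        for cmd_id, (policy, payload) in enumerate(settings, start=1)
    ]
    return (
        '<SyncML xmlns="{ns}">\n  <SyncBody>\n{cmds}\n    <Final/>\n'
        "  </SyncBody>\n</SyncML>"
    ).format(ns=NS, cmds="\n".join(commands))


def decode_payloads(syncml):
    """Parse a SyncML document and return {policy name: decoded payload}.

    Rejects items whose Format is not chr and items whose Data was left
    unencoded (the parser then sees child elements instead of text).
    """
    def q(name):
        return "{%s}%s" % (NS, name)

    payloads = {}
    for item in ET.fromstring(syncml).iter(q("Item")):
        uri = item.findtext("%s/%s" % (q("Target"), q("LocURI")))
        fmt = item.findtext("%s/%s" % (q("Meta"), q("Format")))
        data = item.find(q("Data"))
        if fmt != "chr":
            raise ValueError("%s: Format must be chr, got %r" % (uri, fmt))
        if len(data) or not data.text:
            raise ValueError("%s: payload is not XML-encoded or CDATA-wrapped" % uri)
        payloads[uri.rsplit("/", 1)[-1]] = data.text
    return payloads


if __name__ == "__main__":
    document = build_syncml(HARDENING, use_cdata=True)
    print(document)
    for name, payload in decode_payloads(document).items():
        print(name, "->", payload)
```
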


InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Java permissions
  • GP name: IZ_PolicyJavaPermissions_6
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Navigate windows and frames across different domains
  • GP name: IZ_PolicyNavigateSubframesAcrossDomains_6
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Internet Explorer Processes
  • GP name: IESF_PolicyExplorerProcesses_3
  • GP path: Windows Components/Internet Explorer/Security Features/MK Protocol Security Restriction
  • GP ADMX file name: inetres.admx


InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Internet Explorer Processes
  • GP name: IESF_PolicyExplorerProcesses_6
  • GP path: Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature
  • GP ADMX file name: inetres.admx


InternetExplorer/NotificationBarInternetExplorerProcesses

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Internet Explorer Processes
  • GP name: IESF_PolicyExplorerProcesses_10
  • GP path: Windows Components/Internet Explorer/Security Features/Notification bar
  • GP ADMX file name: inetres.admx


InternetExplorer/PreventManagingSmartScreenFilter

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Prevent managing SmartScreen Filter
  • GP name: Disable_Managing_Safety_Filter_IE9
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/PreventPerUserInstallationOfActiveXControls

Home  Pro  Business  Enterprise  Education  Mobile  Mobile Enterprise
No    Yes  Yes       Yes         Yes        No      No

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Prevent per-user installation of ActiveX controls
  • GP name: DisablePerUserActiveXInstall
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: All Processes
  • GP name: IESF_PolicyAllProcesses_9
  • GP path: Windows Components/Internet Explorer/Security Features/Protection From Zone Elevation
  • GP ADMX file name: inetres.admx


InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Remove "Run this time" button for outdated ActiveX controls in Internet Explorer
  • GP name: VerMgmtDisableRunThisTime
  • GP path: Windows Components/Internet Explorer/Security Features/Add-on Management
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: All Processes
  • GP name: IESF_PolicyAllProcesses_11
  • GP path: Windows Components/Internet Explorer/Security Features/Restrict ActiveX Install
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictFileDownloadInternetExplorerProcesses

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: All Processes
  • GP name: IESF_PolicyAllProcesses_12
  • GP path: Windows Components/Internet Explorer/Security Features/Restrict File Download
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Access data sources across domains
  • GP name: IZ_PolicyAccessDataSourcesAcrossDomains_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx
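
The Tip's requirements (Format chr, an XML-encoded or CDATA-wrapped payload) applied to this policy's "disable" state, as an added example that is not part of the original page. The `./Device/Vendor/MSFT/Policy/Config/InternetExplorer/<policy>` OMA-URI layout and the `<enabled/>` / `<disabled/>` payloads follow Microsoft's ADMX-backed policy documentation; the function names are hypothetical, and `lint` shows what an unencoded payload looks like to an XML parser.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"s": "SYNCML:SYNCML1.2"}
ITEM_PATH = "s:SyncBody/s:Replace/s:Item"


def loc_uri(policy, scope="Device"):
    """OMA-URI of an InternetExplorer policy (layout assumed from the Policy CSP docs)."""
    if scope not in ("Device", "User"):
        raise ValueError("scope must be 'Device' or 'User'")
    return f"./{scope}/Vendor/MSFT/Policy/Config/InternetExplorer/{policy}"


def build_replace(policy, payload, scope="Device", cmd_id=1, use_cdata=False):
    """Build a SyncML Replace command carrying an ADMX-backed policy payload."""
    if use_cdata:
        # A CDATA section ends at the first "]]>", so such a payload must be escaped instead.
        if "]]>" in payload:
            raise ValueError("payload contains ']]>' and cannot sit in one CDATA section")
        data = f"<![CDATA[{payload}]]>"
    else:
        data = escape(payload)  # turns & < > into entities
    return (
        '<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>'
        f"<Replace><CmdID>{cmd_id}</CmdID><Item>"
        "<Meta><Format>chr</Format><Type>text/plain</Type></Meta>"
        f"<Target><LocURI>{escape(loc_uri(policy, scope))}</LocURI></Target>"
        f"<Data>{data}</Data>"
        "</Item></Replace><Final/></SyncBody></SyncML>"
    )


def read_item(syncml):
    """Return format, target URI and decoded payload as the receiving parser sees them."""
    item = ET.fromstring(syncml).find(ITEM_PATH, NS)
    return {
        "format": item.findtext("s:Meta/s:Format", namespaces=NS),
        "uri": item.findtext("s:Target/s:LocURI", namespaces=NS),
        "payload": item.findtext("s:Data", namespaces=NS),
    }


def lint(syncml):
    """List problems that would stop the payload from being read as an ADMX policy state."""
    problems = []
    item = ET.fromstring(syncml).find(ITEM_PATH, NS)
    data = item.find("s:Data", NS)
    if item.findtext("s:Meta/s:Format", namespaces=NS) != "chr":
        problems.append("Format is not chr")
    if len(data):
        # Raw markup inside <Data> becomes SyncML child elements, not character data.
        problems.append("Data holds child elements: payload was not XML-encoded or wrapped in CDATA")
    payload = data.text or ""
    try:
        wrapper = ET.fromstring(f"<p>{payload}</p>")
        first = wrapper[0].tag if len(wrapper) else None
    except ET.ParseError:
        first = None
    if first not in ("enabled", "disabled"):
        problems.append("payload does not start with <enabled/> or <disabled/>")
    return problems


if __name__ == "__main__":
    policy = "RestrictedSitesZoneAllowAccessToDataSources"
    for use_cdata in (False, True):
        message = build_replace(policy, "<disabled/>", use_cdata=use_cdata)
        print(message)
        print(read_item(message), lint(message))
```

Both encodings decode to the same character data on the device side; the difference is only in how the `<Data>` element is written on the wire.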


InternetExplorer/RestrictedSitesZoneAllowActiveScripting

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow active scripting
  • GP name: IZ_PolicyActiveScripting_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for ActiveX controls
  • GP name: IZ_PolicyNotificationBarActiveXURLaction_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting determines whether users will be prompted for file downloads that are not user-initiated. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for file downloads
  • GP name: IZ_PolicyNotificationBarDownloadURLaction_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow binary and script behaviors
  • GP name: IZ_PolicyBinaryBehaviors_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow cut, copy or paste operations from the clipboard via script
  • GP name: IZ_PolicyAllowPasteViaScript_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow drag and drop or copy and paste files
  • GP name: IZ_PolicyDropOrPasteFiles_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowFileDownloads

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow file downloads
  • GP name: IZ_PolicyFileDownload_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowFontDownloads

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow font downloads
  • GP name: IZ_PolicyFontDownload_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by the Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by the Protection from Zone Elevation feature control.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Web sites in less privileged Web content zones can navigate into this zone
  • GP name: IZ_PolicyZoneElevationURLaction_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow loading of XAML files
  • GP name: IZ_Policy_XAML_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow META REFRESH
  • GP name: IZ_PolicyAllowMETAREFRESH_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Run .NET Framework-reliant components not signed with Authenticode
  • GP name: IZ_PolicyUnsignedFrameworkComponentsURLaction_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow only approved domains to use ActiveX controls without prompt
  • GP name: IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow only approved domains to use the TDC ActiveX control
  • GP name: IZ_PolicyAllowTDCControl_Both_Restricted
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow script-initiated windows without size or position constraints
  • GP name: IZ_PolicyWindowsRestrictionsURLaction_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow scripting of Internet Explorer WebBrowser controls
  • GP name: IZ_Policy_WebBrowserControl_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowScriptlets

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow scriptlets
  • GP name: IZ_Policy_AllowScriptlets_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on SmartScreen Filter scan
  • GP name: IZ_Policy_Phishing_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow updates to status bar via script
  • GP name: IZ_Policy_ScriptStatusBar_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Userdata persistence
  • GP name: IZ_PolicyUserdataPersistence_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Don't run antimalware programs against ActiveX controls
  • GP name: IZ_PolicyAntiMalwareCheckingOfActiveXControls_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Download signed ActiveX controls
  • GP name: IZ_PolicyDownloadSignedActiveX_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Download unsigned ActiveX controls
  • GP name: IZ_PolicyDownloadUnsignedActiveX_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on Cross-Site Scripting Filter
  • GP name: IZ_PolicyTurnOnXSSFilter_Both_Restricted
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Enable dragging of content from different domains across windows
  • GP name: IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Enable dragging of content from different domains within a window
  • GP name: IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneEnableMIMESniffing

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Enable MIME Sniffing
  • GP name: IZ_PolicyMimeSniffingURLaction_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Include local path when user is uploading files to a server
  • GP name: IZ_Policy_LocalPathForUpload_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Initialize and script ActiveX controls not marked as safe
  • GP name: IZ_PolicyScriptActiveXNotMarkedSafe_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx
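
The Tip above asks for `<Format>chr</Format>` and an XML-encoded or CDATA-wrapped payload. The following is an added example, not Microsoft's own code, that builds such a Replace command both ways and checks that each decodes to the same payload. The `./{scope}/Vendor/MSFT/Policy/Config/InternetExplorer/...` node path and the `<disabled/>` payload are assumptions taken from the general Policy CSP convention for ADMX-backed policies, not from this page.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"s": "SYNCML:SYNCML1.2"}

# Scopes copied from this page for two of its policies.
POLICY_SCOPES = {
    "RestrictedSitesZoneInitializeAndScriptActiveXControls": {"User", "Device"},
    "SecurityZonesUseOnlyMachineSettings": {"Device"},
}

TEMPLATE = """<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>{cmd_id}</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Target>
          <LocURI>{uri}</LocURI>
        </Target>
        <Data>{data}</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>"""


def loc_uri(scope, policy):
    """Return the Policy CSP node (assumed path shape), honouring the listed scope."""
    if scope not in POLICY_SCOPES[policy]:
        raise ValueError(f"{policy} does not support {scope} scope")
    return f"./{scope}/Vendor/MSFT/Policy/Config/InternetExplorer/{policy}"


def build_replace(cmd_id, scope, policy, payload, use_cdata=False):
    """Build a Replace command with the payload XML-encoded or wrapped in CDATA."""
    if use_cdata:
        # A literal "]]>" would end the CDATA section early.
        if "]]>" in payload:
            raise ValueError("payload contains ']]>' and cannot sit in one CDATA section")
        data = f"<![CDATA[{payload}]]>"
    else:
        data = escape(payload)  # & < > become &amp; &lt; &gt;
    return TEMPLATE.format(cmd_id=cmd_id, uri=loc_uri(scope, policy), data=data)


def check_replace(syncml_text):
    """Return (decoded_payload, problems) for the first Replace item."""
    item = ET.fromstring(syncml_text).find("./s:SyncBody/s:Replace/s:Item", NS)
    problems = []
    if item.findtext("./s:Meta/s:Format", namespaces=NS) != "chr":
        problems.append("Format is not chr")
    data = item.find("./s:Data", NS)
    if len(data):
        # Unencoded markup is parsed as SyncML child elements, not as a string.
        problems.append("Data holds child elements: payload was not encoded")
    payload = data.text or ""
    try:
        fragment = ET.fromstring(f"<r>{payload}</r>")
        first = fragment[0].tag.lower() if len(fragment) else None
    except ET.ParseError:
        first = None
    if first not in ("enabled", "disabled"):
        problems.append("payload does not start with <enabled/> or <disabled/>")
    return payload, problems


POLICY = "RestrictedSitesZoneInitializeAndScriptActiveXControls"
ESCAPED = build_replace(1, "Device", POLICY, "<disabled/>")
WITH_CDATA = build_replace(2, "Device", POLICY, "<disabled/>", use_cdata=True)
# Constructed failure case: the same message with the payload pasted in unencoded.
UNENCODED = ESCAPED.replace("&lt;disabled/&gt;", "<disabled/>")

if __name__ == "__main__":
    for name, doc in (("escaped", ESCAPED), ("cdata", WITH_CDATA), ("unencoded", UNENCODED)):
        print(name, check_replace(doc))
```

Running the check on a payload before it goes to the MDM server catches the unencoded case, which still parses as well-formed XML but no longer carries the policy as a `chr` string.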


InternetExplorer/RestrictedSitesZoneJavaPermissions

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Java permissions
  • GP name: IZ_PolicyJavaPermissions_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Launching applications and files in an IFRAME
  • GP name: IZ_PolicyLaunchAppsAndFilesInIFRAME_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneLogonOptions

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Logon options
  • GP name: IZ_PolicyLogon_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.

If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Navigate windows and frames across different domains
  • GP name: IZ_PolicyNavigateSubframesAcrossDomains_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Run ActiveX controls and plugins
  • GP name: IZ_PolicyRunActiveXControls_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Run .NET Framework-reliant components signed with Authenticode
  • GP name: IZ_PolicySignedFrameworkComponentsURLaction_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Script ActiveX controls marked safe for scripting
  • GP name: IZ_PolicyScriptActiveXMarkedSafe_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Scripting of Java applets
  • GP name: IZ_PolicyScriptingOfJavaApplets_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Show security warning for potentially unsafe files
  • GP name: IZ_Policy_UnsafeFiles_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on Protected Mode
  • GP name: IZ_Policy_TurnOnProtectedMode_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/RestrictedSitesZoneUsePopupBlocker

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Use Pop-up Blocker
  • GP name: IZ_PolicyBlockPopupWindows_7
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: All Processes
  • GP name: IESF_PolicyAllProcesses_8
  • GP path: Windows Components/Internet Explorer/Security Features/Scripted Window Security Restrictions
  • GP ADMX file name: inetres.admx


InternetExplorer/SearchProviderList

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.

If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

If you disable or do not configure this policy setting, the user can configure his or her list of search providers.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Restrict search providers to a specific list
  • GP name: SpecificSearchProvider
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/SecurityZonesUseOnlyMachineSettings

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Security Zones: Use only machine settings
  • GP name: Security_HKLM_only
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/SpecifyUseOfActiveXInstallerService

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Specify use of ActiveX Installer Service for installation of ActiveX controls
  • GP name: OnlyUseAXISForActiveXInstall
  • GP path: Windows Components/Internet Explorer
  • GP ADMX file name: inetres.admx


InternetExplorer/TrustedSitesZoneAllowAccessToDataSources

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Access data sources across domains
  • GP name: IZ_PolicyAccessDataSourcesAcrossDomains_5
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for ActiveX controls
  • GP name: IZ_PolicyNotificationBarActiveXURLaction_5
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Automatic prompting for file downloads
  • GP name: IZ_PolicyNotificationBarDownloadURLaction_5
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/TrustedSitesZoneAllowFontDownloads

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow font downloads
  • GP name: IZ_PolicyFontDownload_5
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Web sites in less privileged Web content zones can navigate into this zone
  • GP name: IZ_PolicyZoneElevationURLaction_5
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Run .NET Framework-reliant components not signed with Authenticode
  • GP name: IZ_PolicyUnsignedFrameworkComponentsURLaction_5
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/TrustedSitesZoneAllowScriptlets

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user cannot run scriptlets.

If you do not configure this policy setting, the user can enable or disable scriptlets.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Allow scriptlets
  • GP name: IZ_Policy_AllowScriptlets_5
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/TrustedSitesZoneAllowSmartScreenIE

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Turn on SmartScreen Filter scan
  • GP name: IZ_Policy_Phishing_5
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/TrustedSitesZoneAllowUserDataPersistence

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Userdata persistence
  • GP name: IZ_PolicyUserdataPersistence_5
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Don't run antimalware programs against ActiveX controls
  • GP name: IZ_PolicyAntiMalwareCheckingOfActiveXControls_5
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Initialize and script ActiveX controls not marked as safe
  • GP name: IZ_PolicyScriptActiveXNotMarkedSafe_5
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  • GP ADMX file name: inetres.admx
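
The Tip above requires a chr-format payload that is either XML-encoded or wrapped in CDATA. This added example (not from the original documentation) builds both forms of a Replace command that disables this policy and checks that they decode to the same payload. The `./Device/Vendor/MSFT/Policy/Config/` LocURI prefix and the `<disabled/>` payload are assumed from the ADMX-backed policy format the Tip refers to, and the CmdID is a constructed value.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumed OMA-URI: device-scope Policy CSP prefix + the policy name from this page.
LOC_URI = ("./Device/Vendor/MSFT/Policy/Config/"
           "InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls")
PAYLOAD = "<disabled/>"  # assumed ADMX-backed payload that disables the policy

TEMPLATE = """<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>{cmd_id}</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Target>
          <LocURI>{loc_uri}</LocURI>
        </Target>
        <Data>{data}</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>"""

def build_syncml(payload, use_cdata=False, cmd_id=1):
    """Return a SyncML Replace command carrying an ADMX-backed payload."""
    if use_cdata:
        # A CDATA section ends at the first ']]>', so such a payload must be encoded instead.
        if "]]>" in payload:
            raise ValueError("payload contains ']]>'; XML-encode it instead")
        data = "<![CDATA[" + payload + "]]>"
    else:
        data = escape(payload)  # &, < and > become entities
    return TEMPLATE.format(cmd_id=cmd_id, loc_uri=escape(LOC_URI), data=data)

def extract(syncml):
    """Parse the message and return (format, payload) as an XML parser sees them."""
    ns = {"s": "SYNCML:SYNCML1.2"}
    item = ET.fromstring(syncml).find("s:SyncBody/s:Replace/s:Item", ns)
    return item.find("s:Meta/s:Format", ns).text, item.find("s:Data", ns).text

if __name__ == "__main__":
    for cdata in (False, True):
        msg = build_syncml(PAYLOAD, use_cdata=cdata)
        print(msg, extract(msg), sep="\n", end="\n\n")
```
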


InternetExplorer/TrustedSitesZoneJavaPermissions

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Java permissions
  • GP name: IZ_PolicyJavaPermissions_5
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  • GP ADMX file name: inetres.admx


InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

Scope:

  • User
  • Device

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ADMX Info:

  • GP English name: Navigate windows and frames across different domains
  • GP name: IZ_PolicyNavigateSubframesAcrossDomains_5
  • GP path: Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
  • GP ADMX file name: inetres.admx

Footnote:

  • 1 - Added in Windows 10, version 1607.
  • 2 - Added in Windows 10, version 1703.
  • 3 - Added in Windows 10, version 1709.