共用方式為


Group Policy Settings

Applies To: Windows 7

This section describes each of the Group Policy settings that are listed in the section Windows SteadyState. For each Group Policy setting, this section lists the location within the Group Policy Editor, the recommended values, and a description of the policy.

Windows SteadyState defines three security levels—High, Medium, and Low. These security levels provide a shortcut for configuring the many settings that it exposed. For example, clicking the High security level might enable a setting, whereas clicking the Medium or Low security level would disable the setting. The recommendations for most of the Group Policy settings represented in this section are based on Windows SteadyState security levels.

Add Logoff to the Start Menu

Note

Location

Always open All Control Panel Items when opening Control Panel

Location

User Configuration\Administrative Templates\Control Panel

Recommended

High: Disabled

Medium: Disabled

Low: Disabled

Description

This policy sets All Control Panel Items as the default Control Panel view.

If the policy is disabled, Control Panel Home is the default view.

Disable AutoComplete for forms

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

The AutoComplete feature suggests possible matches when users are filling in forms.

If you enable this setting, the user does not receive suggested matches when filling in forms. The user cannot change this setting.

If you disable this setting, the user receives suggested matches when filling in forms.

If you do not configure this setting, the user has the freedom to turn on the AutoComplete feature for forms.

To display this option, users can open the Internet Options dialog box, click the Contents tab, and then click Settings.

Disable changing home page settings

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer

Recommended

https://www.bing.com/

Description

The home page that is specified on the General tab of the Internet Options dialog box is the default webpage that Internet Explorer® loads whenever it is run.

If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the users’ computers. For computers that are Internet Explorer 7 or Internet Explorer 8, the home page can be set within this policy to override other home page policies.

If you disable or do not configure this policy setting, the home page box is enabled and users can choose their own home page.

Disable Context menu

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

Recommended

High: Disabled

Medium: Disabled

Low: Disabled

Description

This setting prevents the shortcut menu from appearing when users click the right mouse button while using the browser.

If you enable this policy, the shortcut menu will not appear when users point to a webpage, and then click the right mouse button.

If you disable this policy or do not configure it, users can use the shortcut menu.

You can use this policy to ensure that users do not use the shortcut menu as an alternate method of running commands that have been removed from other parts of the interface.

Disable customizing browser toolbar buttons

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Toolbars

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This policy prevents users from determining which buttons appear on the Internet Explorer and Windows Explorer standard toolbars. The buttons that appear on the toolbar can be customized with the Customize option. This is present on the Toolbars submenu of the View menu in Internet Explorer 6 and under the Toolbars submenu on the Tools menu in the Command bar in Internet Explorer 7 and Internet Explorer 8.

If you enable this policy, the Customize option will be removed from the menu.

If you disable this policy or do not configure it, users can customize which buttons appear on the Internet Explorer and Windows Explorer toolbars.

This policy can be used in coordination with the "Disable customizing browser toolbars" policy, which prevents users from determining which toolbars are displayed in Internet Explorer and Windows Explorer.

Disable customizing browser toolbars

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Toolbars

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting prevents users from determining which toolbars are displayed in Internet Explorer and Windows Explorer.

If you enable this policy, the list of toolbars, which users can display by clicking the View menu and pointing to Toolbars, will appear unavailable.

If you disable this policy or do not configure it, users can determine which toolbars are displayed in Internet Explorer and Windows Explorer.

This policy can be used in coordination with the "Disable customizing browser toolbar buttons" policy, which prevents users from adding or removing toolbars from Internet Explorer.

Disable the Advanced page

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Advanced tab from the interface in the Internet Options dialog box.

If you enable this policy, users are prevented from seeing and changing advanced Internet settings, such as security, multimedia, and printing.

If you disable this policy or do not configure it, users can see and change these settings.

When you set this policy, you do not need to set the "Disable changing Advanced page settings" policy (located in \User Configuration\Administrative Templates\Administrative Templates\Windows Components\Internet Explorer), because this policy removes the Advanced tab from the interface.

Disable the Connections page

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This policy setting removes the Connections tab from the interface in the Internet Options dialog box.

If you enable this policy, users are prevented from seeing and changing connection and proxy settings.

If you disable this policy or do not configure it, users can see and change these settings.

When you set this policy, you do not need to set the following policies for the Connections tab, because this policy removes the Connections tab from the interface:

  • "Disable Internet Connection Wizard"

  • "Disable changing connection settings"

  • "Disable changing proxy settings"

  • "Disable changing Automatic Configuration settings"

Disable the Content page

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

If you enable this policy setting, users are prevented from seeing and changing ratings, certificates, AutoComplete, Wallet, and Profile Assistant settings.

If you disable this policy or do not configure it, users can see and change these settings.

Disable the General page

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting removes the General tab from the interface in the Internet Options dialog box.

If you enable this policy, users are unable to see and change settings for the home page, the cache, history, webpage appearance, and accessibility.

If you disable this policy or do not configure it, users can see and change these settings.

When you set this policy, you do not need to set the following Internet Explorer policies (located in \User Configuration\Administrative Templates\Administrative Templates\Windows Components\Internet Explorer), because this policy removes the General tab from the interface:

  • "Disable changing home page settings"

  • "Disable changing Temporary Internet files settings"

  • "Disable changing history settings"

  • "Disable changing color settings"

  • "Disable changing link color settings"

  • "Disable changing font settings"

  • "Disable changing language settings"

  • "Disable changing accessibility settings"

Disable the Privacy page

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Privacy tab from the interface in the Internet Options dialog box.

If you enable this policy, users are prevented from seeing and changing default settings for privacy.

If you disable this policy or do not configure it, users can see and change these settings.

Disable the Programs page

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting removes the Programs tab from the interface in the Internet Options dialog box.

If you enable this policy, users are prevented from seeing and changing default settings for Internet programs.

If you disable this policy or do not configure it, users can see and change these settings.

When you set this policy, you do not need to set the following policies for the Programs tab, because this policy removes the Programs tab from the interface:

  • "Disable changing Messaging settings"

  • "Disable changing Calendar and Contact settings"

  • "Disable the Reset Web Settings feature"

  • "Disable changing default browser check"

Disable the Security page

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Security tab from the interface in the Internet Options dialog box.

If you enable this policy, users are prevented from seeing and changing settings for security zones such as scripting, downloads, and user authentication.

If you disable this policy or do not configure it, users can see and change these settings.

When you set this policy, you do not need to set the following Internet Explorer policies, because this policy removes the Security tab from the interface:

  • "Security zones: Do not allow users to change policies"

  • "Security zones: Do not allow users to add/delete sites"

Do not keep history of recently opened documents

Note

Location

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents.

If you enable this setting, the operating system and Windows programs do not create shortcuts to documents that are opened while the setting is in effect. Also, they retain but do not display existing document shortcuts. The operating system empties the Recent Items menu on the Start menu, and Windows programs do not display shortcuts at the bottom of the File menu. In addition, the submenus for programs in the Start menu and Taskbar do not show lists of recently or frequently used files, folders, or websites.

If you disable or do not configure this setting, the system will store and display shortcuts to recently and frequently used files, folders, and websites.

Note

The system saves document shortcuts in the user profile in the \Users\User-name\Recent folder.

If you enable this setting, but you do not enable the "Remove Recent Items menu from Start menu" setting, the Recent Items menu appears on the Start menu, but it is empty.

If you enable this setting, but then you later disable it or set it to Not Configured, the document shortcuts that saved before the setting was enabled appear in the Recent Items menu, program File menus, and submenus.

This setting does not hide or prevent the user from pinning files, folders, or websites to the Jump Lists. See the "Do not allow pinning items in Jump Lists" setting. This policy also does not hide tasks that the application has provided for their Jump List. This setting does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting.

Note

Non-Microsoft applications that are certified with the Windows 2000, Windows XP, Windows Vista or Windows 7 operating systems must adhere to this setting.

Do not move deleted files to the Recycle Bin

Location

User Configuration\Administrative Templates\Windows Explorer

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

When a file or folder is deleted in Windows Explorer, a copy of the file or folder is placed in the Recycle Bin. You can use this setting to change that behavior.

If you enable this setting, files and folders that are deleted by using Windows Explorer will not be placed in the Recycle Bin and therefore will be permanently deleted.

If you disable or do not configure this setting, files and folders that are deleted by using Windows Explorer will be placed in the Recycle Bin.

Empty Temporary Internet Files folder when browser is closed

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This policy setting allows you to manage whether Internet Explorer deletes the contents of the Temporary Internet Files folder after all browser windows are closed. This protects against storing dangerous files on the computer or storing sensitive files that other users could see, in addition to managing total disk space usage.

If you enable this policy setting, Internet Explorer will delete the contents of the user's Temporary Internet Files folder when all browser windows are closed.

If you disable this policy setting, Internet Explorer will not delete the contents of the user's Temporary Internet Files folder when browser windows are closed.

If you do not configure this policy, Internet Explorer will not delete the contents of the Temporary Internet Files folder when browser windows are closed.

File menu: Disable New menu option

Warning

Location

Note

The user can still open new tabs.

Force classic Start menu

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting affects the presentation of the Start menu.

The classic Start menu in Windows 2000 Professional allows users to begin common tasks, whereas the new Start menu consolidates common items onto one menu. When the classic Start Menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly.

If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons.

If you disable this setting, the Start menu opens in the new style, and the desktop icons appear on the Start page.

If you do not configure this setting, the default is the new style, and the user can change the view.

Hide Favorites menu

Note

Location

Hide Network Locations icon on desktop

Note

Location

Hide the notification area

Note

Location

Hide these specified drives in My Computer

Note

Location

Recommended

High: Restrict all drives

Medium: Disabled

Low: Disabled

Description

This setting removes the icons that represent selected hard disk drives from My Computer and Windows Explorer. Also, the letters that represent the selected drives do not appear in the standard Open dialog box.

To use this setting, select a drive or combination of drives in the drop-down list. To display all drives, disable this setting or select the "Do not restrict drives" option in the drop-down list.

Note

This setting removes the hard disk drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a Command Prompt window.

This setting does not prevent users from using programs to access these drives or their contents. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.

Note

Non-Microsoft applications that are certified with the Windows 2000, Windows XP, Windows Vista or Windows 7 operating systems must adhere to this setting.

Interactive logon: Do not display last user name

Location

Computer Configuration\Windows Settings\Local Policies\Security Options

Recommended

Enabled

Default: Disabled

Description

This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen.

If this policy is enabled, the name of the last user to successfully log on is not displayed in the logon screen.

If this policy is disabled, the name of the last user to log on is displayed.

Lock the Taskbar

Note

Location

Network access: Do not allow storage of credentials or .NET Passports for network authentication

Note

Location

Network security: Do not store LAN Manager hash value on next password change

Note

Location

This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and Windows Server 2003 to communicate with computers running Windows 95 and Windows 98.

Prevent access to drives from My Computer

Note

Location

Recommended

High: Restrict all drives

Medium: Disabled

Low: Disabled

Description

This setting prevents users from using My Computer to gain access to the content of selected hard disk drives.

If you enable this setting, users can browse the directory structure of the selected drives in My Computer or Windows Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.

To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list.

Note

The icons that represent the specified drives still appear in My Computer, but if users double-click the icons, a message appears to explain that a setting prevents the action.

This setting does not prevent users from using programs to access local and network drives. It does not prevent them from using the Disk Management snap-in to view and change drive characteristics.

Prevent access to registry editing tools

Location

User Configuration\Administrative Templates\System

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting disables the Windows registry editor Regedit.exe.

If this setting is enabled and the user tries to start a registry editor, a message appears to explain that a setting prevents the action.

To prevent users from using other administrative tools, use the "Run only specified Windows applications" setting.

Prevent access to the command prompt

Note

Location

Prevent adding, dragging, dropping and closing the Taskbar's toolbars

Note

Location

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting prevents users from manipulating desktop toolbars.

If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars.

Note

If users have added or removed toolbars, this setting prevents them from restoring the default configuration.

Tip

To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar), and point to Toolbars.

Prevent addition of printers

Note

Location

If this policy is disabled or not configured, users can add printers by using the methods described.

Prevent changes to Taskbar and Start Menu Settings

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting removes the Taskbar and Start Menu item from Settings on the Start Menu. This setting also prevents the user from opening the taskbar’s Properties dialog box.

If the user right-clicks the taskbar and clicks Properties, a message appears to explain that a setting prevents the action.

Prevent deletion of printers

Location

User Configuration\Administrative Templates\Control Panel\Printers

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting prevents users from deleting local and network printers.

If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears to explain that a setting prevents the action.

This setting does not prevent users from running other programs to delete a printer.

If this policy is disabled or not configured, users can delete printers by using the methods described.

Prohibit access to the Control Panel

Location

User Configuration\Administrative Templates\Control Panel

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting disables all Control Panel programs.

This setting prevents Control.exe (the program file for Control Panel) from starting. As a result, users cannot start Control Panel or adjust any Control Panel settings.

This setting also removes Control Panel from the Start Menu and removes the Control Panel folder from Windows Explorer.

If users try to select a Control Panel item from the Properties item on a context menu, a message appears to explain that a setting prevents the action.

Removable Disks: Deny write access

Note

Location

Remove "Map Network Drive" and "Disconnect Network Drive"

Note

Location

Note

Non-Microsoft applications that are certified with the Windows 2000, Windows XP, Windows Vista or Windows 7 operating systems must adhere to this setting.

Remove access to the context menus for the taskbar

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting hides the menus that appear when you right-click the taskbar and items on the taskbar, such as the Start button, the clock, and the taskbar buttons.

This setting does not prevent users from using other methods to issue the commands that appear in these menus.

Remove CD Burning features

Note

Location

Remove Change Password

Location

User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting prevents users from changing their Windows password on demand.

This setting disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del).

However, users are still able to change their password when prompted by the operating system. The system prompts users for a new password when an administrator requires a new password or when their password is expiring.

Remove common program groups from Start Menu

Tip

Location

Note

Location

Remove Documents icon from Start Menu

Note

Location

Remove drag-and-drop and context menus on the Start menu

Note

Location

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting prevents users from using the drag-and-drop method to reorder or remove items on the Start menu. Also, it removes context menus from the Start menu.

If you disable this setting or do not configure it, users can remove or reorder Start menu items by dragging and dropping the item. Users can display context menus by right-clicking a Start menu item.

This setting does not prevent users from using other methods to customize the Start menu or perform the tasks that are available from the context menus.

Remove Favorites menu from Start menu

Note

Location

Note

The items that appear in the Favorites menu when you install Windows are preconfigured by the operating system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group.

Note

This setting affects only the Start menu. The Favorites menu still appears in Windows Explorer and in Internet Explorer.

Remove frequent programs list from the Start menu

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

If you enable this setting, the frequently used programs list is removed from the Start menu.

If you disable this setting or do not configure it, the frequently used programs list remains on the simple Start menu.

Remove Help menu from Start menu

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting removes the Help and Support option from the Start menu.

This setting affects only the Start menu. It does not remove Help and Support from Windows Explorer, and it does not prevent users from running Help and Support.

Note

Location

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting prevents users from connecting to the Windows Update website.

This setting blocks user access to the Windows Update website at https://windowsupdate.microsoft.com. Also, the setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer.

Windows Update, the online extension of Windows, offers software updates to keep a user’s system up-to-date. The Windows Update Product Catalog determines operating system files, security fixes, and Microsoft updates that users need to update, and it shows the newest versions that are available to download.

Remove Lock Computer

Tip

Location

Remove Music icon from Start menu

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Music icon from the Start menu.

Remove My Documents icon on the desktop

Note

Location

Remove Network Connections from Start menu

Note

Location

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting prevents users from running Network Connections.This setting prevents the Network Connections folder from opening. This setting also removes Network Connections from Settings on the Start menu.

Network Connections still appears in Control Panel and in Windows Explorer, but if users try to start it, a message appears to explain that a setting prevents the action.

Remove Network icon from Start menu

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Network icon from the Start menu.

Remove Pictures icon from Start menu

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Pictures icon from the Start menu.

Remove programs on Settings menu

Note

Location

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting prevents Control Panel, Printers, and Network Connections from running.

This setting removes the Control Panel, Printers, and Network and Connection folders from Start menu, Computer, and Windows Explorer settings. It also prevents the programs represented by these folders (such as Control.exe) from running.

However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking Computer to start System.

Remove Recent Items menu from Start menu

Note

Location

Remove Recycle Bin icon from desktop

Note

Location

Remove Run menu from Start menu

Note

Location

Note

Non-Microsoft applications that are certified with the Windows 2000, Windows XP, Windows Vista or Windows 7 operating systems must adhere to this setting.

Remove Task Manager

Location

User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting prevents users from starting Task Manager (Taskmgr.exe).

If this setting is enabled and users try to start Task Manager, a message appears to explain that a setting prevents the action.

Task Manager lets users start and stop programs; monitor the performance of their computers; view and monitor all programs running on their computers, including system services; find the executable names of programs; and change the priority of the process in which programs run.

Remove Windows Explorer's default context menu

Location

User Configuration\Administrative Templates\Windows Explorer

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting removes shortcut menus from the desktop and Windows Explorer. Shortcut menus appear when you right-click an item in Windows Explorer.

If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in Windows Explorer. This setting does not prevent users from using other methods to issue commands that are available on the shortcut menus.

Removes the Folder Options menu item from the Tools menu

Note

Location

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting removes the Folder Options item from all Windows Explorer menus and removes the Folder Options item from Control Panel. As a result, users cannot use the Folder Options dialog box.

Note

The Folder Options dialog box lets users set many properties of Windows Explorer, such as Active Desktop, Web view, Offline Files, hidden system files, and file types.

Restrict users to the explicitly permitted list of snap-ins

Note

Location

Search: Disable Find Files via F3 within the browser

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting disables using the F3 key to search in Internet Explorer and Windows Explorer.

If you enable this policy, the search functionality of the F3 key is disabled. Users cannot press F3 to search the Internet (from Internet Explorer) or to search the hard disk drive (from Windows Explorer). If the user presses F3, a message appears to explain that this feature has been disabled.

If you disable this policy or do not configure it, users can press F3 to search the Internet (from Internet Explorer) or the hard disk drive (from Windows Explorer).

This policy is intended for situations in which administrators do not want users to explore the Internet or the hard disk drive.

This policy can be used in coordination with the "File Menu: Disable Open menu option" policy (located in \User Configuration\Administrative Templates\Administrative Templates\Windows Components\Internet Explorer\Browser Menus), which prevents users from opening files by using the browser.

Shutdown: Allow system to be shut down without having to log on

Location

Computer Configuration\Windows Settings\Local Policies\Security Options

Recommended

Disabled

Default on workstations: Enabled.

Default on servers: Disabled.

Description

This security setting determines whether a computer can be shut down without having to log on to Windows.

When this policy is enabled, the Shut Down command is available on the Windows logon screen.

When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the “Shut down the system” user right before they can perform a system shutdown.

Tools menu: Disable Internet Options... menu option

Note

Location

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting prevents users from opening the Internet Options dialog box from the Tools menu in Internet Explorer.

If you enable this policy, users cannot change their Internet options, such as the default home page, cache size, and connection and proxy settings, from the Tools menu in the browser. When users click the Internet Options command on the Tools menu, an error message appears to explain that a setting prevents the action.

If you disable this policy or do not configure it, users can change their Internet settings from the browser’s Tools menu.

Warning

This policy does not prevent users from viewing and changing Internet settings by clicking the Internet Options icon in Control Panel.

Turn off AutoPlay

Note

Location

Turn off displaying the Internet Explorer Help menu

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This policy setting allows you to turn off the Help menu in Internet Explorer.

If you enable this policy setting, users will not be able to use the Internet Explorer Help.

The Help icon will be removed from the command bar, and the Help menu in the menu bar will not be functional. The use of the shortcut key F1 for Help will be restricted.

If you disable or do not configure this policy setting, the Help menu in Internet Explorer will be available to users and they can also use F1 to access Help.

Turn off feed and Web Slices discovery

Location

User Configuration\Administrative Templates\Windows Components\RSS Feeds

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This policy setting prevents users from having Internet Explorer automatically detect whether a feed or Web Slice is available for an associated webpage.

If you enable this policy setting, users will not receive a notification on the toolbar that a feed or Web Slice is available.

If you disable or do not configure this policy setting, users can see when a feed or Web Slice is available, and click the Feed Discovery button.

Turn off Print menu

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This policy setting allows you to manage whether users can access the Print menu.

If you enable this policy setting, the Print menu in Internet Explorer will not be available.

If you disable or do not configure this policy setting, the Print menu in Internet Explorer will be available.

Section Heading

Location

User Configuration\Administrative Templates\Windows Components\RSS Feeds

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This policy setting prevents users from using Internet Explorer as a feed reader. This setting has no impact on the Windows RSS Platform.

If you enable this policy setting, the user cannot access the Feeds list located in the Favorites center.

If you disable or do not configure this policy setting, users can access the Feeds list in the Favorites center.

Turn off Windows+X hotkeys

Location

User Configuration\Administrative Templates\Windows Explorer

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting disables the Windows+X hotkeys.

Keyboards with a Windows key provide users with shortcuts to common features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts Windows Explorer.

If you enable this setting, the Windows+X shortcut keys are unavailable.

If you disable or do not configure this setting, the Windows+X shortcut keys are available.

Turn on the auto-complete feature for user names and passwords on forms

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This AutoComplete feature can remember and suggest user names and passwords on forms.

If you enable this setting, users cannot change text in "User name and passwords on forms" or "Prompt me to save passwords." The AutoComplete feature for “User names and passwords on forms” will be turned on. You have to decide whether to select "Prompt me to save passwords."

If you disable this setting, the user cannot change text in "User name and passwords on forms" or "Prompt me to save passwords." The AutoComplete feature for “User names and passwords on forms” is turned off. The user also cannot opt to be prompted to save passwords.

If you do not configure this setting, the user has the freedom of turning on AutoComplete for “User names and passwords on forms” and the option of prompting to save passwords. To display this option, users can open Internet Options, click the Contents tab, and then click Settings.

View menu: Disable Full Screen menu option

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting prevents users from displaying the browser in full-screen (kiosk) mode, without the standard toolbar.

If you enable this policy, the Full Screen command on the View menu will appear unavailable, and pressing F11 will not display the browser in a full screen.

If you disable this policy or do not configure it, users can display the browser in full-screen mode.

This policy is intended to prevent users from displaying the browser without toolbars, which might be confusing for some beginner users.

View menu: Disable Source menu option

Warning

Location