Security best practices for Store Commerce for web in shared environments
Store Commerce for web is a web application that runs in the context of a browser. This article provides recommendations that can help secure Store Commerce for web in a shared environment.
Store Commerce for web is a web application that runs in the context of a web browser. Therefore, it's vulnerable to attack when a user can run any script in the context of the web application. One requirement for such attacks is that the user must have physical access to the computer, either in person or by using Remote Desktop Connection. Vulnerability to attack is an existing issue in most browsers that provide developer tools, and that enable scripts to be run without sufficient privilege control. Because the web application will have little influence over its hosting environment, one way to mitigate security issues is to add defense-in-depth. The defense-in-depth can be built by taking advantage of the restrictive policies of both the browser and the operating system.
Hardening instructions for a Store Commerce for web computer
Note
Removing Reply URLs or Service Principals will break operations related to Microsoft Entra in Store Commerce in the browser.
Here are some of the defense-in-depth recommendations for the operating system and/or browser that will have an activated instance of Store Commerce for web. The settings should be enabled or set by a high-privileged account for the operating system. Store Commerce for web should be used by a low-privileged account that can't override those settings. We recommend that you enable all the following settings. Otherwise, you could create a security loophole that will be prone to security exploitation.
- Required - Disable script execution in the browser's address bar.
- Required - Disable the browser's developer console.
- Required - Store Commerce for web should be accessed by a low-privileged user.
- Required - Set up group policies to enable a kiosk session.
- Recommended - Set up a proxy to access only websites included in a safe list.
Disable script execution in the address bar of the browser that runs Store Commerce for web
Internet Explorer - disable script execution
There is no option to disable script execution in the address bar in Internet Explorer. One alternative is to hide the address bar itself.
- Create a shortcut for the Store Commerce for web URL, and copy it to each store worker's Microsoft Windows desktop.
- Run regedit.exe to change the registry to disable the Internet Explorer address bar. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\ToolBars\Restrictions] "NoNavBar"=dword:00000001
Microsoft Edge - disable script execution
By design, Microsoft Edge prevents script execution in the address bar. Therefore, no action is required.
Disable the developer console in the browser that runs Store Commerce for web
Internet Explorer - disable the developer console
Use Group Policy Editor to enable the following group policy to disable the Internet Explorer developer console: \Administrative Templates\Windows Components\Internet Explorer\Toolbars\Turn off Developer Tools="Enabled"
Microsoft Edge - disable the developer console
Run regedit.exe to change the registry to disable the developer console. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\F12] "AllowDeveloperTools"=dword:00000000
Store Commerce for web should be accessed by a low-privileged user
A point of sale (POS) user must be a non-administrative account that doesn't have privileges to change applied policies.
Set up group policies to enable a kiosk session
We recommend that you apply the following restrictions for Store Commerce for web users:
- Restrict access to the file system.
- Restrict access to Control Panel.
- Restrict access to removable drives.
- Restrict access to shells that run commands.
- Restrict access to the registry.
- Restrict access to application management.
The following table lists the group policies to enable kiosk mode. The set of policies requires that you start your browser at the sign-in script. These policies can be adjusted to your requirements. You should always assess any security implications or talk to a specialist.
| Setting | State | Comment | Path |
|---|---|---|---|
| Enable screen saver | Disabled | No | \Control Panel\Personalization |
| Allow DFS roots to be published | Disabled | No | \Shared Folders |
| Allow shared folders to be published | Disabled | No | \Shared Folders |
| Add Search Internet link to Start Menu | Disabled | No | \Start Menu and Taskbar |
| Show Quick Launch on Taskbar | Disabled | No | \Start Menu and Taskbar |
| Show the Apps view automatically when the user goes to Start | Disabled | No | \Start Menu and Taskbar |
| Show "Run as different user" command on Start | Disabled | No | \Start Menu and Taskbar |
| Add the Run command to the Start Menu | Disabled | No | \Start Menu and Taskbar |
| Show Start on the display the user is using when they press the Windows logo key | Disabled | No | \Start Menu and Taskbar |
| Show Windows Store apps on the taskbar | Disabled | No | \Start Menu and Taskbar |
| Turn off shell protocol protected mode | Disabled | No | \Windows Components\File Explorer |
| Turn on menu bar by default | Disabled | No | \Windows Components\Internet Explorer |
| Turn on Script Execution | Disabled | No | \Windows Components\Windows PowerShell |
| Hide the "Add a program from CD-ROM or floppy disk" option | Enabled | No | \Control Panel\Add or Remove Programs |
| Hide the "Add programs from Microsoft" option | Enabled | No | \Control Panel\Add or Remove Programs |
| Hide the "Add programs from your network" option | Enabled | No | \Control Panel\Add or Remove Programs |
| Hide Add New Programs page | Enabled | No | \Control Panel\Add or Remove Programs |
| Remove Add or Remove Programs | Enabled | No | \Control Panel\Add or Remove Programs |
| Hide the Set Program Access and Defaults page | Enabled | No | \Control Panel\Add or Remove Programs |
| Hide Change or Remove Programs page | Enabled | No | \Control Panel\Add or Remove Programs |
| Go directly to Components Wizard | Enabled | No | \Control Panel\Add or Remove Programs |
| Remove Support Information | Enabled | No | \Control Panel\Add or Remove Programs |
| Hide Add/Remove Windows Components page | Enabled | No | \Control Panel\Add or Remove Programs |
| Disable the Display Control Panel | Enabled | No | \Control Panel\Display |
| Hide Settings tab | Enabled | No | \Control Panel\Display |
| Prevent changing color scheme | Enabled | No | \Control Panel\Personalization |
| Prevent changing theme | Enabled | No | \Control Panel\Personalization |
| Prevent changing visual style for windows and buttons | Enabled | No | \Control Panel\Personalization |
| Prohibit selection of visual style font size | Enabled | No | \Control Panel\Personalization |
| Prevent changing color and appearance | Enabled | No | \Control Panel\Personalization |
| Prevent changing desktop background | Enabled | No | \Control Panel\Personalization |
| Prevent changing desktop icons | Enabled | No | \Control Panel\Personalization |
| Prevent changing mouse pointers | Enabled | No | \Control Panel\Personalization |
| Prevent changing screen saver | Enabled | No | \Control Panel\Personalization |
| Prevent changing sounds | Enabled | No | \Control Panel\Personalization |
| Prevent addition of printers | Enabled | No | \Control Panel\Printers |
| Prevent deletion of printers | Enabled | No | \Control Panel\Printers |
| Hide "Set Program Access and Computer Defaults" page | Enabled | No | \Control Panel\Programs |
| Hide "Get Programs" page | Enabled | No | \Control Panel\Programs |
| Hide "Installed Updates" page | Enabled | No | \Control Panel\Programs |
| Hide "Programs and Features" page | Enabled | No | \Control Panel\Programs |
| Hide the Programs Control Panel | Enabled | No | \Control Panel\Programs |
| Hide "Windows Features" | Enabled | No | \Control Panel\Programs |
| Hide "Windows Marketplace" | Enabled | No | \Control Panel\Programs |
| Turn off automatic learning | Enabled | No | \Control Panel\Regional and Language Options\Handwriting personalization |
| Hide Regional and Language Options administrative options | Enabled | No | \Control Panel\Regional and Language Options |
| Hide and disable all items on the desktop | Enabled | No | \Desktop |
| Remove the Desktop Cleanup Wizard | Enabled | No | \Desktop |
| Hide Internet Explorer icon on desktop | Enabled | No | \Desktop |
| Remove Computer icon on the desktop | Enabled | No | \Desktop |
| Remove My Documents icon on the desktop | Enabled | No | \Desktop |
| Hide Network Locations icon on desktop | Enabled | No | \Desktop |
| Remove Properties from the Computer icon context menu | Enabled | No | \Desktop |
| Remove Properties from the Documents icon context menu | Enabled | No | \Desktop |
| Do not add shares of recently opened documents to Network Locations | Enabled | No | \Desktop |
| Remove Recycle Bin icon from desktop | Enabled | No | \Desktop |
| Remove Properties from the Recycle Bin context menu | Enabled | No | \Desktop |
| Do not save settings at exit | Enabled | No | \Desktop |
| Turn off Aero Shake window minimizing mouse gesture | Enabled | No | \Desktop |
| Prevent adding, dragging dropping and closing the Taskbar's toolbars | Enabled | ||
| Prohibit adjusting desktop toolbars | Enabled | No | \Desktop |
| Force Start to be either full screen size or menu size | Enabled | No | \Start Menu and Taskbar |
| Go to the desktop instead of Start when signing in | Enabled | No | \Start Menu and Taskbar |
| Turn off personalized menus | Enabled | No | \Start Menu and Taskbar |
| Lock the Taskbar | Enabled | No | \Start Menu and Taskbar |
| Turn off notification area cleanup | Enabled | No | \Start Menu and Taskbar |
| Remove Balloon Tips on Start Menu items | Enabled | No | \Start Menu and Taskbar |
| Prevent users from customizing their Start Screen | Enabled | No | \Start Menu and Taskbar |
| Remove common program groups from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Favorites menu from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Search link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove frequent programs list from the Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Games link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Help menu from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Turn off user tracking | Enabled | No | \Start Menu and Taskbar |
| Remove All Programs list from the Start menu | Enabled | No | \Start Menu and Taskbar |
| Remove Network Connections from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove pinned programs list from the Start Menu | Enabled | No | \Start Menu and Taskbar |
| Do not keep history of recently opened documents | Enabled | No | \Start Menu and Taskbar |
| Remove Recent Items menu from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Do not use the search-based method when resolving shell shortcuts | Enabled | No | \Start Menu and Taskbar |
| Do not use the tracking-based method when resolving shell shortcuts | Enabled | No | \Start Menu and Taskbar |
| Remove Run menu from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Default Programs link from the Start menu. | Enabled | No | \Start Menu and Taskbar |
| Remove Documents icon from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Music icon from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Network icon from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Pictures icon from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Do not search communications | Enabled | No | \Start Menu and Taskbar |
| Remove Search Computer link | Enabled | No | \Start Menu and Taskbar |
| Remove See More Results / Search Everywhere link | Enabled | No | \Start Menu and Taskbar |
| Do not search for files | Enabled | No | \Start Menu and Taskbar |
| Do not search Internet | Enabled | No | \Start Menu and Taskbar |
| Do not search programs and Control Panel items | Enabled | No | \Start Menu and Taskbar |
| Remove programs on Settings menu | Enabled | No | \Start Menu and Taskbar |
| Prevent changes to Taskbar and Start Menu Settings | Enabled | No | \Start Menu and Taskbar |
| Remove Downloads link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Homegroup link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Recorded TV link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove user's folders from the Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Videos link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Force classic Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Clock from the system notification area | Enabled | No | \Start Menu and Taskbar |
| Prevent grouping of taskbar items | Enabled | No | \Start Menu and Taskbar |
| Do not display any custom toolbars in the taskbar | Enabled | No | \Start Menu and Taskbar |
| Remove access to the context menus for the taskbar | Enabled | No | \Start Menu and Taskbar |
| Hide the notification area | Enabled | No | \Start Menu and Taskbar |
| Prevent users from uninstalling applications from Start | Enabled | No | \Start Menu and Taskbar |
| Remove user folder link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove user name from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove links and access to Windows Update | Enabled | No | \Start Menu and Taskbar |
| Remove the "Undock PC" button from the Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Notifications and Action Center | Enabled | No | \Start Menu and Taskbar |
| Disable showing balloon notifications as toasts. | Enabled | No | \Start Menu and Taskbar |
| Remove the Security and Maintenance icon | Enabled | No | \Start Menu and Taskbar |
| Remove the networking icon | Enabled | No | \Start Menu and Taskbar |
| Remove the battery meter | Enabled | No | \Start Menu and Taskbar |
| Remove the volume control icon | Enabled | No | \Start Menu and Taskbar |
| Turn off feature advertisement balloon notifications | Enabled | No | \Start Menu and Taskbar |
| Do not allow pinning Store app to the Taskbar | Enabled | No | \Start Menu and Taskbar |
| Do not allow pinning items in Jump Lists | Enabled | No | \Start Menu and Taskbar |
| Do not allow pinning programs to the Taskbar | Enabled | No | \Start Menu and Taskbar |
| Do not display or track items in Jump Lists from remote locations | Enabled | No | \Start Menu and Taskbar |
| Turn off automatic promotion of notification icons to the taskbar | Enabled | No | \Start Menu and Taskbar |
| Lock all taskbar settings | Enabled | No | \Start Menu and Taskbar |
| Prevent users from adding or removing toolbars | Enabled | No | \Start Menu and Taskbar |
| Prevent users from rearranging toolbars | Enabled | No | \Start Menu and Taskbar |
| Do not allow taskbars on more than one display | Enabled | No | \Start Menu and Taskbar |
| Turn off all balloon notifications | Enabled | No | \Start Menu and Taskbar |
| Remove pinned programs from the Taskbar | Enabled | No | \Start Menu and Taskbar |
| Prevent users from moving taskbar to another screen dock location | Enabled | No | \Start Menu and Taskbar |
| Prevent users from resizing the taskbar | Enabled | No | \Start Menu and Taskbar |
| Turn off taskbar thumbnails | Enabled | No | \Start Menu and Taskbar |
| Remove Task Manager | Enabled | No | \System\Ctrl+Alt+Del Options |
| Code signing for device drivers | Enabled | No | \System\Driver Installation |
| Turn off Windows Update device driver search prompt | Enabled | No | \System\Driver Installation |
| Disallow selection of Custom Locales | Enabled | No | \System\Locale Services |
| Disallow changing of geographic location | Enabled | No | \System\Locale Services |
| Disallow user override of locale settings | Enabled | No | \System\Locale Services |
| CD and DVD: Deny read access | Enabled | No | \System\Removable Storage Access |
| CD and DVD: Deny write access | Enabled | No | \System\Removable Storage Access |
| Floppy Drives: Deny read access | Enabled | No | \System\Removable Storage Access |
| Floppy Drives: Deny write access | Enabled | No | \System\Removable Storage Access |
| Removable Disks: Deny read access | Enabled | No | \System\Removable Storage Access |
| Removable Disks: Deny write access | Enabled | No | \System\Removable Storage Access |
| All Removable Storage classes: Deny all access | Enabled | No | \System\Removable Storage Access |
| Tape Drives: Deny read access | Enabled | No | \System\Removable Storage Access |
| Tape Drives: Deny write access | Enabled | No | \System\Removable Storage Access |
| WPD Devices: Deny read access | Enabled | No | \System\Removable Storage Access |
| WPD Devices: Deny write access | Enabled | No | \System\Removable Storage Access |
| Prevent access to the command prompt | Enabled | No | \System |
| Prevent access to registry editing tools | Enabled | No | \System |
| Prevent the wizard from running. | Enabled | No | \Windows Components\Add features to Windows 10 |
| Turn off Program Compatibility Assistant | Enabled | No | \Windows Components\Application Compatibility |
| Search, Share, Start, Devices and Settings don't appear when the mouse is pointing to the upper-right corner of the screen | Enabled | No | \Windows Components\Edge UI |
| Disable help tips | Enabled | No | \Windows Components\Edge UI |
| Turn off tracking of app usage | Enabled | No | \Windows Components\Edge UI |
| Do not show recent apps when the mouse is pointing to the upper-left corner of the screen | Enabled | No | \Windows Components\Edge UI |
| Prevent users from replacing the Command Prompt with Windows PowerShell in the menu they see when they right-click the lower-left corner or press the Windows logo key+X | Enabled | No | \Windows Components\Edge UI |
| Turn off switching between recent apps | Enabled | No | \Windows Components\Edge UI |
| Turn on or off details pane | Enabled | No | \Windows Components\File Explorer\Explorer Frame Pane |
| Turn off Preview Pane | Enabled | No | \Windows Components\File Explorer\Explorer Frame Pane |
| Do not display the Welcome Center at user logon | Enabled | No | \Windows Components\File Explorer |
| Turn on Classic Shell | Enabled | No | \Windows Components\File Explorer |
| Remove CD Burning features | Enabled | No | \Windows Components\File Explorer |
| Remove DFS tab | Enabled | No | \Windows Components\File Explorer |
| Hide these specified drives in My Computer | Enabled | No | \Windows Components\File Explorer |
| No Entire Network in Network Locations | Enabled | No | \Windows Components\File Explorer |
| Remove File menu from File Explorer | Enabled | No | \Windows Components\File Explorer |
| Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon | Enabled | No | \Windows Components\File Explorer |
| Remove Hardware tab | Enabled | No | \Windows Components\File Explorer |
| Hide the Manage item on the File Explorer context menu | Enabled | No | \Windows Components\File Explorer |
| Remove Shared Documents from My Computer | Enabled | No | \Windows Components\File Explorer |
| Remove "Map Network Drive" and "Disconnect Network Drive" | Enabled | No | \Windows Components\File Explorer |
| Remove the Search the Internet "Search again" link | Enabled | No | \Windows Components\File Explorer |
| Remove Security tab | Enabled | No | \Windows Components\File Explorer |
| Remove Search button from File Explorer | Enabled | No | \Windows Components\File Explorer |
| Remove File Explorer's default context menu | Enabled | No | \Windows Components\File Explorer |
| Prevent access to drives from My Computer | Enabled | No | \Windows Components\File Explorer |
| Turn off Windows+X hotkeys | Enabled | No | \Windows Components\File Explorer |
| No Computers Near Me in Network Locations | Enabled | No | \Windows Components\File Explorer |
| Request credentials for network installations | Enabled | No | \Windows Components\File Explorer |
| Prevent users from adding files to the root of their Users Files folder. | Enabled | No | \Windows Components\File Explorer |
| Turn off Accelerators | Enabled | No | \Windows Components\Internet Explorer\Accelerators |
| File menu: Disable closing the browser and Explorer windows | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| File menu: Disable Save As... menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| File menu: Disable Save As Web Page Complete | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| File menu: Disable New menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| File menu: Disable Open menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Help menu: Remove 'Send Feedback' menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Help menu: Remove 'For Netscape Users' menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Help menu: Remove 'Tip of the Day' menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Help menu: Remove 'Tour' menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Turn off Shortcut Menu | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Hide Favorites menu | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Disable Open in New Window menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Turn off Print Menu | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Turn off the ability to launch report site problems using a menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Disable Save this program to disk option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Tools menu: Disable Internet Options... menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| View menu: Disable Full Screen menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| View menu: Disable Source menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Turn off Developer Tools | Enabled | No | \Windows Components\Internet Explorer\Toolbars |
| Turn off toolbar upgrade tool | Enabled | No | \Windows Components\Internet Explorer\Toolbars |
| Hide the Command bar | Enabled | No | \Windows Components\Internet Explorer\Toolbars |
| Hide the status bar | Enabled | No | \Windows Components\Internet Explorer\Toolbars |
| Disable customizing browser toolbars | Enabled | No | \Windows Components\Internet Explorer\Toolbars |
| Disable customizing browser toolbar buttons | Enabled | No | \Windows Components\Internet Explorer\Toolbars |
| Turn off add-on performance notifications | Enabled | No | \Windows Components\Internet Explorer |
| Do not allow users to enable or disable add-ons | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing Advanced page settings | Enabled | No | \Windows Components\Internet Explorer |
| Turn off Favorites bar | Enabled | No | \Windows Components\Internet Explorer |
| Prevent per-user installation of ActiveX controls | Enabled | No | \Windows Components\Internet Explorer |
| Turn off Reopen Last Browsing Session | Enabled | No | \Windows Components\Internet Explorer |
| Turn off Tab Grouping | Enabled | No | \Windows Components\Internet Explorer |
| Prevent managing the phishing filter | Enabled | No | \Windows Components\Internet Explorer |
| Turn off Managing SmartScreen Filter for Internet Explorer 8 | Enabled | No | \Windows Components\Internet Explorer |
| Prevent managing SmartScreen Filter | Enabled | No | \Windows Components\Internet Explorer |
| Turn off the Security Settings Check feature | Enabled | No | \Windows Components\Internet Explorer |
| Enforce full-screen mode | Enabled | No | \Windows Components\Internet Explorer |
| Disable Import/Export Settings wizard | Enabled | No | \Windows Components\Internet Explorer |
| Prevent Internet Explorer Search box from appearing | Enabled | No | \Windows Components\Internet Explorer |
| Turn off Quick Tabs functionality | Enabled | No | \Windows Components\Internet Explorer |
| Turn off tabbed browsing | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing Automatic Configuration settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing Temporary Internet files settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing Calendar and Contact settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing certificate settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing default browser check | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing color settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing connection settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing font settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing language settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing link color settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing Messaging settings | Enabled | No | \Windows Components\Internet Explorer |
| Prevent managing pop-up exception list | Enabled | No | \Windows Components\Internet Explorer |
| Turn off pop-up management | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing Profile Assistant settings | Enabled | No | \Windows Components\Internet Explorer |
| Prevent changing proxy settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing ratings settings | Enabled | No | \Windows Components\Internet Explorer |
| Turn off the auto-complete feature for web addresses | Enabled | No | \Windows Components\Internet Explorer |
| Turn off suggestions for all user-installed providers | Enabled | No | \Windows Components\Internet Explorer |
| Turn off the quick pick menu | Enabled | No | \Windows Components\Internet Explorer |
| Search: Disable Find Files via F3 within the browser | Enabled | No | \Windows Components\Internet Explorer |
| Search: Disable Search Customization | Enabled | No | \Windows Components\Internet Explorer |
| Turn off ability to pin sites in Internet Explorer on the desktop | Enabled | No | \Windows Components\Internet Explorer |
| Turn off the offer to update to the latest version of Windows | Enabled | No | \Windows Components\Store |
| Turn off the Store application | Enabled | No | \Windows Components\Store |
| Prohibit New Task Creation | Enabled | No | \Windows Components\Task Scheduler |
Set up a proxy to access only websites included in a safe list
You can define a list of websites that a store worker (cashier) requires for normal operations, and set up an administrator-controlled proxy that has access only to these websites. Store Commerce for web requires access to the following websites:
- Store Commerce for web website
- Microsoft Entra ID sign-in page
- Commerce Scale Unit website
- Bing Maps resources
- Media resources
- Credit Card Payment acceptance page (optional)