Policy CSP - InternetExplorer

Tip

This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

Logo of Windows Insider.

Important

This CSP contains some settings that are under development and only applicable for Windows Insider Preview builds. These settings are subject to change and may have dependencies on other features or services in preview.

AddSearchProvider

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AddSearchProvider
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AddSearchProvider

This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.

  • If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]).

Note

This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

  • If you disable or don't configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name AddSearchProvider
Friendly Name Add a specific list of search providers to the user's list of search providers
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
Registry Value Name AddPolicySearchProviders
ADMX File Name inetres.admx

AllowActiveXFiltering

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowActiveXFiltering
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowActiveXFiltering

This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.

  • If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user can't turn off ActiveX Filtering, although they may add per-site exceptions.

  • If you disable or don't configure this policy setting, ActiveX Filtering isn't enabled by default for the user. The user can turn ActiveX Filtering on or off.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name TurnOnActiveXFiltering
Friendly Name Turn on ActiveX Filtering
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Safety\ActiveXFiltering
Registry Value Name IsEnabled
ADMX File Name inetres.admx

AllowAddOnList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowAddOnList
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowAddOnList

This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.

This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.

  • If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:

Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, '{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.

Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.

  • If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name AddonManagement_AddOnList
Friendly Name Add-on List
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Security Features > Add-on Management
Registry Key Name Software\Microsoft\Windows\CurrentVersion\Policies\Ext
Registry Value Name ListBox_Support_CLSID
ADMX File Name inetres.admx

AllowAutoComplete

Scope Editions Applicable OS
❌ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowAutoComplete

This AutoComplete feature can remember and suggest User names and passwords on Forms.

  • If you enable this setting, the user can't change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords".

  • If you disable this setting the user can't change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also can't opt to be prompted to save passwords.

  • If you don't configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name RestrictFormSuggestPW
Friendly Name Turn on the auto-complete feature for user names and passwords on forms
Location User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main
Registry Value Name FormSuggest Passwords
ADMX File Name inetres.admx

AllowCertificateAddressMismatchWarning

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowCertificateAddressMismatchWarning
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowCertificateAddressMismatchWarning

This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks.

  • If you enable this policy setting, the certificate address mismatch warning always appears.

  • If you disable or don't configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyWarnCertMismatch
Friendly Name Turn on certificate address mismatch warning
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Registry Value Name WarnOnBadCertRecving
ADMX File Name inetres.admx

AllowDeletingBrowsingHistoryOnExit

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowDeletingBrowsingHistoryOnExit
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowDeletingBrowsingHistoryOnExit

This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files, cookies, history, form data, and passwords) are applied, and those items are deleted.

  • If you enable this policy setting, deleting browsing history on exit's turned on.

  • If you disable this policy setting, deleting browsing history on exit's turned off.

  • If you don't configure this policy setting, it can be configured on the General tab in Internet Options.

If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DBHDisableDeleteOnExit
Friendly Name Allow deleting browsing history on exit
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Delete Browsing History
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Privacy
Registry Value Name ClearBrowsingHistoryOnExit
ADMX File Name inetres.admx

AllowEnhancedProtectedMode

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnhancedProtectedMode
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnhancedProtectedMode

Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

  • If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users won't be able to disable Enhanced Protected Mode.

  • If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.

  • If you don't configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Advanced_EnableEnhancedProtectedMode
Friendly Name Turn on Enhanced Protected Mode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main
Registry Value Name Isolation
ADMX File Name inetres.admx

AllowEnhancedSuggestionsInAddressBar

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnhancedSuggestionsInAddressBar
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnhancedSuggestionsInAddressBar

This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services.

  • If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm.

  • If you disable this policy setting, users won't receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm.

  • If you don't configure this policy setting, users can change the Suggestions setting on the Settings charm.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name AllowServicePoweredQSA
Friendly Name Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer
Registry Value Name AllowServicePoweredQSA
ADMX File Name inetres.admx

AllowEnterpriseModeFromToolsMenu

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnterpriseModeFromToolsMenu
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnterpriseModeFromToolsMenu

This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.

If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.

If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name EnterpriseModeEnable
Friendly Name Let users turn on and use Enterprise Mode from the Tools menu
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode
ADMX File Name inetres.admx

AllowEnterpriseModeSiteList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnterpriseModeSiteList
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnterpriseModeSiteList

This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.

  • If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.

  • If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name EnterpriseModeSiteList
Friendly Name Use the Enterprise Mode IE website list
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode
ADMX File Name inetres.admx

AllowFallbackToSSL3

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowFallbackToSSL3

This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.

We recommend that you don't allow insecure fallback in order to prevent a man-in-the-middle attack.

This policy doesn't affect which security protocols are enabled.

If you disable this policy, system defaults will be used.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Advanced_EnableSSL3Fallback
Friendly Name Allow fallback to SSL 3.0 (Internet Explorer)
Location Computer Configuration
Path Windows Components > Internet Explorer > Security Features
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
ADMX File Name inetres.admx

AllowInternetExplorer7PolicyList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetExplorer7PolicyList
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetExplorer7PolicyList

This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.

  • If you enable this policy setting, the user can add and remove sites from the list, but the user can't remove the entries that you specify.

  • If you disable or don't configure this policy setting, the user can add and remove sites from the list.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name CompatView_UsePolicyList
Friendly Name Use Policy List of Internet Explorer 7 sites
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Compatibility View
Registry Key Name Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList
ADMX File Name inetres.admx

AllowInternetExplorerStandardsMode

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetExplorerStandardsMode
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetExplorerStandardsMode

This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.

  • If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user can't change this behavior through the Compatibility View Settings dialog box.

  • If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user can't change this behavior through the Compatibility View Settings dialog box.

  • If you don't configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name CompatView_IntranetSites
Friendly Name Turn on Internet Explorer Standards Mode for local intranet
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Compatibility View
Registry Key Name Software\Policies\Microsoft\Internet Explorer\BrowserEmulation
Registry Value Name IntranetCompatibilityMode
ADMX File Name inetres.admx

AllowInternetZoneTemplate

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetZoneTemplate
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

  • If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

  • If you disable this template policy setting, no security level is configured.

  • If you don't configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It's recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyInternetZoneTemplate
Friendly Name Internet Zone Template
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Template Policies
Registry Value Name InternetZoneTemplate
ADMX File Name inetres.admx

AllowIntranetZoneTemplate

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowIntranetZoneTemplate
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowIntranetZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

  • If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

  • If you disable this template policy setting, no security level is configured.

  • If you don't configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It's recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyIntranetZoneTemplate
Friendly Name Intranet Zone Template
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Settings\Template Policies
Registry Value Name IntranetZoneTemplate
ADMX File Name inetres.admx

AllowLegacyURLFields

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows Insider Preview
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLegacyURLFields
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLegacyURLFields

This policy setting allows the use of some disabled functionality, such as WorkingDirectory field or pluggable protocol handling, in Internet Shortcut files.

If you enable this policy, disabled functionality for Internet Shortcut files will be re-enabled.

If you disable, or don't configure this policy, some functionality for Internet Shortcut files, such as WorkingDirectory field or pluggable protocol handling, will be disabled.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name AllowLegacyURLFields
Friendly Name Allow legacy functionality for Internet Shortcut files
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main
Registry Value Name AllowLegacyURLFields
ADMX File Name inetres.admx

AllowLocalMachineZoneTemplate

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLocalMachineZoneTemplate
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLocalMachineZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

  • If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

  • If you disable this template policy setting, no security level is configured.

  • If you don't configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It's recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyLocalMachineZoneTemplate
Friendly Name Local Machine Zone Template
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Settings\Template Policies
Registry Value Name LocalMachineZoneTemplate
ADMX File Name inetres.admx

AllowLockedDownInternetZoneTemplate

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownInternetZoneTemplate
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownInternetZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

  • If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

  • If you disable this template policy setting, no security level is configured.

  • If you don't configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It's recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyInternetZoneLockdownTemplate
Friendly Name Locked-Down Internet Zone Template
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings\Template Policies
Registry Value Name InternetZoneLockdownTemplate
ADMX File Name inetres.admx

AllowLockedDownIntranetZoneTemplate

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownIntranetZoneTemplate
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownIntranetZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

  • If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

  • If you disable this template policy setting, no security level is configured.

  • If you don't configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It's recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyIntranetZoneLockdownTemplate
Friendly Name Locked-Down Intranet Zone Template
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings\Template Policies
Registry Value Name IntranetZoneLockdownTemplate
ADMX File Name inetres.admx

AllowLockedDownLocalMachineZoneTemplate

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownLocalMachineZoneTemplate
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownLocalMachineZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

  • If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

  • If you disable this template policy setting, no security level is configured.

  • If you don't configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It's recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyLocalMachineZoneLockdownTemplate
Friendly Name Locked-Down Local Machine Zone Template
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Lockdown Settings\Template Policies
Registry Value Name LocalMachineZoneLockdownTemplate
ADMX File Name inetres.admx

AllowLockedDownRestrictedSitesZoneTemplate

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

  • If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

  • If you disable this template policy setting, no security level is configured.

  • If you don't configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It's recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyRestrictedSitesZoneLockdownTemplate
Friendly Name Locked-Down Restricted Sites Zone Template
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings\Template Policies
Registry Value Name RestrictedSitesZoneLockdownTemplate
ADMX File Name inetres.admx

AllowOneWordEntry

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowOneWordEntry
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowOneWordEntry

This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.

  • If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it's available.

  • If you disable or don't configure this policy setting, Internet Explorer doesn't go directly to an intranet site for a one-word entry in the Address bar.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name UseIntranetSiteForOneWordEntry
Friendly Name Go to an intranet site for a one-word entry in the Address bar
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Settings > Advanced settings > Browsing
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main
Registry Value Name GotoIntranetSiteForSingleWordEntry
ADMX File Name inetres.admx

AllowSaveTargetAsInIEMode

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20348] and later
✅ Windows 10, version 1903 [10.0.18362.1350] and later
✅ Windows 10, version 2004 with KB4598291 [10.0.19041.789] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSaveTargetAsInIEMode
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSaveTargetAsInIEMode

This policy setting allows admins to enable "Save Target As" context menu in Internet Explorer mode.

  • If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer.

  • If you disable or don't configure this policy setting, "Save Target As" won't show up in the Internet Explorer mode context menu.

For more information, see https://go.microsoft.com/fwlink/?linkid=2102115

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name AllowSaveTargetAsInIEMode
Friendly Name Allow "Save Target As" in Internet Explorer mode
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode
Registry Value Name AllowSaveTargetAsInIEMode
ADMX File Name inetres.admx

Example:

 <policy name="AllowSaveTargetAsInIEMode" class="Both" displayName="$(string.AllowSaveTargetAsInIEMode)" explainText="$(string.IE_ExplainAllowSaveTargetAsInIEMode)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" valueName="AllowSaveTargetAsInIEMode">
      <parentCategory ref="InternetExplorer" />
      <supportedOn ref="SUPPORTED_IE11" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>

AllowSiteToZoneAssignmentList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList

This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.

Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer).

  • If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:

Valuename - A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter https://www.contoso.com as the valuename, other protocols aren't affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, don't include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.

Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.

  • If you disable or don't configure this policy, users may choose their own site-to-zone assignments.

Note

This policy is a list that contains the site and index value.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Zonemaps
Friendly Name Site to Zone Assignment List
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Registry Value Name ListBox_Support_ZoneMapKey
ADMX File Name inetres.admx

The list is a set of pairs of strings. Each string is separated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below.

Example:

  <SyncBody>
      <Replace>
          <CmdID>2</CmdID>
           <Item>
               <Meta>
                  <Format>chr</Format>
                  <Type>text/plain</Type>
              </Meta>
              <Target>
                  <LocURI>./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList</LocURI>
              </Target>
               <Data>&lt;Enabled/&gt;&lt;Data id=&quot;IZ_ZonemapPrompt&quot; value=&quot;http://adfs.contoso.org&#xF000;1&#xF000;http://microsoft.com&#xF000;2&quot;/&gt;</Data>
          </Item>
      </Replace>
      <Final/>
  </SyncBody>

Value and index pairs in the SyncML example:

  • https://adfs.contoso.org 1
  • https://microsoft.com 2

AllowsLockedDownTrustedSitesZoneTemplate

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

  • If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

  • If you disable this template policy setting, no security level is configured.

  • If you don't configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It's recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyTrustedSitesZoneLockdownTemplate
Friendly Name Locked-Down Trusted Sites Zone Template
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings\Template Policies
Registry Value Name TrustedSitesZoneLockdownTemplate
ADMX File Name inetres.admx

AllowSoftwareWhenSignatureIsInvalid

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSoftwareWhenSignatureIsInvalid
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSoftwareWhenSignatureIsInvalid

This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file.

  • If you enable this policy setting, users will be prompted to install or run files with an invalid signature.

  • If you disable this policy setting, users can't run or install files with an invalid signature.

  • If you don't configure this policy, users can choose to run or install files with an invalid signature.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Advanced_InvalidSignatureBlock
Friendly Name Allow software to run or install even if the signature is invalid
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Download
Registry Value Name RunInvalidSignatures
ADMX File Name inetres.admx

AllowsRestrictedSitesZoneTemplate

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowsRestrictedSitesZoneTemplate
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowsRestrictedSitesZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

  • If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

  • If you disable this template policy setting, no security level is configured.

  • If you don't configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It's recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyRestrictedSitesZoneTemplate
Friendly Name Restricted Sites Zone Template
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Settings\Template Policies
Registry Value Name RestrictedSitesZoneTemplate
ADMX File Name inetres.admx

AllowSuggestedSites

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSuggestedSites
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSuggestedSites

This policy setting controls the Suggested Sites feature, which recommends websites based on the user's browsing activity. Suggested Sites reports a user's browsing history to Microsoft to suggest sites that the user might want to visit.

  • If you enable this policy setting, the user isn't prompted to enable Suggested Sites. The user's browsing history is sent to Microsoft to produce suggestions.

  • If you disable this policy setting, the entry points and functionality associated with this feature are turned off.

  • If you don't configure this policy setting, the user can turn on and turn off the Suggested Sites feature.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name EnableSuggestedSites
Friendly Name Turn on Suggested Sites
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Suggested Sites
Registry Value Name Enabled
ADMX File Name inetres.admx

AllowTrustedSitesZoneTemplate

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowTrustedSitesZoneTemplate
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowTrustedSitesZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

  • If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

  • If you disable this template policy setting, no security level is configured.

  • If you don't configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It's recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyTrustedSitesZoneTemplate
Friendly Name Trusted Sites Zone Template
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Settings\Template Policies
Registry Value Name TrustedSitesZoneTemplate
ADMX File Name inetres.admx

CheckServerCertificateRevocation

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/CheckServerCertificateRevocation
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/CheckServerCertificateRevocation

This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are revoked when they've been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.

  • If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked.

  • If you disable this policy setting, Internet Explorer won't check server certificates to see if they've been revoked.

  • If you don't configure this policy setting, Internet Explorer won't check server certificates to see if they've been revoked.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Advanced_CertificateRevocation
Friendly Name Check for server certificate revocation
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Registry Value Name CertificateRevocation
ADMX File Name inetres.admx

CheckSignaturesOnDownloadedPrograms

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/CheckSignaturesOnDownloadedPrograms
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/CheckSignaturesOnDownloadedPrograms

This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs.

  • If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers.

  • If you disable this policy setting, Internet Explorer won't check the digital signatures of executable programs or display their identities before downloading them to user computers.

  • If you don't configure this policy, Internet Explorer won't check the digital signatures of executable programs or display their identities before downloading them to user computers.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Advanced_DownloadSignatures
Friendly Name Check for signatures on downloaded programs
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Download
Registry Value Name CheckExeSignatures
ADMX File Name inetres.admx

ConfigureEdgeRedirectChannel

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20348] and later
✅ Windows 10, version 1903 [10.0.18362.1350] and later
✅ Windows 10, version 2004 with KB4598291 [10.0.19041.789] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/ConfigureEdgeRedirectChannel
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ConfigureEdgeRedirectChannel

Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen versions aren't installed on the device, that preference will be bypassed.

If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur:

  • If you disable or don't configure this policy, Microsoft Edge Stable channel is used. This is the default behavior.

  • If you enable this policy, you can configure redirected sites to open in up to three of the following channels where:

1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Microsoft Edge Dev version 77 or later 4 = Microsoft Edge Canary version 77 or later.

If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel aren't installed, the following behaviors occur:

  • If you disable or don't configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior.

  • If you enable this policy, you can configure redirected sites to open in up to three of the following channels where:

0 = Microsoft Edge version 45 or earlier 1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Microsoft Edge Dev version 77 or later 4 = Microsoft Edge Canary version 77 or later.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name NeedEdgeBrowser
Friendly Name Configure which channel of Microsoft Edge to use for opening redirected sites
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode
ADMX File Name inetres.admx

Example:

 <policy name="NeedEdgeBrowser" class="Both" displayName="$(string.NeedEdgeBrowser)" explainText="$(string.IE_ExplainNeedEdgeBrowser)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" presentation="$(presentation.NeedEdgeBrowser)">

      <parentCategory ref="InternetExplorer" />

      <supportedOn ref="SUPPORTED_IE11" />

      <elements>

        <enum id="NeedEdgeBrowser" valueName="NeedEdgeBrowser">

          <item displayName="$(string.NeedEdgeBrowserChoice_None)">

            <value>

              <delete />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumStable)">

            <value>

              <decimal value="1" />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumBeta)">

            <value>

              <decimal value="2" />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumDev)">

            <value>

              <decimal value="3" />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumCanary)">

            <value>

              <decimal value="4" />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_EdgeHTML)">

            <value>

              <decimal value="0" />

            </value>

          </item>

        </enum>

        <enum id="NeedEdgeBrowser2" valueName="NeedEdgeBrowser2">

          <item displayName="$(string.NeedEdgeBrowserChoice_None)">

            <value>

              <delete />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumStable)">

            <value>

              <decimal value="1" />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumBeta)">

            <value>

              <decimal value="2" />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumDev)">

            <value>

              <decimal value="3" />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumCanary)">

            <value>

              <decimal value="4" />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_EdgeHTML)">

            <value>

              <decimal value="0" />

            </value>

          </item>

        </enum>

        <enum id="NeedEdgeBrowser3" valueName="NeedEdgeBrowser3">

          <item displayName="$(string.NeedEdgeBrowserChoice_None)">

            <value>

              <delete />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumStable)">

            <value>

              <decimal value="1" />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumBeta)">

            <value>

              <decimal value="2" />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumDev)">

            <value>

              <decimal value="3" />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumCanary)">

            <value>

              <decimal value="4" />

            </value>

          </item>

          <item displayName="$(string.NeedEdgeBrowserChoice_EdgeHTML)">

            <value>

              <decimal value="0" />

            </value>

          </item>

        </enum>

      </elements>

    </policy>

ConsistentMimeHandlingInternetExplorerProcesses

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses

Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server.

This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension.

  • If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files.

  • If you disable this policy setting, Internet Explorer won't require consistent MIME data for all received files.

  • If you don't configure this policy setting, Internet Explorer requires consistent MIME data for all received files.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IESF_PolicyExplorerProcesses_5
Friendly Name Internet Explorer Processes
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Security Features > Consistent Mime Handling
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
ADMX File Name inetres.admx

DisableActiveXVersionListAutoDownload

Scope Editions Applicable OS
❌ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableActiveXVersionListAutoDownload

This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.

  • If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.

  • If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML.

For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name VersionListAutomaticDownloadDisable
Friendly Name Turn off automatic download of the ActiveX VersionList
Location User Configuration
Path Windows Components > Internet Explorer > Security Features > Add-on Management
Registry Key Name Software\Microsoft\Internet Explorer\VersionManager
Registry Value Name DownloadVersionList
ADMX File Name inetres.admx

DisableBypassOfSmartScreenWarnings

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableBypassOfSmartScreenWarnings
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableBypassOfSmartScreenWarnings

This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious.

  • If you enable this policy setting, SmartScreen Filter warnings block the user.

  • If you disable or don't configure this policy setting, the user can bypass SmartScreen Filter warnings.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DisableSafetyFilterOverride
Friendly Name Prevent bypassing SmartScreen Filter warnings
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\PhishingFilter
Registry Value Name PreventOverride
ADMX File Name inetres.admx

DisableBypassOfSmartScreenWarningsAboutUncommonFiles

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles

This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users don't commonly download from the Internet.

  • If you enable this policy setting, SmartScreen Filter warnings block the user.

  • If you disable or don't configure this policy setting, the user can bypass SmartScreen Filter warnings.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DisableSafetyFilterOverrideForAppRepUnknown
Friendly Name Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\PhishingFilter
Registry Value Name PreventOverrideAppRepUnknown
ADMX File Name inetres.admx

DisableCompatView

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCompatView
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCompatView

This policy setting controls the Compatibility View feature, which allows the user to fix website display problems that he or she may encounter while browsing.

  • If you enable this policy setting, the user can't use the Compatibility View button or manage the Compatibility View sites list.

  • If you disable or don't configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name CompatView_DisableList
Friendly Name Turn off Compatibility View
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Compatibility View
Registry Key Name Software\Policies\Microsoft\Internet Explorer\BrowserEmulation
Registry Value Name DisableSiteListEditing
ADMX File Name inetres.admx

DisableConfiguringHistory

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableConfiguringHistory
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableConfiguringHistory

This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, from the Menu bar, on the Tools menu, click Internet Options, click the General tab, and then click Settings under Browsing history.

  • If you enable this policy setting, a user can't set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can't delete browsing history.

  • If you disable or don't configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name RestrictHistory
Friendly Name Disable "Configuring History"
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Delete Browsing History
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Control Panel
Registry Value Name History
ADMX File Name inetres.admx

DisableCrashDetection

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCrashDetection
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCrashDetection

This policy setting allows you to manage the crash detection feature of add-on Management.

  • If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply.

  • If you disable or don't configure this policy setting, the crash detection feature for add-on management will be functional.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name AddonManagement_RestrictCrashDetection
Friendly Name Turn off Crash Detection
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Restrictions
Registry Value Name NoCrashDetection
ADMX File Name inetres.admx

DisableCustomerExperienceImprovementProgramParticipation

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation

This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).

  • If you enable this policy setting, the user can't participate in the CEIP, and the Customer Feedback Options command doesn't appear on the Help menu.

  • If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command doesn't appear on the Help menu.

  • If you don't configure this policy setting, the user can choose to participate in the CEIP.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name SQM_DisableCEIP
Friendly Name Prevent participation in the Customer Experience Improvement Program
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\SQM
Registry Value Name DisableCustomerImprovementProgram
ADMX File Name inetres.admx

DisableDeletingUserVisitedWebsites

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableDeletingUserVisitedWebsites
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableDeletingUserVisitedWebsites

This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in the Delete Browsing History dialog box.

  • If you enable this policy setting, websites that the user has visited are preserved when he or she clicks Delete.

  • If you disable this policy setting, websites that the user has visited are deleted when he or she clicks Delete.

  • If you don't configure this policy setting, the user can choose whether to delete or preserve visited websites when he or she clicks Delete.

If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DBHDisableDeleteHistory
Friendly Name Prevent deleting websites that the user has visited
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Delete Browsing History
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Privacy
Registry Value Name CleanHistory
ADMX File Name inetres.admx

DisableEnclosureDownloading

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableEnclosureDownloading
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableEnclosureDownloading

This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.

  • If you enable this policy setting, the user can't set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can't change the download setting through the Feed APIs.

  • If you disable or don't configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Disable_Downloading_of_Enclosures
Friendly Name Prevent downloading of enclosures
Location Computer and User Configuration
Path Windows Components > RSS Feeds
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Feeds
Registry Value Name DisableEnclosureDownload
ADMX File Name inetres.admx

DisableEncryptionSupport

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableEncryptionSupport
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableEncryptionSupport

This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other's list of supported protocols and versions, and they select the most preferred match.

  • If you enable this policy setting, the browser negotiates or doesn't negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.

  • If you disable or don't configure this policy setting, the user can select which encryption method the browser supports.

Note

SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Advanced_SetWinInetProtocols
Friendly Name Turn off encryption support
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
ADMX File Name inetres.admx

DisableFeedsBackgroundSync

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFeedsBackgroundSync
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFeedsBackgroundSync

This policy setting controls whether to have background synchronization for feeds and Web Slices.

  • If you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off.

  • If you disable or don't configure this policy setting, the user can synchronize feeds and Web Slices in the background.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Disable_Background_Syncing
Friendly Name Turn off background synchronization for feeds and Web Slices
Location Computer and User Configuration
Path Windows Components > RSS Feeds
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Feeds
Registry Value Name BackgroundSyncStatus
ADMX File Name inetres.admx

DisableFirstRunWizard

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFirstRunWizard
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFirstRunWizard

This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

  • If you enable this policy setting, you must make one of the following choices:

  • Skip the First Run wizard, and go directly to the user's home page.

  • Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.

Starting with Windows 8, the "Welcome to Internet Explorer" webpage isn't available. The user's home page will display regardless of which option is chosen.

  • If you disable or don't configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name NoFirstRunCustomise
Friendly Name Prevent running First Run wizard
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main
ADMX File Name inetres.admx

DisableFlipAheadFeature

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFlipAheadFeature
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFlipAheadFeature

This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.

  • If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.

  • If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

  • If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Advanced_DisableFlipAhead
Friendly Name Turn off the flip ahead with page prediction feature
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
Registry Key Name Software\Policies\Microsoft\Internet Explorer\FlipAhead
Registry Value Name Enabled
ADMX File Name inetres.admx

DisableGeolocation

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableGeolocation
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableGeolocation

This policy setting allows you to disable browser geolocation support. This will prevent websites from requesting location data about the user.

  • If you enable this policy setting, browser geolocation support is turned off.

  • If you disable this policy setting, browser geolocation support is turned on.

  • If you don't configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name GeolocationDisable
Friendly Name Turn off browser geolocation
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Geolocation
Registry Value Name PolicyDisableGeolocation
ADMX File Name inetres.admx

DisableHomePageChange

Scope Editions Applicable OS
❌ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHomePageChange

The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it's run.

  • If you enable this policy setting, a user can't set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.

  • If you disable or don't configure this policy setting, the Home page box is enabled and users can choose their own home page.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name RestrictHomePage
Friendly Name Disable changing home page settings
Location User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Control Panel
Registry Value Name HomePage
ADMX File Name inetres.admx

DisableHTMLApplication

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20348.1060] and later
✅ Windows 10, version 1809 [10.0.17763.3460] and later
✅ Windows 10, version 2004 [10.0.19041.2060] and later
✅ Windows 11, version 21H2 [10.0.22000.1030] and later
✅ Windows 11, version 22H2 [10.0.22621] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHTMLApplication
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHTMLApplication

This policy setting specifies if running the HTML Application (HTA file) is blocked or allowed.

  • If you enable this policy setting, running the HTML Application (HTA file) will be blocked.

  • If you disable or don't configure this policy setting, running the HTML Application (HTA file) is allowed.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DisableHTMLApplication
Friendly Name Disable HTML Application
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Hta
Registry Value Name DisableHTMLApplication
ADMX File Name inetres.admx

DisableIgnoringCertificateErrors

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableIgnoringCertificateErrors
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableIgnoringCertificateErrors

This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer.

  • If you enable this policy setting, the user can't continue browsing.

  • If you disable or don't configure this policy setting, the user can choose to ignore certificate errors and continue browsing.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name NoCertError
Friendly Name Prevent ignoring certificate errors
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Registry Value Name PreventIgnoreCertErrors
ADMX File Name inetres.admx

DisableInPrivateBrowsing

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInPrivateBrowsing
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInPrivateBrowsing

This policy setting allows you to turn off the InPrivate Browsing feature.

InPrivate Browsing prevents Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other data.

  • If you enable this policy setting, InPrivate Browsing is turned off.

  • If you disable this policy setting, InPrivate Browsing is available for use.

  • If you don't configure this policy setting, InPrivate Browsing can be turned on or off through the registry.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DisableInPrivateBrowsing
Friendly Name Turn off InPrivate Browsing
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Privacy
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Privacy
Registry Value Name EnableInPrivateBrowsing
ADMX File Name inetres.admx

DisableInternetExplorerApp

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20348] and later
✅ Windows 10, version 1903 [10.0.18362.1350] and later
✅ Windows 10, version 2004 with KB4598291 [10.0.19041.789] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp

This policy lets you restrict launching of Internet Explorer as a standalone browser.

If you enable this policy, it:

  • Prevents Internet Explorer 11 from launching as a standalone browser.

  • Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'.

  • Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser.

  • Overrides any other policies that redirect to Internet Explorer 11.

If you disable, or don't configure this policy, all sites are opened using the current active browser settings.

Note

Microsoft Edge Stable Channel must be installed for this policy to take effect.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DisableInternetExplorerApp
Friendly Name Disable Internet Explorer 11 as a standalone browser
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main
ADMX File Name inetres.admx

Example:

 <policy name="DisableInternetExplorerApp" class="Both" displayName="$(string.DisableInternetExplorerApp)" explainText="$(string.IE_ExplainDisableInternetExplorerApp)" key="Software\Policies\Microsoft\Internet Explorer\Main" valueName="DisableInternetExplorerApp">

      <parentCategory ref="InternetExplorer" />

      <supportedOn ref="SUPPORTED_IE11" />

      <enabledValue>

        <decimal value="1" />

      </enabledValue>

      <disabledValue>

        <decimal value="0" />

      </disabledValue>

    </policy>

DisableProcessesInEnhancedProtectedMode

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableProcessesInEnhancedProtectedMode
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableProcessesInEnhancedProtectedMode

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Advanced_EnableEnhancedProtectedMode64Bit
Friendly Name Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main
Registry Value Name Isolation64Bit
ADMX File Name inetres.admx

DisableProxyChange

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableProxyChange
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableProxyChange

This policy setting specifies if a user can change proxy settings.

  • If you enable this policy setting, the user won't be able to configure proxy settings.

  • If you disable or don't configure this policy setting, the user can configure proxy settings.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name RestrictProxy
Friendly Name Prevent changing proxy settings
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Control Panel
Registry Value Name Proxy
ADMX File Name inetres.admx

DisableSearchProviderChange

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSearchProviderChange
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSearchProviderChange

This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.

  • If you enable this policy setting, the user can't change the default search provider.

  • If you disable or don't configure this policy setting, the user can change the default search provider.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name NoSearchProvider
Friendly Name Prevent changing the default search provider
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
Registry Value Name NoChangeDefaultSearchProvider
ADMX File Name inetres.admx

DisableSecondaryHomePageChange

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecondaryHomePageChange
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecondaryHomePageChange

Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.

  • If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user can't set custom default secondary home pages.

  • If you disable or don't configure this policy setting, the user can add secondary home pages.

Note

If the "Disable Changing Home Page Settings" policy is enabled, the user can't add secondary home pages.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name SecondaryHomePages
Friendly Name Disable changing secondary home page settings
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\SecondaryStartPages
ADMX File Name inetres.admx

DisableSecuritySettingsCheck

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecuritySettingsCheck
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecuritySettingsCheck

This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk.

  • If you enable this policy setting, the feature is turned off.

  • If you disable or don't configure this policy setting, the feature is turned on.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Disable_Security_Settings_Check
Friendly Name Turn off the Security Settings Check feature
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Security
Registry Value Name DisableSecuritySettingsCheck
ADMX File Name inetres.admx

DisableUpdateCheck

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableUpdateCheck

Prevents Internet Explorer from checking whether a new version of the browser is available.

  • If you enable this policy, it prevents Internet Explorer from checking to see whether it's the latest available browser version and notifying users if a new version is available.

  • If you disable this policy or don't configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available.

This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name NoUpdateCheck
Friendly Name Disable Periodic Check for Internet Explorer software updates
Location Computer Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
Registry Value Name NoUpdateCheck
ADMX File Name inetres.admx

DisableWebAddressAutoComplete

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableWebAddressAutoComplete
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableWebAddressAutoComplete

This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar.

  • If you enable this policy setting, user won't be suggested matches when entering Web addresses. The user can't change the auto-complete for web-address setting.

  • If you disable this policy setting, user will be suggested matches when entering Web addresses. The user can't change the auto-complete for web-address setting.

  • If you don't configure this policy setting, a user will have the freedom to choose to turn the auto-complete setting for web-addresses on or off.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name RestrictWebAddressSuggest
Friendly Name Turn off the auto-complete feature for web addresses
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
Registry Value Name AutoSuggest
ADMX File Name inetres.admx

DoNotAllowActiveXControlsInProtectedMode

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotAllowActiveXControlsInProtectedMode
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotAllowActiveXControlsInProtectedMode

This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that isn't compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode.

Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that isn't compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website.

  • If you enable this policy setting, Internet Explorer won't give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode.

  • If you disable or don't configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Advanced_DisableEPMCompat
Friendly Name Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main
Registry Value Name DisableEPMCompat
ADMX File Name inetres.admx

DoNotAllowUsersToAddSites

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotAllowUsersToAddSites

Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.

  • If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button).

  • If you disable this policy or don't configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone.

This policy prevents users from changing site management settings for security zones established by the administrator.

Note

The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it's enabled, this policy is ignored.

Also, see the "Security zones: Use only machine settings" policy.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Security_zones_map_edit
Friendly Name Security Zones: Do not allow users to add/delete sites
Location Computer Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Registry Value Name Security_zones_map_edit
ADMX File Name inetres.admx

DoNotAllowUsersToChangePolicies

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotAllowUsersToChangePolicies

Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.

  • If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.

  • If you disable this policy or don't configure it, users can change the settings for security zones.

This policy prevents users from changing security zone settings established by the administrator.

Note

The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it's enabled, this policy is ignored.

Also, see the "Security zones: Use only machine settings" policy.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Security_options_edit
Friendly Name Security Zones: Do not allow users to change policies
Location Computer Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Registry Value Name Security_options_edit
ADMX File Name inetres.admx

DoNotBlockOutdatedActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotBlockOutdatedActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotBlockOutdatedActiveXControls

This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

  • If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.

  • If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.

For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name VerMgmtDisable
Friendly Name Turn off blocking of outdated ActiveX controls for Internet Explorer
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Security Features > Add-on Management
Registry Key Name Software\Microsoft\Windows\CurrentVersion\Policies\Ext
Registry Value Name VersionCheckEnabled
ADMX File Name inetres.admx

DoNotBlockOutdatedActiveXControlsOnSpecificDomains

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains

This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

  • If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
  1. "domain.name. TLD". For example, if you want to include .contoso.com/, use "contoso.com"

  2. "hostname". For example, if you want to include https://example, use "example".

  3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm".

  • If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.

For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name VerMgmtDomainAllowlist
Friendly Name Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Security Features > Add-on Management
Registry Key Name Software\Microsoft\Windows\CurrentVersion\Policies\Ext
Registry Value Name ListBox_DomainAllowlist
ADMX File Name inetres.admx

EnableExtendedIEModeHotkeys

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20348.143] and later
✅ Windows 10, version 1903 [10.0.18362.1474] and later
✅ Windows 10, version 2004 with KB5000842 [10.0.19041.906] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/EnableExtendedIEModeHotkeys
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/EnableExtendedIEModeHotkeys

This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys, such as "Ctrl+S" to have "Save as" functionality.

If you enable this policy, extended hotkey functionality is enabled in Internet Explorer mode and work the same as Internet Explorer.

If you disable, or don't configure this policy, extended hotkeys won't work in Internet Explorer mode.

For more information, see https://go.microsoft.com/fwlink/?linkid=2102115

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name EnableExtendedIEModeHotkeys
Friendly Name Enable extended hot keys in Internet Explorer mode
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode
Registry Value Name EnableExtendedIEModeHotkeys
ADMX File Name inetres.admx

EnableGlobalWindowListInIEMode

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20348.558] and later
✅ Windows 10, version 2004 [10.0.19041.1566] and later
✅ Windows 11, version 21H2 with KB5010414 [10.0.22000.527] and later
✅ Windows 11, version 22H2 [10.0.22621] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/EnableGlobalWindowListInIEMode
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/EnableGlobalWindowListInIEMode

This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications.

The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser.

  • If you enable this policy, Internet Explorer mode will use the global window list.

  • If you disable or don't configure this policy, Internet Explorer mode will continue to maintain a separate window list.

To learn more about Internet Explorer mode, see https://go.microsoft.com/fwlink/?linkid=2102921 To learn more about disabling Internet Explorer 11 as a standalone browser, see https://go.microsoft.com/fwlink/?linkid=2168340

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name EnableGlobalWindowListInIEMode
Friendly Name Enable global window list in Internet Explorer mode
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode
Registry Value Name EnableGlobalWindowListInIEMode
ADMX File Name inetres.admx

IncludeAllLocalSites

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IncludeAllLocalSites
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IncludeAllLocalSites

This policy setting controls whether local sites which aren't explicitly mapped into any Security Zone are forced into the local Intranet security zone.

  • If you enable this policy setting, local sites which aren't explicitly mapped into a zone are considered to be in the Intranet Zone.

  • If you disable this policy setting, local sites which aren't explicitly mapped into a zone won't be considered to be in the Intranet Zone (so would typically be in the Internet Zone).

  • If you don't configure this policy setting, users choose whether to force local sites into the Intranet Zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_IncludeUnspecifiedLocalSites
Friendly Name Intranet Sites: Include all local (intranet) sites not listed in other zones
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Registry Value Name IntranetName
ADMX File Name inetres.admx

IncludeAllNetworkPaths

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IncludeAllNetworkPaths
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IncludeAllNetworkPaths

This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.

  • If you enable this policy setting, all network paths are mapped into the Intranet Zone.

  • If you disable this policy setting, network paths aren't necessarily mapped into the Intranet Zone (other rules might map one there).

  • If you don't configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_UNCAsIntranet
Friendly Name Intranet Sites: Include all network paths (UNCs)
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Registry Value Name UNCAsIntranet
ADMX File Name inetres.admx

InternetZoneAllowAccessToDataSources

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAccessToDataSources
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you disable this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you don't configure this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAccessDataSourcesAcrossDomains_1
Friendly Name Access data sources across domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowAutomaticPromptingForActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

  • If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

  • If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

  • If you don't configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarActiveXURLaction_1
Friendly Name Automatic prompting for ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowAutomaticPromptingForFileDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or don't configure this setting, file downloads that aren't user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarDownloadURLaction_1
Friendly Name Automatic prompting for file downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowCopyPasteViaScript

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowCopyPasteViaScript
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowCopyPasteViaScript

This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.

  • If you enable this policy setting, a script can perform a clipboard operation.

If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.

  • If you disable this policy setting, a script can't perform a clipboard operation.

  • If you don't configure this policy setting, a script can perform a clipboard operation.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAllowPasteViaScript_1
Friendly Name Allow cut, copy or paste operations from the clipboard via script
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowDragAndDropCopyAndPasteFiles

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles

This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.

  • If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.

  • If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.

  • If you don't configure this policy setting, users can drag files or copy and paste files from this zone automatically.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyDropOrPasteFiles_1
Friendly Name Allow drag and drop or copy and paste files
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowFontDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowFontDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

  • If you enable this policy setting, HTML fonts can be downloaded automatically.

  • If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

  • If you disable this policy setting, HTML fonts are prevented from downloading.

  • If you don't configure this policy setting, HTML fonts can be downloaded automatically.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyFontDownload_1
Friendly Name Allow font downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowLessPrivilegedSites

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowLessPrivilegedSites
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

  • If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that's provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

  • If you don't configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyZoneElevationURLaction_1
Friendly Name Web sites in less privileged Web content zones can navigate into this zone
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowLoadingOfXAMLFiles

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles

This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.

  • If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user can't change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.

  • If you disable this policy setting, XAML files aren't loaded inside Internet Explorer. The user can't change this behavior.

  • If you don't configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_XAML_1
Friendly Name Allow loading of XAML files
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowNETFrameworkReliantComponents

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable this policy setting, Internet Explorer won't execute unsigned managed components.

  • If you don't configure this policy setting, Internet Explorer will execute unsigned managed components.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUnsignedFrameworkComponentsURLaction_1
Friendly Name Run .NET Framework-reliant components not signed with Authenticode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls

This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.

  • If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites.

  • If you disable this policy setting, the user doesn't see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet
Friendly Name Allow only approved domains to use ActiveX controls without prompt
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl

This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.

  • If you enable this policy setting, the TDC ActiveX control won't run from websites in this zone.

  • If you disable this policy setting, the TDC Active X control will run from all sites in this zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAllowTDCControl_Both_Internet
Friendly Name Allow only approved domains to use the TDC ActiveX control
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls

This policy setting determines whether a page can control embedded WebBrowser controls via script.

  • If you enable this policy setting, script access to the WebBrowser control is allowed.

  • If you disable this policy setting, script access to the WebBrowser control isn't allowed.

  • If you don't configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_WebBrowserControl_1
Friendly Name Allow scripting of Internet Explorer WebBrowser controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowScriptInitiatedWindows

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptInitiatedWindows
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptInitiatedWindows

This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.

  • If you enable this policy setting, Windows Restrictions security won't apply in this zone. The security zone runs without the added layer of security provided by this feature.

  • If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars can't be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

  • If you don't configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars can't be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyWindowsRestrictionsURLaction_1
Friendly Name Allow script-initiated windows without size or position constraints
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowScriptlets

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptlets
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user can't run scriptlets.

  • If you don't configure this policy setting, the user can enable or disable scriptlets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_AllowScriptlets_1
Friendly Name Allow scriptlets
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowSmartScreenIE

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowSmartScreenIE
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter doesn't scan pages in this zone for malicious content.

  • If you don't configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_Phishing_1
Friendly Name Turn on SmartScreen Filter scan
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowUpdatesToStatusBarViaScript

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript

This policy setting allows you to manage whether script is allowed to update the status bar within the zone.

  • If you enable this policy setting, script is allowed to update the status bar.

  • If you disable or don't configure this policy setting, script isn't allowed to update the status bar.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_ScriptStatusBar_1
Friendly Name Allow updates to status bar via script
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowUserDataPersistence

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowUserDataPersistence
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you don't configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUserdataPersistence_1
Friendly Name Userdata persistence
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneAllowVBScriptToRunInInternetExplorer

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer

This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.

If you selected Enable in the drop-down box, VBScript can run without user intervention.

If you selected Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run.

If you selected Disable in the drop-down box, VBScript is prevented from running.

If you don't configure or disable this policy setting, VBScript is prevented from running.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAllowVBScript_1
Friendly Name Allow VBScript to run in Internet Explorer
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneDoNotRunAntimalwareAgainstActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls

This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

  • If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

  • If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

  • If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAntiMalwareCheckingOfActiveXControls_1
Friendly Name Don't run antimalware programs against ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneDownloadSignedActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDownloadSignedActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDownloadSignedActiveXControls

This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.

  • If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.

  • If you disable the policy setting, signed controls can't be downloaded.

  • If you don't configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyDownloadSignedActiveX_1
Friendly Name Download signed ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneDownloadUnsignedActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDownloadUnsignedActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDownloadUnsignedActiveXControls

This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.

  • If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.

  • If you disable this policy setting, users can't run unsigned controls.

  • If you don't configure this policy setting, users can't run unsigned controls.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyDownloadUnsignedActiveX_1
Friendly Name Download unsigned ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneEnableCrossSiteScriptingFilter

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter

This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.

  • If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.

  • If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyTurnOnXSSFilter_Both_Internet
Friendly Name Turn on Cross-Site Scripting Filter
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows

This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.

If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users can't change this setting.

If you enable this policy setting and click Disable, users can't drag content from one domain to a different domain when both the source and destination are in different windows. Users can't change this setting.

In Internet Explorer 10, if you disable this policy setting or don't configure it, users can't drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.

In Internet Explorer 9 and earlier versions, if you disable this policy or don't configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users can't change this setting.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet
Friendly Name Enable dragging of content from different domains across windows
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows

This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.

If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users can't change this setting.

If you enable this policy setting and click Disable, users can't drag content from one domain to a different domain when the source and destination are in the same window. Users can't change this setting in the Internet Options dialog.

In Internet Explorer 10, if you disable this policy setting or don't configure it, users can't drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.

In Internet Explorer 9 and earlier versions, if you disable this policy setting or don't configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users can't change this setting in the Internet Options dialog.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet
Friendly Name Enable dragging of content from different domains within a window
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneEnableMIMESniffing

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableMIMESniffing
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableMIMESniffing

This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.

  • If you enable this policy setting, the MIME Sniffing Safety Feature won't apply in this zone. The security zone will run without the added layer of security provided by this feature.

  • If you disable this policy setting, the actions that may be harmful can't run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.

  • If you don't configure this policy setting, the MIME Sniffing Safety Feature won't apply in this zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyMimeSniffingURLaction_1
Friendly Name Enable MIME Sniffing
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneEnableProtectedMode

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableProtectedMode
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableProtectedMode

This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.

  • If you enable this policy setting, Protected Mode is turned on. The user can't turn off Protected Mode.

  • If you disable this policy setting, Protected Mode is turned off. The user can't turn on Protected Mode.

  • If you don't configure this policy setting, the user can turn on or turn off Protected Mode.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_TurnOnProtectedMode_1
Friendly Name Turn on Protected Mode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneIncludeLocalPathWhenUploadingFilesToServer

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer

This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.

  • If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form.

  • If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.

  • If you don't configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_LocalPathForUpload_1
Friendly Name Include local path when user is uploading files to a server
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneInitializeAndScriptActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneInitializeAndScriptActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting isn't recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

  • If you don't configure this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyScriptActiveXNotMarkedSafe_1
Friendly Name Initialize and script ActiveX controls not marked as safe
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneJavaPermissions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneJavaPermissions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneJavaPermissions

This policy setting allows you to manage permissions for Java applets.

  • If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.

Low Safety enables applets to perform all operations.

Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program can't make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.

  • If you disable this policy setting, Java applets can't run.

  • If you don't configure this policy setting, the permission is set to High Safety.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyJavaPermissions_1
Friendly Name Java permissions
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneLaunchingApplicationsAndFilesInIFRAME

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME

This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.

  • If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

  • If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.

  • If you don't configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyLaunchAppsAndFilesInIFRAME_1
Friendly Name Launching applications and files in an IFRAME
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneLogonOptions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneLogonOptions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneLogonOptions

This policy setting allows you to manage settings for logon options.

  • If you enable this policy setting, you can choose from the following logon options.

Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.

Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.

  • If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.

  • If you don't configure this policy setting, logon is set to Automatic logon only in Intranet zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyLogon_1
Friendly Name Logon options
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneNavigateWindowsAndFrames

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneNavigateWindowsAndFrames
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

  • If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

  • If you disable this policy setting, users can't open windows and frames to access applications from different domains.

  • If you don't configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNavigateSubframesAcrossDomains_1
Friendly Name Navigate windows and frames across different domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode

This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.

  • If you disable this policy setting, Internet Explorer won't execute signed managed components.

  • If you don't configure this policy setting, Internet Explorer will execute signed managed components.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicySignedFrameworkComponentsURLaction_1
Friendly Name Run .NET Framework-reliant components signed with Authenticode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles

This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).

  • If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open.

  • If you disable this policy setting, these files don't open.

  • If you don't configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_UnsafeFiles_1
Friendly Name Show security warning for potentially unsafe files
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

InternetZoneUsePopupBlocker

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneUsePopupBlocker
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneUsePopupBlocker

This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link aren't blocked.

  • If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.

  • If you disable this policy setting, pop-up windows aren't prevented from appearing.

  • If you don't configure this policy setting, most unwanted pop-up windows are prevented from appearing.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyBlockPopupWindows_1
Friendly Name Use Pop-up Blocker
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ADMX File Name inetres.admx

IntranetZoneAllowAccessToDataSources

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAccessToDataSources
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you disable this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you don't configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAccessDataSourcesAcrossDomains_3
Friendly Name Access data sources across domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

IntranetZoneAllowAutomaticPromptingForActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

  • If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

  • If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

  • If you don't configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarActiveXURLaction_3
Friendly Name Automatic prompting for ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

IntranetZoneAllowAutomaticPromptingForFileDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or don't configure this setting, users will receive a file download dialog for automatic download attempts.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarDownloadURLaction_3
Friendly Name Automatic prompting for file downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

IntranetZoneAllowFontDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowFontDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

  • If you enable this policy setting, HTML fonts can be downloaded automatically.

  • If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

  • If you disable this policy setting, HTML fonts are prevented from downloading.

  • If you don't configure this policy setting, HTML fonts can be downloaded automatically.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyFontDownload_3
Friendly Name Allow font downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

IntranetZoneAllowLessPrivilegedSites

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowLessPrivilegedSites
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

  • If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that's provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

  • If you don't configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyZoneElevationURLaction_3
Friendly Name Web sites in less privileged Web content zones can navigate into this zone
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

IntranetZoneAllowNETFrameworkReliantComponents

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable this policy setting, Internet Explorer won't execute unsigned managed components.

  • If you don't configure this policy setting, Internet Explorer will execute unsigned managed components.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUnsignedFrameworkComponentsURLaction_3
Friendly Name Run .NET Framework-reliant components not signed with Authenticode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

IntranetZoneAllowScriptlets

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowScriptlets
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user can't run scriptlets.

  • If you don't configure this policy setting, the user can enable or disable scriptlets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_AllowScriptlets_3
Friendly Name Allow scriptlets
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

IntranetZoneAllowSmartScreenIE

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowSmartScreenIE
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter doesn't scan pages in this zone for malicious content.

  • If you don't configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_Phishing_3
Friendly Name Turn on SmartScreen Filter scan
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

IntranetZoneAllowUserDataPersistence

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowUserDataPersistence
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you don't configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUserdataPersistence_3
Friendly Name Userdata persistence
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

IntranetZoneDoNotRunAntimalwareAgainstActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls

This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

  • If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

  • If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

  • If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAntiMalwareCheckingOfActiveXControls_3
Friendly Name Don't run antimalware programs against ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

IntranetZoneInitializeAndScriptActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting isn't recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

  • If you don't configure this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyScriptActiveXNotMarkedSafe_3
Friendly Name Initialize and script ActiveX controls not marked as safe
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

IntranetZoneJavaPermissions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneJavaPermissions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneJavaPermissions

This policy setting allows you to manage permissions for Java applets.

  • If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.

Low Safety enables applets to perform all operations.

Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program can't make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.

  • If you disable this policy setting, Java applets can't run.

  • If you don't configure this policy setting, the permission is set to Medium Safety.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyJavaPermissions_3
Friendly Name Java permissions
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

IntranetZoneLogonOptions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20348.2227] and later
✅ [10.0.25398.643] and later
✅ [10.0.25965] and later
✅ Windows 10, version 2004 [10.0.19041.3758] and later
✅ Windows 11, version 22H2 with KB5032288 [10.0.22621.2792] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneLogonOptions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneLogonOptions

This policy setting allows you to manage settings for logon options.

  • If you enable this policy setting, you can choose from the following logon options.

Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.

Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.

  • If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.

  • If you don't configure this policy setting, logon is set to Automatic logon only in Intranet zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyLogon_3
Friendly Name Logon options
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

IntranetZoneNavigateWindowsAndFrames

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneNavigateWindowsAndFrames
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

  • If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

  • If you disable this policy setting, users can't open windows and frames to access applications from different domains.

  • If you don't configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNavigateSubframesAcrossDomains_3
Friendly Name Navigate windows and frames across different domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
ADMX File Name inetres.admx

JScriptReplacement

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/JScriptReplacement
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/JScriptReplacement

This policy setting specifies whether JScript or JScript9Legacy is loaded.

  • If you enable this policy setting or not configured, JScript9Legacy will be loaded in situations where JScript is instantiated.

  • If you disable this policy, then JScript will be utilized.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name JScriptReplacement
Friendly Name Replace JScript by loading JScript9Legacy in place of JScript.
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main
Registry Value Name JScriptReplacement
ADMX File Name inetres.admx

KeepIntranetSitesInInternetExplorer

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20348] and later
✅ Windows 10, version 1903 [10.0.18362.1350] and later
✅ Windows 10, version 2004 with KB4598291 [10.0.19041.789] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/KeepIntranetSitesInInternetExplorer
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/KeepIntranetSitesInInternetExplorer

Prevents intranet sites from being opened in any browser except Internet Explorer. But note that If the 'Send all sites not included in the Enterprise Mode Site List to Microsoft Edge' ('RestrictIE') policy isn't enabled, this policy has no effect.

  • If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List.

  • If you disable or don't configure this policy, all intranet sites are automatically opened in Microsoft Edge.

We strongly recommend keeping this policy in sync with the 'Send all intranet sites to Internet Explorer' ('SendIntranetToInternetExplorer') policy. Additionally, it's best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge.

Related policies:

  • Send all intranet sites to Internet Explorer ('SendIntranetToInternetExplorer')
  • Send all sites not included in the Enterprise Mode Site List to Microsoft Edge ('RestrictIE')

For more info about how to use this policy together with other related policies to create the optimal configuration for your organization, see< https://go.microsoft.com/fwlink/?linkid=2094210>.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name KeepIntranetSitesInInternetExplorer
Friendly Name Keep all intranet sites in Internet Explorer
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode
Registry Value Name KeepIntranetSitesInInternetExplorer
ADMX File Name inetres.admx

Example:

 <policy name="KeepIntranetSitesInInternetExplorer" class="Both" displayName="$(string.KeepIntranetSitesInInternetExplorer)" explainText="$(string.IE_ExplainKeepIntranetSitesInInternetExplorer)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" valueName="KeepIntranetSitesInInternetExplorer">

      <parentCategory ref="InternetExplorer" />

      <supportedOn ref="SUPPORTED_IE11" />

      <enabledValue>

        <decimal value="1" />

      </enabledValue>

      <disabledValue>

        <decimal value="0" />

      </disabledValue>

    </policy>

LocalMachineZoneAllowAccessToDataSources

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAccessToDataSources
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you disable this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you don't configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAccessDataSourcesAcrossDomains_9
Friendly Name Access data sources across domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LocalMachineZoneAllowAutomaticPromptingForActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

  • If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

  • If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

  • If you don't configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarActiveXURLaction_9
Friendly Name Automatic prompting for ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LocalMachineZoneAllowAutomaticPromptingForFileDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or don't configure this setting, users will receive a file download dialog for automatic download attempts.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarDownloadURLaction_9
Friendly Name Automatic prompting for file downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LocalMachineZoneAllowFontDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowFontDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

  • If you enable this policy setting, HTML fonts can be downloaded automatically.

  • If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

  • If you disable this policy setting, HTML fonts are prevented from downloading.

  • If you don't configure this policy setting, HTML fonts can be downloaded automatically.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyFontDownload_9
Friendly Name Allow font downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LocalMachineZoneAllowLessPrivilegedSites

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

  • If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that's provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

  • If you don't configure this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyZoneElevationURLaction_9
Friendly Name Web sites in less privileged Web content zones can navigate into this zone
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LocalMachineZoneAllowNETFrameworkReliantComponents

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable this policy setting, Internet Explorer won't execute unsigned managed components.

  • If you don't configure this policy setting, Internet Explorer won't execute unsigned managed components.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUnsignedFrameworkComponentsURLaction_9
Friendly Name Run .NET Framework-reliant components not signed with Authenticode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LocalMachineZoneAllowScriptlets

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowScriptlets
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user can't run scriptlets.

  • If you don't configure this policy setting, the user can enable or disable scriptlets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_AllowScriptlets_9
Friendly Name Allow scriptlets
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LocalMachineZoneAllowSmartScreenIE

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowSmartScreenIE
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter doesn't scan pages in this zone for malicious content.

  • If you don't configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_Phishing_9
Friendly Name Turn on SmartScreen Filter scan
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LocalMachineZoneAllowUserDataPersistence

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowUserDataPersistence
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you don't configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUserdataPersistence_9
Friendly Name Userdata persistence
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls

This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

  • If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

  • If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

  • If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAntiMalwareCheckingOfActiveXControls_9
Friendly Name Don't run antimalware programs against ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LocalMachineZoneInitializeAndScriptActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting isn't recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

  • If you don't configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyScriptActiveXNotMarkedSafe_9
Friendly Name Initialize and script ActiveX controls not marked as safe
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LocalMachineZoneJavaPermissions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneJavaPermissions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneJavaPermissions

This policy setting allows you to manage permissions for Java applets.

  • If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.

Low Safety enables applets to perform all operations.

Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program can't make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.

  • If you disable this policy setting, Java applets can't run.

  • If you don't configure this policy setting, the permission is set to Medium Safety.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyJavaPermissions_9
Friendly Name Java permissions
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LocalMachineZoneLogonOptions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20348.2227] and later
✅ [10.0.25398.643] and later
✅ [10.0.25965] and later
✅ Windows 10, version 2004 [10.0.19041.3758] and later
✅ Windows 11, version 22H2 with KB5032288 [10.0.22621.2792] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneLogonOptions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneLogonOptions

This policy setting allows you to manage settings for logon options.

  • If you enable this policy setting, you can choose from the following logon options.

Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.

Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.

  • If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.

  • If you don't configure this policy setting, logon is set to Automatic logon with current username and password.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyLogon_9
Friendly Name Logon options
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LocalMachineZoneNavigateWindowsAndFrames

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

  • If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

  • If you disable this policy setting, users can't open windows and frames to access applications from different domains.

  • If you don't configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNavigateSubframesAcrossDomains_9
Friendly Name Navigate windows and frames across different domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
ADMX File Name inetres.admx

LockedDownInternetZoneAllowAccessToDataSources

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you disable this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you don't configure this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAccessDataSourcesAcrossDomains_2
Friendly Name Access data sources across domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
ADMX File Name inetres.admx

LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

  • If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

  • If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

  • If you don't configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarActiveXURLaction_2
Friendly Name Automatic prompting for ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
ADMX File Name inetres.admx

LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or don't configure this setting, file downloads that aren't user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarDownloadURLaction_2
Friendly Name Automatic prompting for file downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
ADMX File Name inetres.admx

LockedDownInternetZoneAllowFontDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowFontDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

  • If you enable this policy setting, HTML fonts can be downloaded automatically.

  • If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

  • If you disable this policy setting, HTML fonts are prevented from downloading.

  • If you don't configure this policy setting, HTML fonts can be downloaded automatically.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyFontDownload_2
Friendly Name Allow font downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
ADMX File Name inetres.admx

LockedDownInternetZoneAllowLessPrivilegedSites

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

  • If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that's provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

  • If you don't configure this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyZoneElevationURLaction_2
Friendly Name Web sites in less privileged Web content zones can navigate into this zone
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
ADMX File Name inetres.admx

LockedDownInternetZoneAllowNETFrameworkReliantComponents

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable this policy setting, Internet Explorer won't execute unsigned managed components.

  • If you don't configure this policy setting, Internet Explorer won't execute unsigned managed components.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUnsignedFrameworkComponentsURLaction_2
Friendly Name Run .NET Framework-reliant components not signed with Authenticode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
ADMX File Name inetres.admx

LockedDownInternetZoneAllowScriptlets

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowScriptlets
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user can't run scriptlets.

  • If you don't configure this policy setting, the user can enable or disable scriptlets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_AllowScriptlets_2
Friendly Name Allow scriptlets
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
ADMX File Name inetres.admx

LockedDownInternetZoneAllowSmartScreenIE

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter doesn't scan pages in this zone for malicious content.

  • If you don't configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_Phishing_2
Friendly Name Turn on SmartScreen Filter scan
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
ADMX File Name inetres.admx

LockedDownInternetZoneAllowUserDataPersistence

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you don't configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUserdataPersistence_2
Friendly Name Userdata persistence
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
ADMX File Name inetres.admx

LockedDownInternetZoneInitializeAndScriptActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting isn't recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

  • If you don't configure this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyScriptActiveXNotMarkedSafe_2
Friendly Name Initialize and script ActiveX controls not marked as safe
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
ADMX File Name inetres.admx

LockedDownInternetZoneJavaPermissions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneJavaPermissions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneJavaPermissions

This policy setting allows you to manage permissions for Java applets.

  • If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.

Low Safety enables applets to perform all operations.

Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program can't make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.

  • If you disable this policy setting, Java applets can't run.

  • If you don't configure this policy setting, Java applets are disabled.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyJavaPermissions_2
Friendly Name Java permissions
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
ADMX File Name inetres.admx

LockedDownInternetZoneNavigateWindowsAndFrames

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

  • If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

  • If you disable this policy setting, users can't open windows and frames to access applications from different domains.

  • If you don't configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNavigateSubframesAcrossDomains_2
Friendly Name Navigate windows and frames across different domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
ADMX File Name inetres.admx

LockedDownIntranetJavaPermissions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetJavaPermissions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetJavaPermissions

This policy setting allows you to manage permissions for Java applets.

  • If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.

Low Safety enables applets to perform all operations.

Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program can't make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.

  • If you disable this policy setting, Java applets can't run.

  • If you don't configure this policy setting, Java applets are disabled.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyJavaPermissions_4
Friendly Name Java permissions
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
ADMX File Name inetres.admx

LockedDownIntranetZoneAllowAccessToDataSources

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you disable this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you don't configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAccessDataSourcesAcrossDomains_4
Friendly Name Access data sources across domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
ADMX File Name inetres.admx

LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

  • If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

  • If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

  • If you don't configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarActiveXURLaction_4
Friendly Name Automatic prompting for ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
ADMX File Name inetres.admx

LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or don't configure this setting, file downloads that aren't user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarDownloadURLaction_4
Friendly Name Automatic prompting for file downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
ADMX File Name inetres.admx

LockedDownIntranetZoneAllowFontDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowFontDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

  • If you enable this policy setting, HTML fonts can be downloaded automatically.

  • If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

  • If you disable this policy setting, HTML fonts are prevented from downloading.

  • If you don't configure this policy setting, HTML fonts can be downloaded automatically.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyFontDownload_4
Friendly Name Allow font downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
ADMX File Name inetres.admx

LockedDownIntranetZoneAllowLessPrivilegedSites

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

  • If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that's provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

  • If you don't configure this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyZoneElevationURLaction_4
Friendly Name Web sites in less privileged Web content zones can navigate into this zone
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
ADMX File Name inetres.admx

LockedDownIntranetZoneAllowNETFrameworkReliantComponents

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable this policy setting, Internet Explorer won't execute unsigned managed components.

  • If you don't configure this policy setting, Internet Explorer won't execute unsigned managed components.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUnsignedFrameworkComponentsURLaction_4
Friendly Name Run .NET Framework-reliant components not signed with Authenticode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
ADMX File Name inetres.admx

LockedDownIntranetZoneAllowScriptlets

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowScriptlets
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user can't run scriptlets.

  • If you don't configure this policy setting, the user can enable or disable scriptlets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_AllowScriptlets_4
Friendly Name Allow scriptlets
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
ADMX File Name inetres.admx

LockedDownIntranetZoneAllowSmartScreenIE

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter doesn't scan pages in this zone for malicious content.

  • If you don't configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_Phishing_4
Friendly Name Turn on SmartScreen Filter scan
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
ADMX File Name inetres.admx

LockedDownIntranetZoneAllowUserDataPersistence

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you don't configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUserdataPersistence_4
Friendly Name Userdata persistence
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
ADMX File Name inetres.admx

LockedDownIntranetZoneInitializeAndScriptActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting isn't recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

  • If you don't configure this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyScriptActiveXNotMarkedSafe_4
Friendly Name Initialize and script ActiveX controls not marked as safe
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
ADMX File Name inetres.admx

LockedDownIntranetZoneNavigateWindowsAndFrames

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

  • If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

  • If you disable this policy setting, users can't open windows and frames to access applications from different domains.

  • If you don't configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNavigateSubframesAcrossDomains_4
Friendly Name Navigate windows and frames across different domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
ADMX File Name inetres.admx

LockedDownLocalMachineZoneAllowAccessToDataSources

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you disable this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you don't configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAccessDataSourcesAcrossDomains_10
Friendly Name Access data sources across domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
ADMX File Name inetres.admx

LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

  • If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

  • If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

  • If you don't configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarActiveXURLaction_10
Friendly Name Automatic prompting for ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
ADMX File Name inetres.admx

LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or don't configure this setting, file downloads that aren't user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarDownloadURLaction_10
Friendly Name Automatic prompting for file downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
ADMX File Name inetres.admx

LockedDownLocalMachineZoneAllowFontDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

  • If you enable this policy setting, HTML fonts can be downloaded automatically.

  • If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

  • If you disable this policy setting, HTML fonts are prevented from downloading.

  • If you don't configure this policy setting, HTML fonts can be downloaded automatically.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyFontDownload_10
Friendly Name Allow font downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
ADMX File Name inetres.admx

LockedDownLocalMachineZoneAllowLessPrivilegedSites

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

  • If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that's provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

  • If you don't configure this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyZoneElevationURLaction_10
Friendly Name Web sites in less privileged Web content zones can navigate into this zone
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
ADMX File Name inetres.admx

LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable this policy setting, Internet Explorer won't execute unsigned managed components.

  • If you don't configure this policy setting, Internet Explorer won't execute unsigned managed components.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUnsignedFrameworkComponentsURLaction_10
Friendly Name Run .NET Framework-reliant components not signed with Authenticode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
ADMX File Name inetres.admx

LockedDownLocalMachineZoneAllowScriptlets

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user can't run scriptlets.

  • If you don't configure this policy setting, the user can enable or disable scriptlets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_AllowScriptlets_10
Friendly Name Allow scriptlets
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
ADMX File Name inetres.admx

LockedDownLocalMachineZoneAllowSmartScreenIE

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter doesn't scan pages in this zone for malicious content.

  • If you don't configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_Phishing_10
Friendly Name Turn on SmartScreen Filter scan
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
ADMX File Name inetres.admx

LockedDownLocalMachineZoneAllowUserDataPersistence

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you don't configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUserdataPersistence_10
Friendly Name Userdata persistence
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
ADMX File Name inetres.admx

LockedDownLocalMachineZoneInitializeAndScriptActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting isn't recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

  • If you don't configure this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyScriptActiveXNotMarkedSafe_10
Friendly Name Initialize and script ActiveX controls not marked as safe
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
ADMX File Name inetres.admx

LockedDownLocalMachineZoneJavaPermissions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneJavaPermissions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneJavaPermissions

This policy setting allows you to manage permissions for Java applets.

  • If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.

Low Safety enables applets to perform all operations.

Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program can't make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.

  • If you disable this policy setting, Java applets can't run.

  • If you don't configure this policy setting, Java applets are disabled.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyJavaPermissions_10
Friendly Name Java permissions
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
ADMX File Name inetres.admx

LockedDownLocalMachineZoneNavigateWindowsAndFrames

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

  • If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

  • If you disable this policy setting, users can't open windows and frames to access applications from different domains.

  • If you don't configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNavigateSubframesAcrossDomains_10
Friendly Name Navigate windows and frames across different domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
ADMX File Name inetres.admx

LockedDownRestrictedSitesZoneAllowAccessToDataSources

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you disable this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you don't configure this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAccessDataSourcesAcrossDomains_8
Friendly Name Access data sources across domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
ADMX File Name inetres.admx

LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

  • If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

  • If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

  • If you don't configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarActiveXURLaction_8
Friendly Name Automatic prompting for ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
ADMX File Name inetres.admx

LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or don't configure this setting, file downloads that aren't user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarDownloadURLaction_8
Friendly Name Automatic prompting for file downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
ADMX File Name inetres.admx

LockedDownRestrictedSitesZoneAllowFontDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

  • If you enable this policy setting, HTML fonts can be downloaded automatically.

  • If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

  • If you disable this policy setting, HTML fonts are prevented from downloading.

  • If you don't configure this policy setting, users are queried whether to allow HTML fonts to download.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyFontDownload_8
Friendly Name Allow font downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
ADMX File Name inetres.admx

LockedDownRestrictedSitesZoneAllowLessPrivilegedSites

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

  • If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that's provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

  • If you don't configure this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyZoneElevationURLaction_8
Friendly Name Web sites in less privileged Web content zones can navigate into this zone
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
ADMX File Name inetres.admx

LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable this policy setting, Internet Explorer won't execute unsigned managed components.

  • If you don't configure this policy setting, Internet Explorer won't execute unsigned managed components.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUnsignedFrameworkComponentsURLaction_8
Friendly Name Run .NET Framework-reliant components not signed with Authenticode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
ADMX File Name inetres.admx

LockedDownRestrictedSitesZoneAllowScriptlets

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user can't run scriptlets.

  • If you don't configure this policy setting, the user can enable or disable scriptlets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_AllowScriptlets_8
Friendly Name Allow scriptlets
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
ADMX File Name inetres.admx

LockedDownRestrictedSitesZoneAllowSmartScreenIE

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter doesn't scan pages in this zone for malicious content.

  • If you don't configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_Phishing_8
Friendly Name Turn on SmartScreen Filter scan
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
ADMX File Name inetres.admx

LockedDownRestrictedSitesZoneAllowUserDataPersistence

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you don't configure this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUserdataPersistence_8
Friendly Name Userdata persistence
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
ADMX File Name inetres.admx

LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting isn't recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

  • If you don't configure this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyScriptActiveXNotMarkedSafe_8
Friendly Name Initialize and script ActiveX controls not marked as safe
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
ADMX File Name inetres.admx

LockedDownRestrictedSitesZoneJavaPermissions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions

This policy setting allows you to manage permissions for Java applets.

  • If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.

Low Safety enables applets to perform all operations.

Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program can't make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.

  • If you disable this policy setting, Java applets can't run.

  • If you don't configure this policy setting, Java applets are disabled.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyJavaPermissions_8
Friendly Name Java permissions
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
ADMX File Name inetres.admx

LockedDownRestrictedSitesZoneNavigateWindowsAndFrames

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

  • If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

  • If you disable this policy setting, users can't open other windows and frames from other domains or access applications from different domains.

  • If you don't configure this policy setting, users can't open other windows and frames from different domains or access applications from different domains.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNavigateSubframesAcrossDomains_8
Friendly Name Navigate windows and frames across different domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
ADMX File Name inetres.admx

LockedDownTrustedSitesZoneAllowAccessToDataSources

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you disable this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you don't configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAccessDataSourcesAcrossDomains_6
Friendly Name Access data sources across domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
ADMX File Name inetres.admx

LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

  • If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

  • If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

  • If you don't configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarActiveXURLaction_6
Friendly Name Automatic prompting for ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
ADMX File Name inetres.admx

LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or don't configure this setting, file downloads that aren't user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarDownloadURLaction_6
Friendly Name Automatic prompting for file downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
ADMX File Name inetres.admx

LockedDownTrustedSitesZoneAllowFontDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

  • If you enable this policy setting, HTML fonts can be downloaded automatically.

  • If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

  • If you disable this policy setting, HTML fonts are prevented from downloading.

  • If you don't configure this policy setting, HTML fonts can be downloaded automatically.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyFontDownload_6
Friendly Name Allow font downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
ADMX File Name inetres.admx

LockedDownTrustedSitesZoneAllowLessPrivilegedSites

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

  • If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that's provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

  • If you don't configure this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyZoneElevationURLaction_6
Friendly Name Web sites in less privileged Web content zones can navigate into this zone
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
ADMX File Name inetres.admx

LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable this policy setting, Internet Explorer won't execute unsigned managed components.

  • If you don't configure this policy setting, Internet Explorer won't execute unsigned managed components.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUnsignedFrameworkComponentsURLaction_6
Friendly Name Run .NET Framework-reliant components not signed with Authenticode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
ADMX File Name inetres.admx

LockedDownTrustedSitesZoneAllowScriptlets

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user can't run scriptlets.

  • If you don't configure this policy setting, the user can enable or disable scriptlets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_AllowScriptlets_6
Friendly Name Allow scriptlets
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
ADMX File Name inetres.admx

LockedDownTrustedSitesZoneAllowSmartScreenIE

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter doesn't scan pages in this zone for malicious content.

  • If you don't configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_Phishing_6
Friendly Name Turn on SmartScreen Filter scan
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
ADMX File Name inetres.admx

LockedDownTrustedSitesZoneAllowUserDataPersistence

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you don't configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUserdataPersistence_6
Friendly Name Userdata persistence
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
ADMX File Name inetres.admx

LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting isn't recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

  • If you don't configure this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyScriptActiveXNotMarkedSafe_6
Friendly Name Initialize and script ActiveX controls not marked as safe
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
ADMX File Name inetres.admx

LockedDownTrustedSitesZoneJavaPermissions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions

This policy setting allows you to manage permissions for Java applets.

  • If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.

Low Safety enables applets to perform all operations.

Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program can't make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.

  • If you disable this policy setting, Java applets can't run.

  • If you don't configure this policy setting, Java applets are disabled.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyJavaPermissions_6
Friendly Name Java permissions
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
ADMX File Name inetres.admx

LockedDownTrustedSitesZoneNavigateWindowsAndFrames

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

  • If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

  • If you disable this policy setting, users can't open windows and frames to access applications from different domains.

  • If you don't configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNavigateSubframesAcrossDomains_6
Friendly Name Navigate windows and frames across different domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
ADMX File Name inetres.admx

MimeSniffingSafetyFeatureInternetExplorerProcesses

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses

This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type.

  • If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.

  • If you disable this policy setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type.

  • If you don't configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IESF_PolicyExplorerProcesses_6
Friendly Name Internet Explorer Processes
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING
ADMX File Name inetres.admx

MKProtocolSecurityRestrictionInternetExplorerProcesses

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses

The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail.

  • If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.

  • If you disable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes.

  • If you don't configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IESF_PolicyExplorerProcesses_3
Friendly Name Internet Explorer Processes
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
ADMX File Name inetres.admx

NewTabDefaultPage

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/NewTabDefaultPage
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/NewTabDefaultPage

This policy setting allows you to specify what's displayed when the user opens a new tab.

  • If you enable this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page, the new tab page or the new tab page with my news feed.

  • If you disable or don't configure this policy setting, the user can select his or her preference for this behavior.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name NewTabAction
Friendly Name Specify default behavior for a new tab
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing
ADMX File Name inetres.admx

NotificationBarInternetExplorerProcesses

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/NotificationBarInternetExplorerProcesses
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/NotificationBarInternetExplorerProcesses

This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes.

  • If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes.

  • If you disable this policy setting, the Notification bar won't be displayed for Internet Explorer processes.

  • If you don't configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IESF_PolicyExplorerProcesses_10
Friendly Name Internet Explorer Processes
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Security Features > Notification bar
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND
ADMX File Name inetres.admx

PreventManagingSmartScreenFilter

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/PreventManagingSmartScreenFilter
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/PreventManagingSmartScreenFilter

This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware.

  • If you enable this policy setting, the user isn't prompted to turn on SmartScreen Filter. All website addresses that aren't on the filter's allow list are sent automatically to Microsoft without prompting the user.

  • If you disable or don't configure this policy setting, the user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Disable_Managing_Safety_Filter_IE9
Friendly Name Prevent managing SmartScreen Filter
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\PhishingFilter
ADMX File Name inetres.admx

PreventPerUserInstallationOfActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/PreventPerUserInstallationOfActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/PreventPerUserInstallationOfActiveXControls

This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis.

  • If you enable this policy setting, ActiveX controls can't be installed on a per-user basis.

  • If you disable or don't configure this policy setting, ActiveX controls can be installed on a per-user basis.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DisablePerUserActiveXInstall
Friendly Name Prevent per-user installation of ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Security\ActiveX
Registry Value Name BlockNonAdminActiveXInstall
ADMX File Name inetres.admx

ProtectionFromZoneElevationInternetExplorerProcesses

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses

Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context.

  • If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.

  • If you disable this policy setting, no zone receives such protection for Internet Explorer processes.

  • If you don't configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IESF_PolicyExplorerProcesses_9
Friendly Name Internet Explorer Processes
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
ADMX File Name inetres.admx

RemoveRunThisTimeButtonForOutdatedActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls

This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer.

  • If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.

  • If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once.

For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name VerMgmtDisableRunThisTime
Friendly Name Remove "Run this time" button for outdated ActiveX controls in Internet Explorer
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Security Features > Add-on Management
Registry Key Name Software\Microsoft\Windows\CurrentVersion\Policies\Ext
Registry Value Name RunThisTimeEnabled
ADMX File Name inetres.admx

ResetZoomForDialogInIEMode

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20348.261] and later
✅ Windows 10, version 1903 [10.0.18362.1832] and later
✅ Windows 10, version 2004 with KB5005611 [10.0.19041.1266] and later
✅ Windows 11, version 21H2 with KB5006746 [10.0.22000.282] and later
✅ Windows 11, version 22H2 [10.0.22621] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/ResetZoomForDialogInIEMode
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ResetZoomForDialogInIEMode

This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode.

If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode won't get propagated from its parent page.

If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page.

For more information, see https://go.microsoft.com/fwlink/?linkid=2220107

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ResetZoomForDialogInIEMode
Friendly Name Reset zoom to default for HTML dialogs in Internet Explorer mode
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode
Registry Value Name ResetZoomForDialogInIEMode
ADMX File Name inetres.admx

RestrictActiveXInstallInternetExplorerProcesses

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses

This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes.

  • If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes.

  • If you disable this policy setting, prompting for ActiveX control installations won't be blocked for Internet Explorer processes.

  • If you don't configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IESF_PolicyExplorerProcesses_11
Friendly Name Internet Explorer Processes
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL
ADMX File Name inetres.admx

RestrictedSitesZoneAllowAccessToDataSources

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you disable this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you don't configure this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAccessDataSourcesAcrossDomains_7
Friendly Name Access data sources across domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowActiveScripting

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowActiveScripting
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowActiveScripting

This policy setting allows you to manage whether script code on pages in the zone is run.

  • If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.

  • If you disable this policy setting, script code on pages in the zone is prevented from running.

  • If you don't configure this policy setting, script code on pages in the zone is prevented from running.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyActiveScripting_7
Friendly Name Allow active scripting
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

  • If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

  • If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

  • If you don't configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarActiveXURLaction_7
Friendly Name Automatic prompting for ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or don't configure this setting, file downloads that aren't user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarDownloadURLaction_7
Friendly Name Automatic prompting for file downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowBinaryAndScriptBehaviors

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors

This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.

  • If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

  • If you disable this policy setting, binary and script behaviors aren't available unless applications have implemented a custom security manager.

  • If you don't configure this policy setting, binary and script behaviors aren't available unless applications have implemented a custom security manager.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyBinaryBehaviors_7
Friendly Name Allow binary and script behaviors
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowCopyPasteViaScript

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript

This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.

  • If you enable this policy setting, a script can perform a clipboard operation.

If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.

  • If you disable this policy setting, a script can't perform a clipboard operation.

  • If you don't configure this policy setting, a script can't perform a clipboard operation.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAllowPasteViaScript_7
Friendly Name Allow cut, copy or paste operations from the clipboard via script
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles

This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.

  • If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.

  • If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.

  • If you don't configure this policy setting, users are queried to choose whether to drag or copy files from this zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyDropOrPasteFiles_7
Friendly Name Allow drag and drop or copy and paste files
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowFileDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowFileDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowFileDownloads

This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.

  • If you enable this policy setting, files can be downloaded from the zone.

  • If you disable this policy setting, files are prevented from being downloaded from the zone.

  • If you don't configure this policy setting, files are prevented from being downloaded from the zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyFileDownload_7
Friendly Name Allow file downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowFontDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowFontDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

  • If you enable this policy setting, HTML fonts can be downloaded automatically.

  • If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

  • If you disable this policy setting, HTML fonts are prevented from downloading.

  • If you don't configure this policy setting, users are queried whether to allow HTML fonts to download.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyFontDownload_7
Friendly Name Allow font downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowLessPrivilegedSites

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

  • If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that's provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

  • If you don't configure this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyZoneElevationURLaction_7
Friendly Name Web sites in less privileged Web content zones can navigate into this zone
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowLoadingOfXAMLFiles

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles

This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.

  • If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user can't change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.

  • If you disable this policy setting, XAML files aren't loaded inside Internet Explorer. The user can't change this behavior.

  • If you don't configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_XAML_7
Friendly Name Allow loading of XAML files
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowMETAREFRESH

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH

This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.

  • If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.

  • If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can't be redirected to another Web page.

  • If you don't configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can't be redirected to another Web page.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAllowMETAREFRESH_7
Friendly Name Allow META REFRESH
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowNETFrameworkReliantComponents

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable this policy setting, Internet Explorer won't execute unsigned managed components.

  • If you don't configure this policy setting, Internet Explorer won't execute unsigned managed components.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUnsignedFrameworkComponentsURLaction_7
Friendly Name Run .NET Framework-reliant components not signed with Authenticode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls

This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.

  • If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites.

  • If you disable this policy setting, the user doesn't see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted
Friendly Name Allow only approved domains to use ActiveX controls without prompt
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl

This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.

  • If you enable this policy setting, the TDC ActiveX control won't run from websites in this zone.

  • If you disable this policy setting, the TDC Active X control will run from all sites in this zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAllowTDCControl_Both_Restricted
Friendly Name Allow only approved domains to use the TDC ActiveX control
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls

This policy setting determines whether a page can control embedded WebBrowser controls via script.

  • If you enable this policy setting, script access to the WebBrowser control is allowed.

  • If you disable this policy setting, script access to the WebBrowser control isn't allowed.

  • If you don't configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_WebBrowserControl_7
Friendly Name Allow scripting of Internet Explorer WebBrowser controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowScriptInitiatedWindows

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows

This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.

  • If you enable this policy setting, Windows Restrictions security won't apply in this zone. The security zone runs without the added layer of security provided by this feature.

  • If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars can't be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

  • If you don't configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars can't be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyWindowsRestrictionsURLaction_7
Friendly Name Allow script-initiated windows without size or position constraints
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowScriptlets

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptlets
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user can't run scriptlets.

  • If you don't configure this policy setting, the user can enable or disable scriptlets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_AllowScriptlets_7
Friendly Name Allow scriptlets
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowSmartScreenIE

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter doesn't scan pages in this zone for malicious content.

  • If you don't configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_Phishing_7
Friendly Name Turn on SmartScreen Filter scan
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowUpdatesToStatusBarViaScript

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript

This policy setting allows you to manage whether script is allowed to update the status bar within the zone.

  • If you enable this policy setting, script is allowed to update the status bar.

  • If you disable or don't configure this policy setting, script isn't allowed to update the status bar.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_ScriptStatusBar_7
Friendly Name Allow updates to status bar via script
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowUserDataPersistence

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you don't configure this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUserdataPersistence_7
Friendly Name Userdata persistence
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer

This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.

If you selected Enable in the drop-down box, VBScript can run without user intervention.

If you selected Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run.

If you selected Disable in the drop-down box, VBScript is prevented from running.

If you don't configure or disable this policy setting, VBScript is prevented from running.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAllowVBScript_7
Friendly Name Allow VBScript to run in Internet Explorer
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls

This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

  • If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

  • If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

  • If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAntiMalwareCheckingOfActiveXControls_7
Friendly Name Don't run antimalware programs against ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneDownloadSignedActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls

This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.

  • If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.

  • If you disable the policy setting, signed controls can't be downloaded.

  • If you don't configure this policy setting, signed controls can't be downloaded.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyDownloadSignedActiveX_7
Friendly Name Download signed ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneDownloadUnsignedActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls

This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.

  • If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.

  • If you disable this policy setting, users can't run unsigned controls.

  • If you don't configure this policy setting, users can't run unsigned controls.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyDownloadUnsignedActiveX_7
Friendly Name Download unsigned ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneEnableCrossSiteScriptingFilter

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter

This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.

  • If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.

  • If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyTurnOnXSSFilter_Both_Restricted
Friendly Name Turn on Cross-Site Scripting Filter
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows

This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.

If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users can't change this setting.

If you enable this policy setting and click Disable, users can't drag content from one domain to a different domain when both the source and destination are in different windows. Users can't change this setting.

In Internet Explorer 10, if you disable this policy setting or don't configure it, users can't drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.

In Internet Explorer 9 and earlier versions, if you disable this policy or don't configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users can't change this setting.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted
Friendly Name Enable dragging of content from different domains across windows
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows

This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.

If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users can't change this setting.

If you enable this policy setting and click Disable, users can't drag content from one domain to a different domain when the source and destination are in the same window. Users can't change this setting in the Internet Options dialog.

In Internet Explorer 10, if you disable this policy setting or don't configure it, users can't drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.

In Internet Explorer 9 and earlier versions, if you disable this policy setting or don't configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users can't change this setting in the Internet Options dialog.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted
Friendly Name Enable dragging of content from different domains within a window
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneEnableMIMESniffing

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableMIMESniffing
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableMIMESniffing

This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.

  • If you enable this policy setting, the MIME Sniffing Safety Feature won't apply in this zone. The security zone will run without the added layer of security provided by this feature.

  • If you disable this policy setting, the actions that may be harmful can't run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.

  • If you don't configure this policy setting, the actions that may be harmful can't run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyMimeSniffingURLaction_7
Friendly Name Enable MIME Sniffing
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer

This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.

  • If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form.

  • If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.

  • If you don't configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_LocalPathForUpload_7
Friendly Name Include local path when user is uploading files to a server
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneInitializeAndScriptActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting isn't recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

  • If you don't configure this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyScriptActiveXNotMarkedSafe_7
Friendly Name Initialize and script ActiveX controls not marked as safe
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneJavaPermissions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneJavaPermissions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneJavaPermissions

This policy setting allows you to manage permissions for Java applets.

  • If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.

Low Safety enables applets to perform all operations.

Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program can't make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.

  • If you disable this policy setting, Java applets can't run.

  • If you don't configure this policy setting, Java applets are disabled.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyJavaPermissions_7
Friendly Name Java permissions
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME

This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.

  • If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

  • If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.

  • If you don't configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyLaunchAppsAndFilesInIFRAME_7
Friendly Name Launching applications and files in an IFRAME
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneLogonOptions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneLogonOptions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneLogonOptions

This policy setting allows you to manage settings for logon options.

  • If you enable this policy setting, you can choose from the following logon options.

Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.

Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.

  • If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.

  • If you don't configure this policy setting, logon is set to Prompt for username and password.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyLogon_7
Friendly Name Logon options
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneNavigateWindowsAndFrames

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

  • If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

  • If you disable this policy setting, users can't open other windows and frames from other domains or access applications from different domains.

  • If you don't configure this policy setting, users can't open other windows and frames from different domains or access applications from different domains.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNavigateSubframesAcrossDomains_7
Friendly Name Navigate windows and frames across different domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneRunActiveXControlsAndPlugins

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins

This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.

  • If you enable this policy setting, controls and plug-ins can run without user intervention.

If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.

  • If you disable this policy setting, controls and plug-ins are prevented from running.

  • If you don't configure this policy setting, controls and plug-ins are prevented from running.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyRunActiveXControls_7
Friendly Name Run ActiveX controls and plugins
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode

This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.

  • If you disable this policy setting, Internet Explorer won't execute signed managed components.

  • If you don't configure this policy setting, Internet Explorer won't execute signed managed components.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicySignedFrameworkComponentsURLaction_7
Friendly Name Run .NET Framework-reliant components signed with Authenticode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting

This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.

  • If you enable this policy setting, script interaction can occur automatically without user intervention.

If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.

  • If you disable this policy setting, script interaction is prevented from occurring.

  • If you don't configure this policy setting, script interaction is prevented from occurring.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyScriptActiveXMarkedSafe_7
Friendly Name Script ActiveX controls marked safe for scripting
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneScriptingOfJavaApplets

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets

This policy setting allows you to manage whether applets are exposed to scripts within the zone.

  • If you enable this policy setting, scripts can access applets automatically without user intervention.

If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.

  • If you disable this policy setting, scripts are prevented from accessing applets.

  • If you don't configure this policy setting, scripts are prevented from accessing applets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyScriptingOfJavaApplets_7
Friendly Name Scripting of Java applets
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles

This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).

  • If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open.

  • If you disable this policy setting, these files don't open.

  • If you don't configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_UnsafeFiles_7
Friendly Name Show security warning for potentially unsafe files
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneTurnOnProtectedMode

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode

This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.

  • If you enable this policy setting, Protected Mode is turned on. The user can't turn off Protected Mode.

  • If you disable this policy setting, Protected Mode is turned off. The user can't turn on Protected Mode.

  • If you don't configure this policy setting, the user can turn on or turn off Protected Mode.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_TurnOnProtectedMode_7
Friendly Name Turn on Protected Mode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictedSitesZoneUsePopupBlocker

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneUsePopupBlocker
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneUsePopupBlocker

This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link aren't blocked.

  • If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.

  • If you disable this policy setting, pop-up windows aren't prevented from appearing.

  • If you don't configure this policy setting, most unwanted pop-up windows are prevented from appearing.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyBlockPopupWindows_7
Friendly Name Use Pop-up Blocker
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
ADMX File Name inetres.admx

RestrictFileDownloadInternetExplorerProcesses

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictFileDownloadInternetExplorerProcesses
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictFileDownloadInternetExplorerProcesses

This policy setting enables blocking of file download prompts that aren't user initiated.

  • If you enable this policy setting, file download prompts that aren't user initiated will be blocked for Internet Explorer processes.

  • If you disable this policy setting, prompting will occur for file downloads that aren't user initiated for Internet Explorer processes.

  • If you don't configure this policy setting, the user's preference determines whether to prompt for file downloads that aren't user initiated for Internet Explorer processes.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IESF_PolicyExplorerProcesses_12
Friendly Name Internet Explorer Processes
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Security Features > Restrict File Download
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
ADMX File Name inetres.admx

ScriptedWindowSecurityRestrictionsInternetExplorerProcesses

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses

Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars aren't visible to the user or obfuscate other Windows' title and status bars.

  • If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes.

  • If you disable this policy setting, scripts can continue to create popup windows and windows that obfuscate other windows.

  • If you don't configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IESF_PolicyExplorerProcesses_8
Friendly Name Internet Explorer Processes
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
ADMX File Name inetres.admx

SearchProviderList

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/SearchProviderList
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/SearchProviderList

This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.

  • If you enable this policy setting, the user can't configure the list of search providers on his or her computer, and any default providers installed don't appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers.

Note

This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

  • If you disable or don't configure this policy setting, the user can configure his or her list of search providers.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name SpecificSearchProvider
Friendly Name Restrict search providers to a specific list
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
Registry Value Name UsePolicySearchProvidersOnly
ADMX File Name inetres.admx

SecurityZonesUseOnlyMachineSettings

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/SecurityZonesUseOnlyMachineSettings

Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level.

  • If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer.

  • If you disable this policy or don't configure it, users of the same computer can establish their own security zone settings.

This policy is intended to ensure that security zone settings apply uniformly to the same computer and don't vary from user to user.

Also, see the "Security zones: Don't allow users to change policies" policy.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name Security_HKLM_only
Friendly Name Security Zones: Use only machine settings
Location Computer Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Registry Value Name Security_HKLM_only
ADMX File Name inetres.admx

SendSitesNotInEnterpriseSiteListToEdge

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20348] and later
✅ Windows 10, version 1903 [10.0.18362.1350] and later
✅ Windows 10, version 2004 with KB4598291 [10.0.19041.789] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge

This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode Site List.

Enabling this setting automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge.

Disabling, or not configuring this setting, opens all sites based on the currently active browser.

Note

If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11.

Note

This MDM policy is still outstanding.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name RestrictInternetExplorer
Friendly Name Send all sites not included in the Enterprise Mode Site List to Microsoft Edge
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode
Registry Value Name RestrictIE
ADMX File Name inetres.admx

Example:

  <policy name="RestrictInternetExplorer" class="Both" displayName="$(string.RestrictInternetExplorer)" explainText="$(string.IE_ExplainRestrictInternetExplorer)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" valueName="RestrictIE">

      <parentCategory ref="InternetExplorer" />

      <supportedOn ref="SUPPORTED_IE11WIN10_1607" />

      <enabledValue>

        <decimal value="1" />

      </enabledValue>

      <disabledValue>

        <decimal value="0" />

      </disabledValue>

    </policy>

SpecifyUseOfActiveXInstallerService

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/SpecifyUseOfActiveXInstallerService
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/SpecifyUseOfActiveXInstallerService

This policy setting allows you to specify how ActiveX controls are installed.

  • If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls.

  • If you disable or don't configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name OnlyUseAXISForActiveXInstall
Friendly Name Specify use of ActiveX Installer Service for installation of ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer
Registry Key Name Software\Policies\Microsoft\Windows\AxInstaller
Registry Value Name OnlyUseAXISForActiveXInstall
ADMX File Name inetres.admx

TrustedSitesZoneAllowAccessToDataSources

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAccessToDataSources
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you disable this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you don't configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAccessDataSourcesAcrossDomains_5
Friendly Name Access data sources across domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

TrustedSitesZoneAllowAutomaticPromptingForActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

  • If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

  • If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

  • If you don't configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarActiveXURLaction_5
Friendly Name Automatic prompting for ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

TrustedSitesZoneAllowAutomaticPromptingForFileDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or don't configure this setting, users will receive a file download dialog for automatic download attempts.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNotificationBarDownloadURLaction_5
Friendly Name Automatic prompting for file downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

TrustedSitesZoneAllowFontDownloads

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowFontDownloads
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

  • If you enable this policy setting, HTML fonts can be downloaded automatically.

  • If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

  • If you disable this policy setting, HTML fonts are prevented from downloading.

  • If you don't configure this policy setting, HTML fonts can be downloaded automatically.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyFontDownload_5
Friendly Name Allow font downloads
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

TrustedSitesZoneAllowLessPrivilegedSites

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

  • If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that's provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

  • If you don't configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyZoneElevationURLaction_5
Friendly Name Web sites in less privileged Web content zones can navigate into this zone
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

TrustedSitesZoneAllowNETFrameworkReliantComponents

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable this policy setting, Internet Explorer won't execute unsigned managed components.

  • If you don't configure this policy setting, Internet Explorer will execute unsigned managed components.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUnsignedFrameworkComponentsURLaction_5
Friendly Name Run .NET Framework-reliant components not signed with Authenticode
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

TrustedSitesZoneAllowScriptlets

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowScriptlets
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user can't run scriptlets.

  • If you don't configure this policy setting, the user can enable or disable scriptlets.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_AllowScriptlets_5
Friendly Name Allow scriptlets
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

TrustedSitesZoneAllowSmartScreenIE

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowSmartScreenIE
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter doesn't scan pages in this zone for malicious content.

  • If you don't configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_Policy_Phishing_5
Friendly Name Turn on SmartScreen Filter scan
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

TrustedSitesZoneAllowUserDataPersistence

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowUserDataPersistence
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you don't configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyUserdataPersistence_5
Friendly Name Userdata persistence
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls

This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

  • If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

  • If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

  • If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyAntiMalwareCheckingOfActiveXControls_5
Friendly Name Don't run antimalware programs against ActiveX controls
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

TrustedSitesZoneInitializeAndScriptActiveXControls

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting isn't recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

  • If you don't configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyScriptActiveXNotMarkedSafe_5
Friendly Name Initialize and script ActiveX controls not marked as safe
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

TrustedSitesZoneJavaPermissions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneJavaPermissions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneJavaPermissions

This policy setting allows you to manage permissions for Java applets.

  • If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.

Low Safety enables applets to perform all operations.

Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program can't make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.

  • If you disable this policy setting, Java applets can't run.

  • If you don't configure this policy setting, the permission is set to Low Safety.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyJavaPermissions_5
Friendly Name Java permissions
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

TrustedSitesZoneLogonOptions

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20348.2227] and later
✅ [10.0.25398.643] and later
✅ [10.0.25965] and later
✅ Windows 10, version 2004 [10.0.19041.3758] and later
✅ Windows 11, version 22H2 with KB5032288 [10.0.22621.2792] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneLogonOptions
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneLogonOptions

This policy setting allows you to manage settings for logon options.

  • If you enable this policy setting, you can choose from the following logon options.

Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.

Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.

  • If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.

  • If you don't configure this policy setting, logon is set to Automatic logon with current username and password.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyLogon_5
Friendly Name Logon options
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

TrustedSitesZoneNavigateWindowsAndFrames

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

  • If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

  • If you disable this policy setting, users can't open windows and frames to access applications from different domains.

  • If you don't configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name IZ_PolicyNavigateSubframesAcrossDomains_5
Friendly Name Navigate windows and frames across different domains
Location Computer and User Configuration
Path Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
Registry Key Name Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
ADMX File Name inetres.admx

Policy configuration service provider