Local and Remote Network Connections

You can use Group Policy settings or a combination of policies to control access to the Network and Dial-up Connections folder, and how it can be used. For example, a Group Policy setting can be applied which makes the Advanced Settings menu unavailable in the Network and Dial-up Connections folder. For more information about using Group Policy with Windows 2000 Server, see Windows 2000 Server Help.

The following sections describe the local Group Policy settings that can be applied in Windows 2000 Professional, including a description of each setting and registry information.

Computer Configuration Group Policy Settings

The location in the Group Policy that the setting modifies is shown in Figure 21.12.

Figure 21.12 Computer Configuration in Group Policy

Allow configuration of connection sharing

This setting determines whether administrators can enable, disable, and configure the Internet Connection Sharing feature of a dial-up connection.

If you enable this setting or do not configure it, the system displays the Sharing tab in the Properties for a dial-up connection. On Windows 2000 Server, it also displays the Internet Connection Sharing (ICS) page in the Network Connection Wizard. (This page is available only in Windows 2000 Server.) If you disable this setting, the Sharing tab and Internet Connection Sharing wizard page are removed.

Caution

Allowing users in your organization to enable ICS means that they could create an unauthorized DHCP server on the subnet on which the computer is located. The ICS-enabled computer will allocate incorrect IP address configurations to all other DHCP clients on the same subnet and prevent them from communicating with other computers located on different subnets.

Note

This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. Also, this setting applies only to users in the Administrators group.

User Configuration Group Policy Settings

The location in the Group Policy that these policies modify is shown in Figure 21.13.

Figure 21.13 User Configuration in Group Policy

Enable deletion of RAS connections

This setting determines whether users can delete their private dial-up network connections. If you enable this setting or do not configure it, users can delete their private dial-up connections. Private connections are those that are available only to one user. (By default, only administrators can delete connections available to all users, but you can change the default by using the Enable deletion of RAS connections available to all users setting.) If you disable this Group Policy setting, users (including administrators) cannot delete any dial-up connections. This setting also disables the Delete option on the context menu for a dial-up connection and on the File menu in Network and Dial-up Connections.

Note

When disabled, this setting takes precedence over the Enable deletion of RAS connections available to all users setting. Users cannot delete any dial-up connections, and the Enable deletion of RAS connections available to all users setting is ignored.

Enable deletion of RAS connections available to all users

This setting allows users to delete shared dial-up (RAS) connections. Shared connections are available to all users of the computer.

If you enable this setting, users can delete shared dial-up connections. If you do not configure this setting, only administrators can delete shared dial-up connections. If you disable this setting, no one can delete shared dial-up connections. (By default, users can still delete their private connections, but you can change the default by using the Enable deletion of RAS connections setting.)

Note

When disabled, the Enable deletion of RAS connections setting takes precedence over this setting. Users (including administrators) cannot delete any dial-up connections and this setting is ignored.
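The interaction between the two deletion settings is easier to audit as a truth table. The following is an added example, not part of the original documentation: it models only the rules stated above, and the names State, can_delete, effective_matrix and non_admin_can_delete_shared are hypothetical.

```python
from enum import Enum
from itertools import product


class State(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"
    NOT_CONFIGURED = "not configured"


def can_delete(delete_ras, delete_all_users, is_admin, shared):
    """Return True if Delete is available for a dial-up connection.

    delete_ras       : state of "Enable deletion of RAS connections"
    delete_all_users : state of "Enable deletion of RAS connections
                       available to all users"
    is_admin         : user is a member of Administrators
    shared           : connection is available to all users (False = private)
    """
    # A disabled "Enable deletion of RAS connections" wins outright: no one,
    # administrators included, can delete any dial-up connection.
    if delete_ras is State.DISABLED:
        return False
    # Private connection: enabled and not configured both allow deletion.
    if not shared:
        return True
    # Shared connection: decided by the all-users setting.
    if delete_all_users is State.ENABLED:
        return True
    if delete_all_users is State.DISABLED:
        return False
    return is_admin  # not configured: administrators only


def effective_matrix():
    """Every (setting, setting, role, connection type) combination."""
    return [
        (ras, allu, is_admin, shared, can_delete(ras, allu, is_admin, shared))
        for ras, allu, is_admin, shared in product(State, State, (False, True), (False, True))
    ]


def non_admin_can_delete_shared():
    """Setting pairs that let a non-administrator remove a shared connection."""
    return [
        (ras, allu)
        for ras, allu, is_admin, shared, allowed in effective_matrix()
        if allowed and shared and not is_admin
    ]


if __name__ == "__main__":
    for ras, allu, is_admin, shared, allowed in effective_matrix():
        role = "admin" if is_admin else "user"
        kind = "shared" if shared else "private"
        print(f"{ras.value:15} {allu.value:15} {role:6} {kind:8} {allowed}")
```

Only an enabled all-users setting combined with a non-disabled Enable deletion of RAS connections setting lets a non-administrator remove a shared connection.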

Enable connecting and disconnecting a RAS connection

This setting determines whether users can connect and disconnect dial-up connections.

If you enable this setting, the Connect and Disconnect options for dial-up connections are available to users in the group. Users can connect or disconnect a dial-up connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. If you disable this setting, then double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled.

Enable connecting and disconnecting a LAN connection

This setting determines whether users can connect and disconnect local area connections.

If you enable this setting, the Connect and Disconnect options for local area connections are available to users in the group. Users can connect or disconnect a local area connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. If you disable this setting, then double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled.

Enable access to properties of a LAN connection

This setting determines whether users can view and change the properties of a local area connection. It also determines whether the Local Area Connection Properties dialog box is available to users.

If you enable this setting, the Local Area Connection Properties dialog box appears when users right-click the icon representing a local area connection, and then click Properties. Also, when users select the connection, Properties is available on the File menu. If you disable this setting, users cannot open the Local Area Connection Properties dialog box.

Important

This setting supersedes settings that remove or disable parts of the Local Area Connection Properties dialog box, such as those that hide tabs, remove the check boxes for enabling or disabling components, or that disable the Properties button for components that a connection uses. If you disable this policy, then the settings that disable parts of the Local Area Connection Properties dialog box are ignored.

Allow access to current users RAS connection properties

This setting determines whether users can view and change the properties of their private dial-up connections.

Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the Network Connection Wizard, click Only for myself. This setting determines whether the Dial-up Connection Properties dialog box is available to users.

If you enable this setting, the Local Area Connection Properties dialog box appears when users right-click the icon representing a local area connection, and then click Properties. Also, when users select the connection, Properties is available on the File menu. If you disable this setting, users cannot open the Local Area Connection Properties dialog box.

Important

This setting supersedes settings that remove or disable parts of the Dial-up Connection Properties dialog box, such as those that hide tabs, remove the check boxes for enabling or disabling components, or that disable the Properties button for components that a connection uses. If you disable this setting, it overrides these subsidiary policies.

Enable access to properties of RAS connections available to all users

This setting determines whether a user can view and change the properties of dial-up connections that are available to all users of the computer. This setting also determines whether the Dial-up Connection Properties dialog box is available to users.

If you enable this setting, the Local Area Connection Properties dialog box appears when users right-click the icon representing a local area connection, and then click Properties. Also, when users select the connection, Properties is available on the File menu. If you disable this setting, users cannot open the Local Area Connection Properties dialog box.

To create a dial-up connection that is available to all users, on the Connection Availability page in the Network Connection Wizard, click the For all users option. To find connections available to all users, see the Connections folder on your system drive (Documents and Settings\All Users\Application Data\Microsoft\Network\Connections).

Important

This setting supersedes settings that remove or disable parts of the Dial-up Connection Properties dialog box, such as those that hide tabs, remove the check boxes for enabling or disabling components, or that disable the Properties button for components that a connection uses. If you disable this setting, it overrides these subsidiary policies.

Enable renaming of connections, if supported

This setting determines whether users can rename the dial-up and local area connections available to all users.

If you enable this setting, the Rename option is enabled. Users can rename connections by clicking the icon representing a connection or by using the File menu. If you disable this setting, the Rename option is disabled.

Enable renaming of RAS connections belonging to the current user

This setting determines whether users can rename their private dial-up connections.

Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the Network Connection Wizard, click Only for myself.

If you enable this setting, the Rename option is enabled for users' private dial-up connections. If you disable this setting, the Rename option is disabled on the user's private connections.

Enable adding or removing components of a RAS or LAN connection

This setting determines whether administrators can add and remove network components.

If you enable this setting, the Install and Uninstall buttons for components of connections in Network and Dial-up Connections are enabled. Also, administrators can gain access to network components in the Windows Components Wizard. If you disable this setting, the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted access to network components in the Windows Components Wizard.

The Install button opens the dialog boxes used to add network components. Clicking the Uninstall button removes the selected component in the components list (above the button). The Install and Uninstall buttons appear when administrators right-click a connection, and then click Properties. These buttons are on the General tab for local area connections and on the Networking tab for dial-up connections.

Tip

The Windows Components Wizard permits administrators to add and remove components. To use the wizard, double-click Add/Remove Programs in Control Panel. To go directly to the network components in the Windows Components Wizard, click the Advanced menu in Network and Dial-up Connections, and then click Optional Networking Components.

Allow connection components to be enabled or disabled

This setting determines whether administrators can enable and disable the components used by dial-up and local area connections.

If you enable this setting, the Properties dialog box for a connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables the component. Disabling this setting dims the check boxes for enabling and disabling components. As a result, administrators cannot enable or disable the components that a connection uses.

Enable access to properties of components of a LAN connection

This setting determines whether administrators can change the properties of components used by a local area connection.

This setting determines whether the Properties button for components of a local area connection is enabled. If you enable this setting or do not configure it, the Properties button is enabled. If you disable this setting, the Properties button is disabled.

To find the Properties button, right-click the connection, and then click Properties. You will see a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click Properties.

Note

Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled.

Enable access to properties of components of a RAS connection

This setting determines whether users can view and change the properties of components used by a dial-up connection.

This setting determines whether the Properties button for components used by a dial-up connection is enabled. If you enable this setting or do not configure it, the Properties button is enabled. If you disable this setting, the Properties button is disabled.

To find the Properties button, right-click the connection, click Properties, and then click the Networking tab. You will see a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click Properties.

Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled.

Display and enable the Network Connection Wizard

This setting determines whether users can use the Network Connection Wizard, which creates new network connections.

If you enable this setting, Make New Connection appears in the Network and Dial-up Connections folder. Clicking Make New Connection starts the Network Connection Wizard. If you disable this setting, Make New Connection does not appear. As a result, users cannot start the Network Connection Wizard.

Enable status statistics for an active connection

This setting determines whether users can view the Status page for an active connection.

Status displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection.

If you enable this setting, Status appears when users double-click an active connection. Also, an option to display Status appears on a menu when users right-click the icon for an active connection, and the option appears on the File menu when users select an active connection. If you disable this setting, Status is disabled, and Status doesn't appear.

Enable the Dial-up Preferences item on the Advanced menu

This setting determines whether Dial-up Preferences on the Advanced menu in Network and Dial-up Connections is enabled.

If you enable this setting, Dial-up Preferences is enabled. If you disable this setting, it is disabled. By default, Dial-up Preferences is enabled.

Dial-up Preferences allows users to configure Autodial and callback features.

Enable the Advanced Settings item on the Advanced menu

This setting determines whether Advanced Settings on the Advanced menu in Network and Dial-up Connections is enabled.

If you enable this setting, Advanced Settings is enabled. If you disable this setting, it is disabled. By default, Advanced Settings is enabled.

Advanced Settings allows administrators to view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers.

Allow configuration of connection sharing

This setting determines whether administrators and can enable, disable, and configure the ICS feature of a dial-up connection.

If you enable this setting or do not configure it, the system displays the Sharing tab in the properties for a dial-up connection. On a computer running Windows 2000 Server, it also displays the Internet Connection Sharing page in the Network Connection Wizard. (This page is available only in Windows 2000 Server.) If you disable this setting, the Sharing tab and the Internet Connection Sharing Wizard page are removed.

This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.

Important

This setting applies only to users in the Administrators and group.

For more information about disabling the configuration of ICS at the computer level, see Computer Configuration Group Policy Settings earlier in this chapter.

Allow TCP/IP advanced configuration

This setting determines whether users can use Network and Dial-up Connections to configure TCP/IP, DNS, and WINS settings.

If you enable this setting, the Advanced button on Internet Protocol (TCP/IP) Properties is enabled. As a result, users can open Advanced TCP/IP Settings and modify IP settings, such as DNS and WINS server information. If you disable this setting, the Advanced button is disabled and users cannot open Advanced TCP/IP Settings.

Important

If the Enable access to properties of a LAN connection setting or the Enable access to properties of components of a LAN connection setting is disabled, users cannot gain access to the Advanced button. As a result, this setting is ignored.