
Group Policy Settings

Updated: September 2010

Applies to: Windows 7

This section describes each of the Group Policy settings that are listed in the section Windows SteadyState. For each Group Policy setting, this section lists the location within the Group Policy Editor, the recommended values, and a description of the policy.

Windows SteadyState defines three security levels: High, Medium, and Low. These security levels provide a shortcut for configuring the many settings that it exposes. For example, clicking the High security level might enable a setting, whereas clicking the Medium or Low security level would disable the setting. The recommendations for most of the Group Policy settings represented in this section are based on Windows SteadyState security levels.

Add Logoff to the Start Menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This policy setting applies only to the classic version of the Start Menu, and it does not affect the new style Start Menu.

This setting adds the Log Off <username> item to the Start Menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off <username> item from the Start Menu.

If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item.

This setting affects the Start Menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del.

Note
To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff.

Always open All Control Panel Items when opening Control Panel

 

Location

User Configuration\Administrative Templates\Control Panel

Recommended

High: Disabled

Medium: Disabled

Low: Disabled

Description

This policy sets All Control Panel Items as the default Control Panel view.

If the policy is disabled, Control Panel Home is the default view.

Disable AutoComplete for forms

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

The AutoComplete feature suggests possible matches when users are filling in forms.

If you enable this setting, the user does not receive suggested matches when filling in forms. The user cannot change this setting.

If you disable this setting, the user receives suggested matches when filling in forms.

If you do not configure this setting, the user has the freedom to turn on the AutoComplete feature for forms.

To display this option, users can open the Internet Options dialog box, click the Content tab, and then click Settings.

Disable changing home page settings

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer

Recommended

http://www.bing.com/

Description

The home page that is specified on the General tab of the Internet Options dialog box is the default webpage that Internet Explorer® loads whenever it is run.

If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the users’ computers. For computers that are Internet Explorer 7 or Internet Explorer 8, the home page can be set within this policy to override other home page policies.

If you disable or do not configure this policy setting, the home page box is enabled and users can choose their own home page.

Disable Context menu

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

Recommended

High: Disabled

Medium: Disabled

Low: Disabled

Description

This setting prevents the shortcut menu from appearing when users click the right mouse button while using the browser.

If you enable this policy, the shortcut menu will not appear when users point to a webpage, and then click the right mouse button.

If you disable this policy or do not configure it, users can use the shortcut menu.

You can use this policy to ensure that users do not use the shortcut menu as an alternate method of running commands that have been removed from other parts of the interface.

Disable customizing browser toolbar buttons

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Toolbars

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This policy prevents users from determining which buttons appear on the Internet Explorer and Windows Explorer standard toolbars. The buttons that appear on the toolbar can be customized with the Customize option. This is present on the Toolbars submenu of the View menu in Internet Explorer 6 and under the Toolbars submenu on the Tools menu in the Command bar in Internet Explorer 7 and Internet Explorer 8.

If you enable this policy, the Customize option will be removed from the menu.

If you disable this policy or do not configure it, users can customize which buttons appear on the Internet Explorer and Windows Explorer toolbars.

This policy can be used in coordination with the "Disable customizing browser toolbars" policy, which prevents users from determining which toolbars are displayed in Internet Explorer and Windows Explorer.

Disable customizing browser toolbars

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Toolbars

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting prevents users from determining which toolbars are displayed in Internet Explorer and Windows Explorer.

If you enable this policy, the list of toolbars, which users can display by clicking the View menu and pointing to Toolbars, will appear unavailable.

If you disable this policy or do not configure it, users can determine which toolbars are displayed in Internet Explorer and Windows Explorer.

This policy can be used in coordination with the "Disable customizing browser toolbar buttons" policy, which prevents users from adding or removing toolbars from Internet Explorer.

Disable the Advanced page

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Advanced tab from the interface in the Internet Options dialog box.

If you enable this policy, users are prevented from seeing and changing advanced Internet settings, such as security, multimedia, and printing.

If you disable this policy or do not configure it, users can see and change these settings.

When you set this policy, you do not need to set the "Disable changing Advanced page settings" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer), because this policy removes the Advanced tab from the interface.

Disable the Connections page

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This policy setting removes the Connections tab from the interface in the Internet Options dialog box.

If you enable this policy, users are prevented from seeing and changing connection and proxy settings.

If you disable this policy or do not configure it, users can see and change these settings.

When you set this policy, you do not need to set the following policies for the Connections tab, because this policy removes the Connections tab from the interface:

  • "Disable Internet Connection Wizard"

  • "Disable changing connection settings"

  • "Disable changing proxy settings"

  • "Disable changing Automatic Configuration settings"

Disable the Content page

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

If you enable this policy setting, users are prevented from seeing and changing ratings, certificates, AutoComplete, Wallet, and Profile Assistant settings.

If you disable this policy or do not configure it, users can see and change these settings.

Disable the General page

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting removes the General tab from the interface in the Internet Options dialog box.

If you enable this policy, users are unable to see and change settings for the home page, the cache, history, webpage appearance, and accessibility.

If you disable this policy or do not configure it, users can see and change these settings.

When you set this policy, you do not need to set the following Internet Explorer policies (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer), because this policy removes the General tab from the interface:

  • "Disable changing home page settings"

  • "Disable changing Temporary Internet files settings"

  • "Disable changing history settings"

  • "Disable changing color settings"

  • "Disable changing link color settings"

  • "Disable changing font settings"

  • "Disable changing language settings"

  • "Disable changing accessibility settings"

Disable the Privacy page

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Privacy tab from the interface in the Internet Options dialog box.

If you enable this policy, users are prevented from seeing and changing default settings for privacy.

If you disable this policy or do not configure it, users can see and change these settings.

Disable the Programs page

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting removes the Programs tab from the interface in the Internet Options dialog box.

If you enable this policy, users are prevented from seeing and changing default settings for Internet programs.

If you disable this policy or do not configure it, users can see and change these settings.

When you set this policy, you do not need to set the following policies for the Programs tab, because this policy removes the Programs tab from the interface:

  • "Disable changing Messaging settings"

  • "Disable changing Calendar and Contact settings"

  • "Disable the Reset Web Settings feature"

  • "Disable changing default browser check"

Disable the Security page

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Security tab from the interface in the Internet Options dialog box.

If you enable this policy, users are prevented from seeing and changing settings for security zones such as scripting, downloads, and user authentication.

If you disable this policy or do not configure it, users can see and change these settings.

When you set this policy, you do not need to set the following Internet Explorer policies, because this policy removes the Security tab from the interface:

  • "Security zones: Do not allow users to change policies"

  • "Security zones: Do not allow users to add/delete sites"

Do not keep history of recently opened documents

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Note
Also see the "Remove Recent Items menu from Start menu" and "Clear history of recently opened documents on exit" policies.

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents.

If you enable this setting, the operating system and Windows programs do not create shortcuts to documents that are opened while the setting is in effect. Also, they retain but do not display existing document shortcuts. The operating system empties the Recent Items menu on the Start menu, and Windows programs do not display shortcuts at the bottom of the File menu. In addition, the submenus for programs in the Start menu and Taskbar do not show lists of recently or frequently used files, folders, or websites.

If you disable or do not configure this setting, the system will store and display shortcuts to recently and frequently used files, folders, and websites.

Note
The system saves document shortcuts in the user profile in the \Users\User-name\Recent folder.

If you enable this setting, but you do not enable the "Remove Recent Items menu from Start menu" setting, the Recent Items menu appears on the Start menu, but it is empty.

If you enable this setting, but then you later disable it or set it to Not Configured, the document shortcuts that were saved before the setting was enabled appear in the Recent Items menu, program File menus, and submenus.

This setting does not hide or prevent the user from pinning files, folders, or websites to the Jump Lists. See the "Do not allow pinning items in Jump Lists" setting. This policy also does not hide tasks that the application has provided for their Jump List. This setting does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting.

Note
Non-Microsoft applications that are certified with the Windows 2000, Windows XP, Windows Vista or Windows 7 operating systems must adhere to this setting.

Do not move deleted files to the Recycle Bin

 

Location

User Configuration\Administrative Templates\Windows Explorer

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

When a file or folder is deleted in Windows Explorer, a copy of the file or folder is placed in the Recycle Bin. You can use this setting to change that behavior.

If you enable this setting, files and folders that are deleted by using Windows Explorer will not be placed in the Recycle Bin and therefore will be permanently deleted.

If you disable or do not configure this setting, files and folders that are deleted by using Windows Explorer will be placed in the Recycle Bin.

Empty Temporary Internet Files folder when browser is closed

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This policy setting allows you to manage whether Internet Explorer deletes the contents of the Temporary Internet Files folder after all browser windows are closed. This protects against storing dangerous files on the computer or storing sensitive files that other users could see, in addition to managing total disk space usage.

If you enable this policy setting, Internet Explorer will delete the contents of the user's Temporary Internet Files folder when all browser windows are closed.

If you disable this policy setting, Internet Explorer will not delete the contents of the user's Temporary Internet Files folder when browser windows are closed.

If you do not configure this policy, Internet Explorer will not delete the contents of the Temporary Internet Files folder when browser windows are closed.

File menu: Disable New menu option

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting prevents users from opening a new browser window from the File menu.

If this policy is enabled, users cannot open a new browser window by clicking the File menu, pointing to the New menu, and clicking Window. The user interface is not changed, but a new window will not open, and the users will be informed that the command is not available.

If you disable this policy or do not configure it, users can open a new browser window from the File menu.

Caution
This policy does not prevent users from opening a new browser window by right-clicking a link, and then clicking the Open in New Window command. To prevent users from using the shortcut menu to open new browser windows, you should also set the "Disable Open in New Window menu option" policy, which disables this command on the shortcut menu, or set the "Disable context menu" policy, which disables the entire shortcut menu.

Note
The user can still open new tabs.

Force classic Start menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting affects the presentation of the Start menu.

The classic Start menu in Windows 2000 Professional allows users to begin common tasks, whereas the new Start menu consolidates common items onto one menu. When the classic Start Menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly.

If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons.

If you disable this setting, the Start menu opens in the new style, and the desktop icons appear on the Start page.

If you do not configure this setting, the default is the new style, and the user can change the view.

Hide Favorites menu

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This policy setting prevents users from adding, removing, editing, or viewing the list of Favorite links.

The Favorites list is a way to store popular links for future use.

If you enable this policy, the Favorites menu is removed from the interface, and the Favorites button on the browser toolbar appears unavailable. The Add to Favorites command on the shortcut menu is disabled, and when users click it, they are informed that the command is unavailable.

If you disable this policy or do not configure it, users can manage their Favorites list.

Note
If you enable this policy, users also cannot click Synchronize on the Tools menu (in Internet Explorer 6) to manage their favorite links that are set up for offline viewing.

Hide Network Locations icon on desktop

 

Location

User Configuration\Administrative Templates\Desktop

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This policy setting removes the Network Locations icon from the desktop.

This setting affects only the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network.

Note
In operating systems earlier than Windows Vista, this policy applies to the My Network Places icon.

Hide the notification area

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting affects the notification area (previously called the "system tray") on the taskbar.

The notification area is located on the far right side of the task bar, and it includes the icons for current notifications and the clock.

If this setting is enabled, the user’s entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the clock.

If this setting is disabled or is not configured, the notification area is shown in the user's taskbar.

Note
Enabling this setting overrides the "Turn off notification area cleanup" setting because if the notification area is hidden, there is no need to clean up the icons.

Hide these specified drives in My Computer

 

Location

User Configuration\Administrative Templates\Windows Explorer

Note
Also see the "Prevent access to drives from My Computer" setting.

Recommended

High: Restrict all drives

Medium: Disabled

Low: Disabled

Description

This setting removes the icons that represent selected hard disk drives from My Computer and Windows Explorer. Also, the letters that represent the selected drives do not appear in the standard Open dialog box.

To use this setting, select a drive or combination of drives in the drop-down list. To display all drives, disable this setting or select the "Do not restrict drives" option in the drop-down list.

Note
This setting removes the hard disk drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a Command Prompt window.

This setting does not prevent users from using programs to access these drives or their contents. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.

Note
Non-Microsoft applications that are certified with the Windows 2000, Windows XP, Windows Vista or Windows 7 operating systems must adhere to this setting.

Interactive logon: Do not display last user name

 

Location

Computer Configuration\Windows Settings\Local Policies\Security Options

Recommended

Enabled

Default: Disabled

Description

This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen.

If this policy is enabled, the name of the last user to successfully log on is not displayed in the logon screen.

If this policy is disabled, the name of the last user to log on is displayed.

Lock the Taskbar

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting affects the taskbar, which is used to switch between running applications.

The taskbar includes the Start button, the list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it is locked, it cannot be moved or resized.

If you enable this setting, users cannot move or resize the taskbar. When the taskbar is locked, auto-hide and other taskbar options are still available in the taskbar’s properties.

If you disable this setting or do not configure it, users can configure the taskbar position.

Note
Enabling this setting also locks the QuickLaunch bar and any other toolbars that users have on their taskbar. The toolbar's position is locked, and users cannot show and hide various toolbars by using the taskbar’s context menu.

Network access: Do not allow storage of credentials or .NET Passports for network authentication

 

Location

Computer Configuration\Windows Settings\Local Policies\Security Options

Recommended

Enabled

Default: Disabled

Description

This security setting determines whether Stored User Names and Passwords saves passwords, credentials, or .NET Passports for later use when it gains domain authentication.

If it is enabled, this setting prevents the Stored User Names and Passwords from storing passwords and credentials.

Note
When you configure this security setting, changes will not take effect until you restart Windows.

Network security: Do not store LAN Manager hash value on next password change

 

Location

Computer Configuration\Windows Settings\Local Policies\Security Options

Recommended

Enabled

Default on Windows Vista: Enabled

Default on Windows XP: Disabled

Description

This security setting determines if, at the next password change, the LAN Manager hash value for the new password is stored. The LAN Manager hash value is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT® hash value. Because the LAN Manager hash value is stored on the local computer in the security database, passwords can be compromised if the security database is attacked.

Note
Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.

This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and Windows Server 2003 to communicate with computers running Windows 95 and Windows 98.
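The three Security Options settings above (last user name, stored credentials, LAN Manager hash) can be verified on a computer by reading the registry values that back them. The following PowerShell audit is an added example, not part of the original page; the registry value names are the standard ones for these policies rather than values stated here, and the function names are hypothetical.

```powershell
# Added example (not from the original page). Run in an elevated or standard
# PowerShell session; the values are only read, never written.
$SecurityOptionBaseline = @(
    @{ Policy   = 'Interactive logon: Do not display last user name'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'DontDisplayLastUserName'
       Expected = 1
       Caveat   = '' },
    @{ Policy   = 'Network access: Do not allow storage of credentials or .NET Passports'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'DisableDomainCreds'
       Expected = 1
       Caveat   = 'Takes effect only after Windows is restarted' },
    @{ Policy   = 'Network security: Do not store LAN Manager hash value on next password change'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'NoLMHash'
       Expected = 1
       Caveat   = 'Applies at the next password change; hashes stored earlier remain until then' }
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the named value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-SecurityOptionBaseline {
    param([hashtable[]]$Baseline = $SecurityOptionBaseline)
    foreach ($entry in $Baseline) {
        $actual = Get-RegistryValueOrNull -Path $entry.Path -Name $entry.Name

        # NotSet: the value is absent, so the default listed in each section applies.
        if ($null -eq $actual)               { $state = 'NotSet' }
        elseif ($actual -eq $entry.Expected) { $state = 'Compliant' }
        else                                 { $state = 'NonCompliant' }

        New-Object PSObject -Property @{
            State    = $state
            Policy   = $entry.Policy
            Value    = $entry.Name
            Actual   = $actual
            Expected = $entry.Expected
            Caveat   = $entry.Caveat
        }
    }
}

Test-SecurityOptionBaseline |
    Select-Object State, Policy, Value, Actual, Expected, Caveat |
    Format-List
```

A Compliant result for NoLMHash reflects the setting only: as the description says, it governs the hash stored at the next password change.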

Prevent access to drives from My Computer

 

Location

User Configuration\Administrative Templates\Windows Explorer

Note
Also see the "Hide these specified drives in My Computer" setting.

Recommended

High: Restrict all drives

Medium: Disabled

Low: Disabled

Description

This setting prevents users from using My Computer to gain access to the content of selected hard disk drives.

If you enable this setting, users can browse the directory structure of the selected drives in My Computer or Windows Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.

To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list.

Note
The icons that represent the specified drives still appear in My Computer, but if users double-click the icons, a message appears to explain that a setting prevents the action.

This setting does not prevent users from using programs to access local and network drives. It does not prevent them from using the Disk Management snap-in to view and change drive characteristics.
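Both "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer" store the selected drives as a bit mask, one bit per drive letter. The following PowerShell is an added example, not part of the original page: it encodes and decodes that mask and reports drives that are hidden but not access-restricted. It assumes the standard per-user registry values NoDrives and NoViewOnDrive stored as REG_DWORD; the function names are hypothetical.

```powershell
# Added example (not from the original page). Values are read for the
# current user only, because both policies are User Configuration settings.
$ExplorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrivesMask     = 0x03FFFFFF   # bits 0..25 set, A through Z ("Restrict all drives")

function ConvertTo-DriveMask {
    param([string[]]$DriveLetter)
    $mask = 0
    foreach ($letter in $DriveLetter) {
        if ($letter -notmatch '^[A-Za-z]$') { throw "Not a drive letter: '$letter'" }
        $bit  = ([int][char]($letter.ToUpper())) - 65     # A is bit 0, Z is bit 25
        $mask = $mask -bor [int]([math]::Pow(2, $bit))
    }
    return $mask
}

function ConvertFrom-DriveMask {
    param([int]$Mask)
    $letters = @()
    for ($bit = 0; $bit -lt 26; $bit++) {
        if ($Mask -band [int]([math]::Pow(2, $bit))) { $letters += [char](65 + $bit) }
    }
    return ($letters -join ',')
}

function Compare-DriveRestriction {
    param([int]$HiddenMask, [int]$BlockedMask)
    $hidden  = $HiddenMask  -band $AllDrivesMask
    $blocked = $BlockedMask -band $AllDrivesMask
    New-Object PSObject -Property @{
        Hidden     = (ConvertFrom-DriveMask $hidden)
        Blocked    = (ConvertFrom-DriveMask $blocked)
        # Icon removed, but the drive still opens when its path is typed.
        HiddenOnly = (ConvertFrom-DriveMask ($hidden -band (-bnot $blocked)))
        AllHidden  = ($hidden  -eq $AllDrivesMask)
        AllBlocked = ($blocked -eq $AllDrivesMask)
    }
}

function Get-DriveRestriction {
    # An absent value means the policy is disabled or not configured.
    $hidden = 0; $blocked = 0
    $props = Get-ItemProperty -Path $ExplorerPolicyKey -ErrorAction SilentlyContinue
    if ($props) {
        if ($props.PSObject.Properties['NoDrives'])      { $hidden  = $props.NoDrives }
        if ($props.PSObject.Properties['NoViewOnDrive']) { $blocked = $props.NoViewOnDrive }
    }
    Compare-DriveRestriction -HiddenMask $hidden -BlockedMask $blocked
}

# Constructed sample: C and D hidden, only D access-restricted.
$sampleHidden  = ConvertTo-DriveMask 'C','D'
$sampleBlocked = ConvertTo-DriveMask 'D'
Compare-DriveRestriction -HiddenMask $sampleHidden -BlockedMask $sampleBlocked | Format-List

# Live check of the current user's policy values.
Get-DriveRestriction | Format-List
```

Even when AllBlocked is true, both descriptions state that programs and the Disk Management snap-in can still reach the drives.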

Prevent access to registry editing tools

 

Location

User Configuration\Administrative Templates\System

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting disables the Windows registry editor Regedit.exe.

If this setting is enabled and the user tries to start a registry editor, a message appears to explain that a setting prevents the action.

To prevent users from using other administrative tools, use the "Run only specified Windows applications" setting.

Prevent access to the command prompt

 

Location

User Configuration\Administrative Templates\System

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting prevents users from running the interactive command prompt, Cmd.exe. This setting also determines whether batch files (.cmd and .bat) can run on the computer.

If you enable this setting and the user tries to open a Command Prompt window, the system displays a message to explain that a setting prevents the action.

Note
Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services.

Prevent adding, dragging, dropping and closing the Taskbar's toolbars

 

Location

User Configuration\Administrative Templates\Desktop

Note
Also see the "Prohibit adjusting desktop toolbars" setting.

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting prevents users from manipulating desktop toolbars.

If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars.

Note
If users have added or removed toolbars, this setting prevents them from restoring the default configuration.

Tip
To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar), and point to Toolbars.

Prevent addition of printers

 

Location

User Configuration\Administrative Templates\Control Panel\Printers

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting removes the Add Printer option from the Start menu. (To find the Add Printer option, click Start, click Printers, and then click Add Printer.) This setting also removes Add Printer from the Printers folder in Control Panel.

Users cannot add printers by dragging a printer icon into the Printers folder. If they try, a message appears to explain that the setting prevents the action.

However, this setting does not prevent users from using the Add Hardware Wizard to add a printer. Nor does it prevent users from running other programs to add printers.

This setting does not delete printers that users have already added. However, if users have not added a printer when this setting is applied, they cannot print.

Note
You can use printer permissions to restrict the use of printers without specifying a setting. In the Printers folder, right-click a printer, click Properties, and click the Security tab.

If this policy is disabled or not configured, users can add printers by using the methods described.

Prevent changes to Taskbar and Start Menu Settings

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting removes the Taskbar and Start Menu item from Settings on the Start Menu. This setting also prevents the user from opening the taskbar’s Properties dialog box.

If the user right-clicks the taskbar and clicks Properties, a message appears to explain that a setting prevents the action.

Prevent deletion of printers

 

Location

User Configuration\Administrative Templates\Control Panel\Printers

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting prevents users from deleting local and network printers.

If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears to explain that a setting prevents the action.

This setting does not prevent users from running other programs to delete a printer.

If this policy is disabled or not configured, users can delete printers by using the methods described.

Prohibit access to the Control Panel

 

Location

User Configuration\Administrative Templates\Control Panel

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting disables all Control Panel programs.

This setting prevents Control.exe (the program file for Control Panel) from starting. As a result, users cannot start Control Panel or adjust any Control Panel settings.

This setting also removes Control Panel from the Start Menu and removes the Control Panel folder from Windows Explorer.

If users try to select a Control Panel item from the Properties item on a context menu, a message appears to explain that a setting prevents the action.

Removable Disks: Deny write access

 

Location

Computer Configuration\Administrative Templates\System\Removable Storage Access

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This policy setting denies write access to removable storage devices.

If you enable this policy setting, write access will be denied to removable storage devices.

If you disable or do not configure this policy setting, write access will be allowed to removable storage devices.

Note
To require that users write data to storage that is protected with BitLocker™, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.

Remove "Map Network Drive" and "Disconnect Network Drive"

 

Location

User Configuration\Administrative Templates\Windows Explorer

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting prevents users from using Windows Explorer or Network Locations to map or disconnect network drives.

If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in Windows Explorer and Network Locations and from menus that appear when you right-click the Windows Explorer or Network Locations icons.

This setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box.

Note
This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives.

Note
Non-Microsoft applications that are certified with the Windows 2000, Windows XP, Windows Vista or Windows 7 operating systems must adhere to this setting.

Remove access to the context menus for the taskbar

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting hides the menus that appear when you right-click the taskbar and items on the taskbar, such as the Start button, the clock, and the taskbar buttons.

This setting does not prevent users from using other methods to issue the commands that appear in these menus.

Remove CD Burning features

 

Location

User Configuration\Administrative Templates\Windows Explorer

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

Windows Explorer allows you to create and modify writable CDs if you have a CD writer connected to your computer.

If you enable this setting, all features in Windows Explorer that allow you to use your CD writer are removed.

If you disable or do not configure this setting, users are able to use the Windows Explorer CD burning features.

Note
This setting does not prevent users from using non-Microsoft applications to create or modify CDs by using a CD writer.

Remove Change Password

 

Location

User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting prevents users from changing their Windows password on demand.

This setting disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del).

However, users are still able to change their password when prompted by the operating system. The system prompts users for a new password when an administrator requires a new password or when their password is expiring.

Remove common program groups from Start Menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes items in the All Users profile from the Programs menu on the Start Menu.

By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu.

Tip
To see the Program menu items in the All Users profile, on the hard disk drive that hosts the operating system, go to ProgramData\Microsoft\Windows\Start Menu\Programs.

Remove Default Programs link from the Start menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Default Programs link from the Start Menu.

Clicking the Default Programs link from the Start Menu opens the Default Programs control panel and allows you to specify default programs for certain activities, such as Web browsing or sending email. It also allows you to determine which programs are accessible from the Start Menu, desktop, and other locations.

Note
This setting does not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel.

Remove Documents icon from Start Menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Documents icon from the Start Menu and its submenus.

This setting removes only the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder.

Note
To make the changes to this setting effective, you must log off and then log on.

Remove drag-and-drop and context menus on the Start menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Note
Also see the "Prevent changes to Taskbar and Start menu Settings" and the "Remove access to the context menus for taskbar" settings.

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting prevents users from using the drag-and-drop method to reorder or remove items on the Start menu. Also, it removes context menus from the Start menu.

If you disable this setting or do not configure it, users can remove or reorder Start menu items by dragging and dropping the item. Users can display context menus by right-clicking a Start menu item.

This setting does not prevent users from using other methods to customize the Start menu or perform the tasks that are available from the context menus.

Remove Favorites menu from Start menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting prevents users from adding the Favorites menu to the Start menu or classic Start menu.

If you enable this setting, the Display Favorites item does not appear in the Advanced Start Menu options box.

If you disable or do not configure this setting, the Display Favorites item is available.

Note
The Favorites menu does not appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and click Customize.

If you are using the Start menu, click the Advanced tab, and then under Start Menu Items, click Favorites.

If you are using the classic Start menu, under Advanced Start Menu Options, click Display Favorites.

Note
The items that appear in the Favorites menu when you install Windows are preconfigured by the operating system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group.

Note
This setting affects only the Start menu. The Favorites menu still appears in Windows Explorer and in Internet Explorer.

Remove frequent programs list from the Start menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

If you enable this setting, the frequently used programs list is removed from the Start menu.

If you disable this setting or do not configure it, the frequently used programs list remains on the simple Start menu.

Remove Help menu from Start menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting removes the Help and Support option from the Start menu.

This setting affects only the Start menu. It does not remove Help and Support from Windows Explorer, and it does not prevent users from running Help and Support.

Remove links and access to Windows Update

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Note
Also see the "Hide the ‘Add programs from Microsoft’ option" setting.

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting prevents users from connecting to the Windows Update website.

This setting blocks user access to the Windows Update website at http://windowsupdate.microsoft.com. Also, the setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer.

Windows Update, the online extension of Windows, offers software updates to keep a user’s system up-to-date. The Windows Update Product Catalog determines operating system files, security fixes, and Microsoft updates that users need to update, and it shows the newest versions that are available to download.

Remove Lock Computer

 

Location

User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting prevents users from locking the computer.

When the computer is locked, the desktop is hidden and the system cannot be used. Only the user who locked the computer or the system administrator can unlock it.

Tip
To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and click Lock Computer.

Remove Music icon from Start menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Music icon from the Start menu.

Remove My Documents icon on the desktop

 

Location

User Configuration\Administrative Templates\Desktop

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the My Documents icon from the desktop, from Windows Explorer, from programs that use the Windows Explorer windows, and from the standard Open dialog box.

This setting does not prevent the user from using other methods to gain access to the contents of the My Documents folder.

This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remove Documents icon from Start Menu" setting.

Note
To make changes to this setting effective, you must log off and then log on.

Remove Network Connections from Start menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Note
Also see the "Disable programs on Settings menu" and "Disable Control Panel" settings and the settings in the Network Connections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections).

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting prevents users from running Network Connections. This setting prevents the Network Connections folder from opening. This setting also removes Network Connections from Settings on the Start menu.

Network Connections still appears in Control Panel and in Windows Explorer, but if users try to start it, a message appears to explain that a setting prevents the action.

Remove Network icon from Start menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Network icon from the Start menu.

Remove Pictures icon from Start menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Pictures icon from the Start menu.

Remove programs on Settings menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Note
Also see the "Disable Control Panel," "Disable Display in Control Panel," and "Remove Network Connections from Start menu" settings.

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting prevents Control Panel, Printers, and Network Connections from running.

This setting removes the Control Panel, Printers, and Network Connections folders from Start menu, Computer, and Windows Explorer settings. It also prevents the programs represented by these folders (such as Control.exe) from running.

However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking Computer to start System.

Remove Recent Items menu from Start menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Recent Items menu from the Start menu, and it removes the Documents menu from the classic Start menu.

The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents.

If you enable this setting, the operating system saves document shortcuts, but it does not display the Recent Items menu in the Start menu, and users cannot turn on the menu.

If you later disable the setting so that the Recent Items menu appears in the Start menu, the document shortcuts that were saved before the setting was enabled and while it was in effect appear in the Recent Items menu. When the setting is disabled, the Recent Items menu appears in the Start menu, and users cannot remove it.

If the setting is not configured, users can turn the Recent Items menu on and off.

Note
This setting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recently opened documents" setting.

This setting also does not hide document shortcuts that are displayed in the Open dialog box. See the "Hide the drop-down list of recent files" setting.

Remove Recycle Bin icon from desktop

 

Location

User Configuration\Administrative Templates\Desktop

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting removes the Recycle Bin icon from the desktop, from Windows Explorer, from programs that use the Windows Explorer windows, and from the standard Open dialog box.

This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder.

Note
To make changes to this setting effective, you must log off and then log on.

Remove Run menu from Start menu

 

Location

User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager.

If you enable this setting, the following changes occur:

  • The Run command is removed from the Start menu.

  • The New Task (Run) command is removed from Task Manager.

  • The user will be blocked from performing the following tasks in the Internet Explorer address bar:

    • Entering a UNC path:

      \\<server>\<share>

    • Accessing local drives (for example, drive C)

    • Accessing local folders (for example, \temp)

Also, users with extended keyboards can no longer display the Run dialog box by pressing the Application key (the key with the Windows logo) + R.

If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer address bar.

Note
This setting affects the specified interface only. It does not prevent users from using other methods to run programs.

Note
Non-Microsoft applications that are certified with the Windows 2000, Windows XP, Windows Vista or Windows 7 operating systems must adhere to this setting.

Remove Task Manager

 

Location

User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting prevents users from starting Task Manager (Taskmgr.exe).

If this setting is enabled and users try to start Task Manager, a message appears to explain that a setting prevents the action.

Task Manager lets users start and stop programs; monitor the performance of their computers; view and monitor all programs running on their computers, including system services; find the executable names of programs; and change the priority of the process in which programs run.

Remove Windows Explorer's default context menu

 

Location

User Configuration\Administrative Templates\Windows Explorer

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting removes shortcut menus from the desktop and Windows Explorer. Shortcut menus appear when you right-click an item in Windows Explorer.

If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in Windows Explorer. This setting does not prevent users from using other methods to issue commands that are available on the shortcut menus.

Removes the Folder Options menu item from the Tools menu

 

Location

User Configuration\Administrative Templates\Windows Explorer

Note
Also see the "Enable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop and the "Prohibit user configuration of Offline Files" setting in User Configuration\Administrative Templates\Network\Offline Files.

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting removes the Folder Options item from all Windows Explorer menus and removes the Folder Options item from Control Panel. As a result, users cannot use the Folder Options dialog box.

Note
The Folder Options dialog box lets users set many properties of Windows Explorer, such as Active Desktop, Web view, Offline Files, hidden system files, and file types.

Restrict users to the explicitly permitted list of snap-ins

 

Location

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins.

If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit the use of most snap-ins.

To explicitly permit a snap-in, open the Restricted/Permitted snap-ins folder and enable the settings that represent the snap-in you want to permit. If a snap-in setting in the folder is disabled or not configured, the snap-in is prohibited.

If you disable this setting or do not configure it, all snap-ins are permitted, except those that you explicitly prohibit. Use this setting if you plan to permit the use of most snap-ins.

To explicitly prohibit a snap-in, open the Restricted/Permitted snap-ins folder and disable the settings that represent the snap-ins you want to prohibit. If a snap-in setting in the folder is enabled or not configured, the snap-in is permitted.

When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in the MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.

Note
If you enable this setting, and you do not enable any settings in the Restricted/Permitted snap-ins folder, users cannot use any MMC snap-ins.
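
The two modes described above (allow-list when the setting is enabled, deny-list when it is disabled or not configured) can be modelled as follows. This is an added example, not Microsoft code; the snap-in names and the sample configuration are constructed for illustration, and the function names are hypothetical.

```python
from enum import Enum


class State(Enum):
    ENABLED = "Enabled"
    DISABLED = "Disabled"
    NOT_CONFIGURED = "Not configured"


def snap_in_permitted(restrict: State, snap_in: State) -> bool:
    """Decide whether one snap-in may be used.

    restrict: state of "Restrict users to the explicitly permitted list of snap-ins".
    snap_in:  state of that snap-in's own setting in the
              Restricted/Permitted snap-ins folder.
    """
    if restrict is State.ENABLED:
        # Allow-list mode: disabled or not-configured snap-ins are prohibited.
        return snap_in is State.ENABLED
    # Deny-list mode (restrict disabled or not configured):
    # enabled or not-configured snap-ins are permitted.
    return snap_in is not State.DISABLED


def evaluate_console(restrict, per_snap_in, console_snap_ins):
    """Evaluate a console file that references several snap-ins.

    Returns a dict with:
      visible  - snap-ins that appear when the console file is opened
      hidden   - prohibited snap-ins (the console opens, they do not appear)
      implicit - visible snap-ins that are permitted only because their
                 setting was left not configured (deny-list mode)
    """
    result = {"visible": [], "hidden": [], "implicit": []}
    for name in console_snap_ins:
        state = per_snap_in.get(name, State.NOT_CONFIGURED)
        if snap_in_permitted(restrict, state):
            result["visible"].append(name)
            if state is State.NOT_CONFIGURED:
                result["implicit"].append(name)
        else:
            result["hidden"].append(name)
    return result


def no_snap_ins_usable(restrict, per_snap_in):
    """True for the case in the note: restriction enabled, nothing permitted."""
    return restrict is State.ENABLED and not any(
        s is State.ENABLED for s in per_snap_in.values()
    )


# Constructed sample: two snap-ins configured, one left untouched.
SAMPLE_SETTINGS = {
    "Event Viewer": State.ENABLED,
    "Device Manager": State.DISABLED,
}
SAMPLE_CONSOLE = ["Event Viewer", "Device Manager", "Services"]

if __name__ == "__main__":
    for mode in State:
        outcome = evaluate_console(mode, SAMPLE_SETTINGS, SAMPLE_CONSOLE)
        print(f"{mode.value:>14}: {outcome}")
```

The `implicit` list is the part to review on a shared computer: in deny-list mode, every snap-in nobody configured stays available.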

Search: Disable Find Files via F3 within the browser

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This setting disables using the F3 key to search in Internet Explorer and Windows Explorer.

If you enable this policy, the search functionality of the F3 key is disabled. Users cannot press F3 to search the Internet (from Internet Explorer) or to search the hard disk drive (from Windows Explorer). If the user presses F3, a message appears to explain that this feature has been disabled.

If you disable this policy or do not configure it, users can press F3 to search the Internet (from Internet Explorer) or the hard disk drive (from Windows Explorer).

This policy is intended for situations in which administrators do not want users to explore the Internet or the hard disk drive.

This policy can be used in coordination with the "File Menu: Disable Open menu option" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser Menus), which prevents users from opening files by using the browser.

Shutdown: Allow system to be shut down without having to log on

 

Location

Computer Configuration\Windows Settings\Local Policies\Security Options

Recommended

Disabled

Default on workstations: Enabled.

Default on servers: Disabled.

Description

This security setting determines whether a computer can be shut down without having to log on to Windows.

When this policy is enabled, the Shut Down command is available on the Windows logon screen.

When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the “Shut down the system” user right before they can perform a system shutdown.

Tools menu: Disable Internet Options... menu option

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

Note
Also, see policies for Internet options in the \Administrative Templates\Windows Components\Internet Explorer and in \Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel folders.

Recommended

High: Enabled

Medium: Enabled

Low: Enabled

Description

This setting prevents users from opening the Internet Options dialog box from the Tools menu in Internet Explorer.

If you enable this policy, users cannot change their Internet options, such as the default home page, cache size, and connection and proxy settings, from the Tools menu in the browser. When users click the Internet Options command on the Tools menu, an error message appears to explain that a setting prevents the action.

If you disable this policy or do not configure it, users can change their Internet settings from the browser’s Tools menu.

Caution
This policy does not prevent users from viewing and changing Internet settings by clicking the Internet Options icon in Control Panel.

Turn off AutoPlay

 

Location

User Configuration\Administrative Templates\Windows Components\AutoPlay Policies

Recommended

High: All Drives

Medium: Disabled

Low: Disabled

Description

This setting turns off the AutoPlay feature.

AutoPlay begins reading from a drive as soon as you insert media in the drive. As a result, the setup files of programs and the music on audio media start immediately.

Prior to Windows XP SP2, AutoPlay is disabled by default on removable storage devices, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.

Starting with Windows XP SP2, AutoPlay is enabled for removable storage devices, including ZIP drives and some USB mass storage devices.

If you enable this setting, you can disable AutoPlay on CD-ROM and removable media drives, or disable AutoPlay on all drives.

This setting disables AutoPlay on additional types of drives. You cannot use this setting to enable AutoPlay on drives on which it is disabled by default.

Note
This setting appears in both the Computer Configuration and User Configuration folders. If the settings conflict, the setting in Computer Configuration takes precedence over the setting in User Configuration.

Turn off displaying the Internet Explorer Help menu

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This policy setting allows you to turn off the Help menu in Internet Explorer.

If you enable this policy setting, users will not be able to use the Internet Explorer Help.

The Help icon will be removed from the command bar, and the Help menu in the menu bar will not be functional. The use of the shortcut key F1 for Help will be restricted.

If you disable or do not configure this policy setting, the Help menu in Internet Explorer will be available to users and they can also use F1 to access Help.

Turn off feed and Web Slices discovery

 

Location

User Configuration\Administrative Templates\Windows Components\RSS Feeds

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This policy setting prevents users from having Internet Explorer automatically detect whether a feed or Web Slice is available for an associated webpage.

If you enable this policy setting, users will not receive a notification on the toolbar that a feed or Web Slice is available.

If you disable or do not configure this policy setting, users can see when a feed or Web Slice is available, and click the Feed Discovery button.

Turn off Print menu

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This policy setting allows you to manage whether users can access the Print menu.

If you enable this policy setting, the Print menu in Internet Explorer will not be available.

If you disable or do not configure this policy setting, the Print menu in Internet Explorer will be available.

Section Heading

 

Location

User Configuration\Administrative Templates\Windows Components\RSS Feeds

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This policy setting prevents users from using Internet Explorer as a feed reader. This setting has no impact on the Windows RSS Platform.

If you enable this policy setting, the user cannot access the Feeds list located in the Favorites center.

If you disable or do not configure this policy setting, users can access the Feeds list in the Favorites center.

Turn off Windows+X hotkeys

 

Location

User Configuration\Administrative Templates\Windows Explorer

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting disables the Windows+X hotkeys.

Keyboards with a Windows key provide users with shortcuts to common features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts Windows Explorer.

If you enable this setting, the Windows+X shortcut keys are unavailable.

If you disable or do not configure this setting, the Windows+X shortcut keys are available.

Turn on the auto-complete feature for user names and passwords on forms

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer

Recommended

High: Enabled

Medium: Enabled

Low: Disabled

Description

This AutoComplete feature can remember and suggest user names and passwords on forms.

If you enable this setting, users cannot change text in "User name and passwords on forms" or "Prompt me to save passwords." The AutoComplete feature for “User names and passwords on forms” will be turned on. You have to decide whether to select "Prompt me to save passwords."

If you disable this setting, the user cannot change text in "User name and passwords on forms" or "Prompt me to save passwords." The AutoComplete feature for “User names and passwords on forms” is turned off. The user also cannot opt to be prompted to save passwords.

If you do not configure this setting, the user has the freedom of turning on AutoComplete for “User names and passwords on forms” and the option of prompting to save passwords. To display this option, users can open Internet Options, click the Contents tab, and then click Settings.

View menu: Disable Full Screen menu option

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting prevents users from displaying the browser in full-screen (kiosk) mode, without the standard toolbar.

If you enable this policy, the Full Screen command on the View menu will appear unavailable, and pressing F11 will not display the browser in a full screen.

If you disable this policy or do not configure it, users can display the browser in full-screen mode.

This policy is intended to prevent users from displaying the browser without toolbars, which might be confusing for some beginner users.

View menu: Disable Source menu option

 

Location

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

Recommended

High: Enabled

Medium: Disabled

Low: Disabled

Description

This setting prevents users from viewing the HTML source of webpages by clicking the Source command on the View menu.

If you enable this policy, the Source command on the View menu will appear unavailable.

If you disable this policy or do not configure it, users can view the HTML source of webpages from the View menu in a browser.

Caution
This policy does not prevent users from viewing the HTML source of a webpage by right-clicking a webpage to open the shortcut menu, and then clicking View Source. To prevent users from viewing the HTML source of a webpage from the shortcut menu, set the "Disable context menu" policy, which disables the entire shortcut menu.
