.png)
Group Policy Settings
Aggiornamento: settembre 2010
Si applica a: Windows 7
This section describes each of the Group Policy settings that are listed in the section Windows SteadyState. For each Group Policy setting, this section lists the location within the Group Policy Editor, the recommended values, and a description of the policy.
Windows SteadyState defines three security levels—High, Medium, and Low. These security levels provide a shortcut for configuring the many settings that it exposed. For example, clicking the High security level might enable a setting, whereas clicking the Medium or Low security level would disable the setting. The recommendations for most of the Group Policy settings represented in this section are based on Windows SteadyState security levels.
Add Logoff to the Start Menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||
|
Description |
This policy setting applies only to the classic version of the Start Menu, and it does not affect the new style Start Menu. This setting adds the Log Off <username> item to the Start Menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off <username> item from the Start Menu. If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item. This setting affects the Start Menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del. Ctrl+Alt+Del.
|
Nota Always open All Control Panel Items when opening Control Panel
|
Location |
User Configuration\Administrative Templates\Control Panel |
|
Recommended |
High: Disabled Medium: Disabled Low: Disabled |
|
Description |
This policy sets All Control Panel Items as the default Control Panel view. If the policy is disabled, Control Panel Home is the default view. |
Disable AutoComplete for forms
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer |
|
Recommended |
High: Enabled Medium: Enabled Low: Disabled |
|
Description |
The AutoComplete feature suggests possible matches when users are filling in forms. If you enable this setting, the user does not receive suggested matches when filling in forms. The user cannot change this setting. If you disable this setting, the user receives suggested matches when filling in forms. If you do not configure this setting, the user has the freedom to turn on the AutoComplete feature for forms. To display this option, users can open the Internet Options dialog box, click the Contents tab, and then click Settings. |
Disable changing home page settings
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer |
|
Recommended |
http://www.bing.com/ |
|
Description |
The home page that is specified on the General tab of the Internet Options dialog box is the default webpage that Internet Explorer® loads whenever it is run. If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the users’ computers. For computers that are Internet Explorer 7 or Internet Explorer 8, the home page can be set within this policy to override other home page policies. If you disable or do not configure this policy setting, the home page box is enabled and users can choose their own home page. |
Disable Context menu
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus |
|
Recommended |
High: Disabled Medium: Disabled Low: Disabled |
|
Description |
This setting prevents the shortcut menu from appearing when users click the right mouse button while using the browser. If you enable this policy, the shortcut menu will not appear when users point to a webpage, and then click the right mouse button. If you disable this policy or do not configure it, users can use the shortcut menu. You can use this policy to ensure that users do not use the shortcut menu as an alternate method of running commands that have been removed from other parts of the interface. |
Disable customizing browser toolbar buttons
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Toolbars |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
This policy prevents users from determining which buttons appear on the Internet Explorer and Windows Explorer standard toolbars. The buttons that appear on the toolbar can be customized with the Customize option. This is present on the Toolbars submenu of the View menu in Internet Explorer 6 and under the Toolbars submenu on the Tools menu in the Command bar in Internet Explorer 7 and Internet Explorer 8. If you enable this policy, the Customize option will be removed from the menu. If you disable this policy or do not configure it, users can customize which buttons appear on the Internet Explorer and Windows Explorer toolbars. This policy can be used in coordination with the "Disable customizing browser toolbars" policy, which prevents users from determining which toolbars are displayed in Internet Explorer and Windows Explorer. |
Disable customizing browser toolbars
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Toolbars |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
This setting prevents users from determining which toolbars are displayed in Internet Explorer and Windows Explorer. If you enable this policy, the list of toolbars, which users can display by clicking the View menu and pointing to Toolbars, will appear unavailable. If you disable this policy or do not configure it, users can determine which toolbars are displayed in Internet Explorer and Windows Explorer. This policy can be used in coordination with the "Disable customizing browser toolbar buttons" policy, which prevents users from adding or removing toolbars from Internet Explorer. |
Disable the Advanced page
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel |
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
|
Description |
This setting removes the Advanced tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented from seeing and changing advanced Internet settings, such as security, multimedia, and printing. If you disable this policy or do not configure it, users can see and change these settings. When you set this policy, you do not need to set the "Disable changing Advanced page settings" policy (located in \User Configuration\Administrative Templates\Administrative Templates\Windows Components\Internet Explorer), because this policy removes the Advanced tab from the interface. |
Disable the Connections page
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel |
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
|
Description |
This policy setting removes the Connections tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented from seeing and changing connection and proxy settings. If you disable this policy or do not configure it, users can see and change these settings. When you set this policy, you do not need to set the following policies for the Connections tab, because this policy removes the Connections tab from the interface:
|
Disable the Content page
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
If you enable this policy setting, users are prevented from seeing and changing ratings, certificates, AutoComplete, Wallet, and Profile Assistant settings. If you disable this policy or do not configure it, users can see and change these settings. |
Disable the General page
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
This setting removes the General tab from the interface in the Internet Options dialog box. If you enable this policy, users are unable to see and change settings for the home page, the cache, history, webpage appearance, and accessibility. If you disable this policy or do not configure it, users can see and change these settings. When you set this policy, you do not need to set the following Internet Explorer policies (located in \User Configuration\Administrative Templates\Administrative Templates\Windows Components\Internet Explorer), because this policy removes the General tab from the interface:
|
Disable the Privacy page
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel |
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
|
Description |
This setting removes the Privacy tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented from seeing and changing default settings for privacy. If you disable this policy or do not configure it, users can see and change these settings. |
Disable the Programs page
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel |
|
Recommended |
High: Enabled Medium: Enabled Low: Disabled |
|
Description |
This setting removes the Programs tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented from seeing and changing default settings for Internet programs. If you disable this policy or do not configure it, users can see and change these settings. When you set this policy, you do not need to set the following policies for the Programs tab, because this policy removes the Programs tab from the interface:
|
Disable the Security page
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel |
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
|
Description |
This setting removes the Security tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented from seeing and changing settings for security zones such as scripting, downloads, and user authentication. If you disable this policy or do not configure it, users can see and change these settings. When you set this policy, you do not need to set the following Internet Explorer policies, because this policy removes the Security tab from the interface:
|
Do not keep history of recently opened documents
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar
|
||||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||||
|
Description |
This setting prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents. If you enable this setting, the operating system and Windows programs do not create shortcuts to documents that are opened while the setting is in effect. Also, they retain but do not display existing document shortcuts. The operating system empties the Recent Items menu on the Start menu, and Windows programs do not display shortcuts at the bottom of the File menu. In addition, the submenus for programs in the Start menu and Taskbar do not show lists of recently or frequently used files, folders, or websites. If you disable or do not configure this setting, the system will store and display shortcuts to recently and frequently used files, folders, and websites.
If you enable this setting, but you do not enable the "Remove Recent Items menu from Start menu" setting, the Recent Items menu appears on the Start menu, but it is empty. If you enable this setting, but then you later disable it or set it to Not Configured, the document shortcuts that saved before the setting was enabled appear in the Recent Items menu, program File menus, and submenus. This setting does not hide or prevent the user from pinning files, folders, or websites to the Jump Lists. See the "Do not allow pinning items in Jump Lists" setting. This policy also does not hide tasks that the application has provided for their Jump List. This setting does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting.
|
Do not move deleted files to the Recycle Bin
|
Location |
User Configuration\Administrative Templates\Windows Explorer |
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
|
Description |
When a file or folder is deleted in Windows Explorer, a copy of the file or folder is placed in the Recycle Bin. You can use this setting to change that behavior. If you enable this setting, files and folders that are deleted by using Windows Explorer will not be placed in the Recycle Bin and therefore will be permanently deleted. If you disable or do not configure this setting, files and folders that are deleted by using Windows Explorer will be placed in the Recycle Bin. |
Empty Temporary Internet Files folder when browser is closed
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
|
Description |
This policy setting allows you to manage whether Internet Explorer deletes the contents of the Temporary Internet Files folder after all browser windows are closed. This protects against storing dangerous files on the computer or storing sensitive files that other users could see, in addition to managing total disk space usage. If you enable this policy setting, Internet Explorer will delete the contents of the user's Temporary Internet Files folder when all browser windows are closed. If you disable this policy setting, Internet Explorer will not delete the contents of the user's Temporary Internet Files folder when browser windows are closed. If you do not configure this policy, Internet Explorer will not delete the contents of the Temporary Internet Files folder when browser windows are closed. |
File menu: Disable New menu option
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus |
||||
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
||||
|
Description |
This setting prevents users from opening a new browser window from the File menu. If this policy is enabled, users cannot open a new browser window by clicking the File menu, pointing to the New menu, and clicking Window. The user interface is not changed, but a new window will not open, and the users will be informed that the command is not available. If you disable this policy or do not configure it, users can open a new browser window from the File menu.
|
Attenzione Force classic Start menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
|
Description |
This setting affects the presentation of the Start menu. The classic Start menu in Windows 2000 Professional allows users to begin common tasks, whereas the new Start menu consolidates common items onto one menu. When the classic Start Menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly. If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons. If you disable this setting, the Start menu opens in the new style, and the desktop icons appear on the Start page. If you do not configure this setting, the default is the new style, and the user can change the view. |
Hide Favorites menu
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus |
||
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
||
|
Description |
This policy setting prevents users from adding, removing, editing, or viewing the list of Favorite links. The Favorites list is a way to store popular links for future use. If you enable this policy, the Favorites menu is removed from the interface, and the Favorites button on the browser toolbar appears unavailable. The Add to Favorites command on the shortcut menu is disabled, and when users click it, they are informed that the command is unavailable. If you disable this policy or do not configure it, users can manage their Favorites list.
|
Hide Network Locations icon on desktop
|
Location |
User Configuration\Administrative Templates\Desktop |
||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||
|
Description |
This policy setting removes the Network Locations icon from the desktop. This setting affects only the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network.
|
Hide the notification area
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
||
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
||
|
Description |
This setting affects the notification area (previously called the "system tray") on the taskbar. The notification area is located on the far right side of the task bar, and it includes the icons for current notifications and the clock. If this setting is enabled, the user’s entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the clock. If this setting is disabled or is not configured, the notification area is shown in the user's taskbar.
|
Hide these specified drives in My Computer
|
Location |
User Configuration\Administrative Templates\Windows Explorer
|
||||
|
Recommended |
High: Restrict all drives Medium: Disabled Low: Disabled |
||||
|
Description |
This setting removes the icons that represent selected hard disk drives from My Computer and Windows Explorer. Also, the letters that represent the selected drives do not appear in the standard Open dialog box. To use this setting, select a drive or combination of drives in the drop-down list. To display all drives, disable this setting or select the "Do not restrict drives" option in the drop-down list.
This setting does not prevent users from using programs to access these drives or their contents. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
|
Interactive logon: Do not display last user name
|
Location |
Computer Configuration\Windows Settings\Local Policies\Security Options |
|
Recommended |
Enabled Default: Disabled |
|
Description |
This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen. If this policy is enabled, the name of the last user to successfully log on is not displayed in the logon screen. If this policy is disabled, the name of the last user to log on is displayed. |
Lock the Taskbar
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
||
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
||
|
Description |
This setting affects the taskbar, which is used to switch between running applications. The taskbar includes the Start button, the list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it is locked, it cannot be moved or resized. If you enable this setting, users cannot move or resize the taskbar. When the taskbar is locked, auto-hide and other taskbar options are still available in the taskbar’s properties. If you disable this setting or do not configure it, users can configure the taskbar position.
|
Network access: Do not allow storage of credentials or .NET Passports for network authentication
|
Location |
Computer Configuration\Windows Settings\Local Policies\Security Options |
||
|
Recommended |
Enabled Default: Disabled |
||
|
Description |
This security setting determines whether Stored User Names and Passwords saves passwords, credentials, or .NET Passports for later use when it gains domain authentication. If it is enabled, this setting prevents the Stored User Names and Passwords from storing passwords and credentials.
|
Network security: Do not store LAN Manager hash value on next password change
|
Location |
Computer Configuration\Windows Settings\Local Policies\Security Options |
||
|
Recommended |
Enabled Default on Windows Vista: Enabled Default on Windows XP: Disabled. |
||
|
Description |
This security setting determines if, at the next password change, the LAN Manager hash value for the new password is stored. The LAN Manager hash value is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT® hash value. Because the LAN Manager hash value is stored on the local computer in the security database, passwords can be compromised if the security database is attacked.
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and Windows Server 2003 to communicate with computers running Windows 95 and Windows 98. |
Prevent access to drives from My Computer
|
Location |
User Configuration\Administrative Templates\Windows Explorer
|
||
|
Recommended |
High: Restrict all drives Medium: Disabled Low: Disabled |
||
|
Description |
This setting prevents users from using My Computer to gain access to the content of selected hard disk drives. If you enable this setting, users can browse the directory structure of the selected drives in My Computer or Windows Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list.
This setting does not prevent users from using programs to access local and network drives. It does not prevent them from using the Disk Management snap-in to view and change drive characteristics. |
Prevent access to registry editing tools
|
Location |
User Configuration\Administrative Templates\System |
|
Recommended |
High: Enabled Medium: Enabled Low: Disabled |
|
Description |
This setting disables the Windows registry editor Regedit.exe. If this setting is enabled and the user tries to start a registry editor, a message appears to explain that a setting prevents the action. To prevent users from using other administrative tools, use the "Run only specified Windows applications" setting. |
Prevent access to the command prompt
|
Location |
User Configuration\Administrative Templates\System |
||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||
|
Description |
This setting prevents users from running the interactive command prompt, Cmd.exe. This setting also determines whether batch files (.cmd and .bat) can run on the computer. If you enable this setting and the user tries to open a Command Prompt window, the system displays a message to explain that a setting prevents the action.
|
Prevent adding, dragging, dropping and closing the Taskbar's toolbars
|
Location |
User Configuration\Administrative Templates\Desktop
|
||||
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
||||
|
Description |
This setting prevents users from manipulating desktop toolbars. If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars.
|
Suggerimento Prevent addition of printers
|
Location |
User Configuration\Administrative Templates\Control Panel\Printers |
||
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
||
|
Description |
This setting removes the Add Printer option from the Start menu. (To find the Add Printer option, click Start, click Printers, and then click Add Printer.) This setting also removes Add Printer from the Printers folder in Control Panel. Users cannot add printers by dragging a printer icon into the Printers folder. If they try, a message appears to explain that the setting prevents the action. However, this setting does not prevent users from using the Add Hardware Wizard to add a printer. Nor does it prevent users from running other programs to add printers. This setting does not delete printers that users have already added. However, if users have not added a printer when this setting is applied, they cannot print.
If this policy is disabled or not configured, users can add printers by using the methods described. |
Prevent changes to Taskbar and Start Menu Settings
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
This setting removes the Taskbar and Start Menu item from Settings on the Start Menu. This setting also prevents the user from opening the taskbar’s Properties dialog box. If the user right-clicks the taskbar and clicks Properties, a message appears to explain that a setting prevents the action. |
Prevent deletion of printers
|
Location |
User Configuration\Administrative Templates\Control Panel\Printers |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
This setting prevents users from deleting local and network printers. If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears to explain that a setting prevents the action. This setting does not prevent users from running other programs to delete a printer. If this policy is disabled or not configured, users can delete printers by using the methods described. |
Prohibit access to the Control Panel
|
Location |
User Configuration\Administrative Templates\Control Panel |
|
Recommended |
High: Enabled Medium: Enabled Low: Disabled |
|
Description |
This setting disables all Control Panel programs. This setting prevents Control.exe (the program file for Control Panel) from starting. As a result, users cannot start Control Panel or adjust any Control Panel settings. This setting also removes Control Panel from the Start Menu and removes the Control Panel folder from Windows Explorer. If users try to select a Control Panel item from the Properties item on a context menu, a message appears to explain that a setting prevents the action. |
Removable Disks: Deny write access
|
Location |
Computer Configuration\Administrative Templates\System\Removable Storage Access |
||
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
||
|
Description |
This policy setting denies write access to removable storage devices. If you enable this policy setting, write access will be denied to removable storage devices. If you disable or do not configure this policy setting, write access will be allowed to removable storage devices.
|
Remove "Map Network Drive" and "Disconnect Network Drive"
|
Location |
User Configuration\Administrative Templates\Windows Explorer |
||||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||||
|
Description |
This setting prevents users from using Windows Explorer or Network Locations to map or disconnect network drives. If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in Windows Explorer and Network Locations and from menus that appear when you right-click the Windows Explorer or Network Locations icons. This setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box.
|
Remove access to the context menus for the taskbar
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
This setting hides the menus that appear when you right-click the taskbar and items on the taskbar, such as the Start button, the clock, and the taskbar buttons. This setting does not prevent users from using other methods to issue the commands that appear in these menus. |
Remove CD Burning features
|
Location |
User Configuration\Administrative Templates\Windows Explorer |
||
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
||
|
Description |
Windows Explorer allows you to create and modify writable CDs if you have a CD writer connected to your computer. If you enable this setting, all features in Windows Explorer that allow you to use your CD writer are removed. If you disable or do not configure this setting, users are able to use the Windows Explorer CD burning features.
|
Remove Change Password
|
Location |
User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options |
|
Recommended |
High: Enabled Medium: Enabled Low: Disabled |
|
Description |
This setting prevents users from changing their Windows password on demand. This setting disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del). However, users are still able to change their password when prompted by the operating system. The system prompts users for a new password when an administrator requires a new password or when their password is expiring. |
Remove common program groups from Start Menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||
|
Description |
This setting removes items in the All Users profile from the Programs menu on the Start Menu. By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu.
|
Remove Default Programs link from the Start menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||
|
Description |
This setting removes the Default Programs link from the Start Menu. Clicking the Default Programs link from the Start Menu opens the Default Programs control panel and allows you to specify default programs for certain activities, such as Web browsing or sending email. It also allows you to determine which programs are accessible from the Start Menu, desktop, and other locations.
|
Remove Documents icon from Start Menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||
|
Description |
This setting removes the Documents icon from the Start Menu and its submenus. This setting removes only the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder.
|
Remove drag-and-drop and context menus on the Start menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar
|
||
|
Recommended |
High: Enabled Medium: Enabled Low: Disabled |
||
|
Description |
This setting prevents users from using the drag-and-drop method to reorder or remove items on the Start menu. Also, it removes context menus from the Start menu. If you disable this setting or do not configure it, users can remove or reorder Start menu items by dragging and dropping the item. Users can display context menus by right-clicking a Start menu item. This setting does not prevent users from using other methods to customize the Start menu or perform the tasks that are available from the context menus. |
Remove Favorites menu from Start menu
|
Location |
User Configuration\Administrative Templates\Start menu and Taskbar |
||||||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||||||
|
Description |
This setting prevents users from adding the Favorites menu to the Start menu or classic Start menu. If you enable this setting, the Display Favorites item does not appear in the Advanced Start Menu options box. If you disable or do not configure this setting, the Display Favorites item is available.
|
Remove frequent programs list from the Start menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
|
Description |
If you enable this setting, the frequently used programs list is removed from the Start menu. If you disable this setting or do not configure it, the frequently used programs list remains on the simple Start menu. |
Remove Help menu from Start menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
This setting removes the Help and Support option from the Start menu. This setting affects only the Start menu. It does not remove Help and Support from Windows Explorer, and it does not prevent users from running Help and Support. |
Remove links and access to Windows Update
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar
|
||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||
|
Description |
This setting prevents users from connecting to the Windows Update website. This setting blocks user access to the Windows Update website at http://windowsupdate.microsoft.com. Also, the setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. Windows Update, the online extension of Windows, offers software updates to keep a user’s system up-to-date. The Windows Update Product Catalog determines operating system files, security fixes, and Microsoft updates that users need to update, and it shows the newest versions that are available to download. |
Remove Lock Computer
|
Location |
User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options |
||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||
|
Description |
This setting prevents users from locking the computer. When the computer is locked, the desktop is hidden and the system cannot be used. Only the user who locked the computer or the system administrator can unlock it.
|
Remove Music icon from Start menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
|
Description |
This setting removes the Music icon from the Start menu. |
Remove My Documents icon on the desktop
|
Location |
User Configuration\Administrative Templates\Desktop |
||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||
|
Description |
This setting removes the My Documents icon from the desktop, from Windows Explorer, from programs that use the Windows Explorer windows, and from the standard Open dialog box. This setting does not prevent the user from using other methods to gain access to the contents of the My Documents folder. This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remove Documents icon from Start Menu" setting.
|
Remove Network Connections from Start menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar
|
||
|
Recommended |
High: Enabled Medium: Enabled Low: Disabled |
||
|
Description |
This setting prevents users from running Network Connections.This setting prevents the Network Connections folder from opening. This setting also removes Network Connections from Settings on the Start menu. Network Connections still appears in Control Panel and in Windows Explorer, but if users try to start it, a message appears to explain that a setting prevents the action. |
Remove Network icon from Start menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
|
Description |
This setting removes the Network icon from the Start menu. |
Remove Pictures icon from Start menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
|
Description |
This setting removes the Pictures icon from the Start menu. |
Remove programs on Settings menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar
|
||
|
Recommended |
High: Enabled Medium: Enabled Low: Disabled |
||
|
Description |
This setting prevents Control Panel, Printers, and Network Connections from running. This setting removes the Control Panel, Printers, and Network and Connection folders from Start menu, Computer, and Windows Explorer settings. It also prevents the programs represented by these folders (such as Control.exe) from running. However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking Computer to start System. |
Remove Recent Items menu from Start menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||
|
Description |
This setting removes the Recent Items menu from the Start menu, and it removes the Documents menu from the classic Start menu. The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents. If you enable this setting, the operating system saves document shortcuts, but it does not display the Recent Items menu in the Start menu, and users cannot turn on the menu. If you later disable the setting so that the Recent Items menu appears in the Start menu, the document shortcuts that were saved before the setting was enabled and while it was in effect appear in the Recent Items menu.When the setting is disabled, the Recent Items menu appears in the Start menu, and users cannot remove it. If the setting is not configured, users can turn the Recent Items menu on and off.
|
Remove Recycle Bin icon from desktop
|
Location |
User Configuration\Administrative Templates\Desktop |
||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||
|
Description |
This setting removes the Recycle Bin icon from the desktop, from Windows Explorer, from programs that use the Windows Explorer windows, and from the standard Open dialog box. This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder.
|
Remove Run menu from Start menu
|
Location |
User Configuration\Administrative Templates\Start Menu and Taskbar |
||||
|
Recommended |
High: Enabled Medium: Enabled Low: Disabled |
||||
|
Description |
This setting allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. If you enable this setting, the following changes occur:
Also, users with extended keyboards can no longer display the Run dialog box by pressing the Application key (the key with the Windows logo) + R. If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer address bar.
|
Remove Task Manager
|
Location |
User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options |
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
|
Description |
This setting prevents users from starting Task Manager (Taskmgr.exe). If this setting is enabled and users try to start Task Manager, a message appears to explain that a setting prevents the action. Task Manager lets users start and stop programs; monitor the performance of their computers; view and monitor all programs running on their computers, including system services; find the executable names of programs; and change the priority of the process in which programs run. |
Remove Windows Explorer's default context menu
|
Location |
User Configuration\Administrative Templates\Windows Explorer |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
This setting removes shortcut menus from the desktop and Windows Explorer. Shortcut menus appear when you right-click an item in Windows Explorer. If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in Windows Explorer. This setting does not prevent users from using other methods to issue commands that are available on the shortcut menus. |
Removes the Folder Options menu item from the Tools menu
|
Location |
User Configuration\Administrative Templates\Windows Explorer
|
||
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
||
|
Description |
This setting removes the Folder Options item from all Windows Explorer menus and removes the Folder Options item from Control Panel. As a result, users cannot use the Folder Options dialog box.
|
Restrict users to the explicitly permitted list of snap-ins
|
Location |
User Configuration\Administrative Templates\Windows Components\Microsoft Management Console |
||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||
|
Description |
This setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit the use of most snap-ins. To explicitly permit a snap-in, open the Restricted/Permitted snap-ins folder and enable the settings that represent the snap-in you want to permit. If a snap-in setting in the folder is disabled or not configured, the snap-in is prohibited. If you disable this setting or do not configure it, all snap-ins are permitted, except those that you explicitly prohibit. Use this setting if you plan to permit the use of most snap-ins. To explicitly prohibit a snap-in, open the Restricted/Permitted snap-ins folder and disable the settings that represent the snap-ins you want to prohibit. If a snap-in setting in the folder is enabled or not configured, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in the MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
|
Search: Disable Find Files via F3 within the browser
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer |
|
Recommended |
High: Enabled Medium: Enabled Low: Disabled |
|
Description |
This setting disables using the F3 key to search in Internet Explorer and Windows Explorer. If you enable this policy, the search functionality of the F3 key is disabled. Users cannot press F3 to search the Internet (from Internet Explorer) or to search the hard disk drive (from Windows Explorer). If the user presses F3, a message appears to explain that this feature has been disabled. If you disable this policy or do not configure it, users can press F3 to search the Internet (from Internet Explorer) or the hard disk drive (from Windows Explorer). This policy is intended for situations in which administrators do not want users to explore the Internet or the hard disk drive. This policy can be used in coordination with the "File Menu: Disable Open menu option" policy (located in \User Configuration\Administrative Templates\Administrative Templates\Windows Components\Internet Explorer\Browser Menus), which prevents users from opening files by using the browser. |
Shutdown: Allow system to be shut down without having to log on
|
Location |
Computer Configuration\Windows Settings\Local Policies\Security Options |
|
Recommended |
Disabled Default on workstations: Enabled. Default on servers: Disabled. |
|
Description |
This security setting determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the “Shut down the system” user right before they can perform a system shutdown. |
Tools menu: Disable Internet Options... menu option
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus
|
||
|
Recommended |
High: Enabled Medium: Enabled Low: Enabled |
||
|
Description |
This setting prevents users from opening the Internet Options dialog box from the Tools menu in Internet Explorer. If you enable this policy, users cannot change their Internet options, such as the default home page, cache size, and connection and proxy settings, from the Tools menu in the browser. When users click the Internet Options command on the Tools menu, an error message appears to explain that a setting prevents the action. If you disable this policy or do not configure it, users can change their Internet settings from the browser’s Tools menu.
|
Turn off AutoPlay
|
Location |
User Configuration\Administrative Templates\Windows Components\AutoPlay Policies |
||
|
Recommended |
High: All Drives Medium: Disabled Low: Disabled |
||
|
Description |
This setting turns off the AutoPlay feature. AutoPlay begins reading from a drive as soon as you insert media in the drive. As a result, the setup files of programs and the music on audio media start immediately. Prior to Windows XP SP2, AutoPlay is disabled by default on removable storage devices, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. Starting with Windows XP SP2, AutoPlay is enabled for removable storage devices, including ZIP drives and some USB mass storage devices. If you enable this setting, you can disable AutoPlay on CD-ROM and removable media drives, or disable AutoPlay on all drives. This setting disables AutoPlay on additional types of drives. You cannot use this setting to enable AutoPlay on drives on which it is disabled by default.
|
Turn off displaying the Internet Explorer Help menu
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
This policy setting allows you to turn off the Help menu in Internet Explorer. If you enable this policy setting, users will not be able to use the Internet Explorer Help. The Help icon will be removed from the command bar, and the Help menu in the menu bar will not be functional. The use of the shortcut key F1 for Help will be restricted. If you disable or do not configure this policy setting, the Help menu in Internet Explorer will be available to users and they can also use F1 to access Help. |
Turn off feed and Web Slices discovery
|
Location |
User Configuration\Administrative Templates\Windows Components\RSS Feeds |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
This policy setting prevents users from having Internet Explorer automatically detect whether a feed or Web Slice is available for an associated webpage. If you enable this policy setting, users will not receive a notification on the toolbar that a feed or Web Slice is available. If you disable or do not configure this policy setting, users can see when a feed or Web Slice is available, and click the Feed Discovery button. |
Turn off Print menu
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus |
|
Recommended |
High: Enabled Medium: Enabled Low: Disabled |
|
Description |
This policy setting allows you to manage whether users can access the Print menu. If you enable this policy setting, the Print menu in Internet Explorer will not be available. If you disable or do not configure this policy setting, the Print menu in Internet Explorer will be available. |
Section Heading
|
Location |
User Configuration\Administrative Templates\Windows Components\RSS Feeds |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
This policy setting prevents users from using Internet Explorer as a feed reader. This setting has no impact on the Windows RSS Platform. If you enable this policy setting, the user cannot access the Feeds list located in the Favorites center. If you disable or do not configure this policy setting, users can access the Feeds list in the Favorites center. |
Turn off Windows+X hotkeys
|
Location |
User Configuration\Administrative Templates\Windows Explorer |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
This setting disables the Windows+X hotkeys. Keyboards with a Windows key provide users with shortcuts to common features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts Windows Explorer. If you enable this setting, the Windows+X shortcut keys are unavailable. If you disable or do not configure this setting, the Windows+X shortcut keys are available. |
Turn on the auto-complete feature for user names and passwords on forms
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer |
|
Recommended |
High: Enabled Medium: Enabled Low: Disabled |
|
Description |
This AutoComplete feature can remember and suggest user names and passwords on forms. If you enable this setting, users cannot change text in "User name and passwords on forms" or "Prompt me to save passwords." The AutoComplete feature for “User names and passwords on forms” will be turned on. You have to decide whether to select "Prompt me to save passwords." If you disable this setting, the user cannot change text in "User name and passwords on forms" or "Prompt me to save passwords." The AutoComplete feature for “User names and passwords on forms” is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on AutoComplete for “User names and passwords on forms” and the option of prompting to save passwords. To display this option, users can open Internet Options, click the Contents tab, and then click Settings. |
View menu: Disable Full Screen menu option
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus |
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
|
Description |
This setting prevents users from displaying the browser in full-screen (kiosk) mode, without the standard toolbar. If you enable this policy, the Full Screen command on the View menu will appear unavailable, and pressing F11 will not display the browser in a full screen. If you disable this policy or do not configure it, users can display the browser in full-screen mode. This policy is intended to prevent users from displaying the browser without toolbars, which might be confusing for some beginner users. |
View menu: Disable Source menu option
|
Location |
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus |
||
|
Recommended |
High: Enabled Medium: Disabled Low: Disabled |
||
|
Description |
This setting prevents users from viewing the HTML source of webpages by clicking the Source command on the View menu. If you enable this policy, the Source command on the View menu will appear unavailable. If you disable this policy or do not configure it, users can view the HTML source of webpages from the View menu in a browser.
|
