Using Group Policy Settings with Windows XP Home Networking Features

Published: October 01, 2001 | Updated: August 02, 2004

By Joseph Davies

Abstract

The Microsoft® Windows® XP operating system supports a wide variety of features to enable home networking. Some of these features, however, are in conflict with the connectivity needs of typical organizations. The Windows XP Group Policy settings that allow the use of home networking features are location-aware, allowing a network administrator of an organization to create policy that disables the home networking feature while the user is connected to the organization intranet. When users take their laptop home and connect to their home network, the Windows XP home networking feature is available and configurable.

This article explains these Windows XP policy settings in detail and shows administrators how to configure them in a Windows 2000 Server environment.

On This Page

Acknowledgements
Introduction
Overview of Group Policy
Windows 2000 Group Policy Settings for Network and Dial-up Connections
Windows XP Group Policy Settings for Network Connections
Windows XP SP2 Group Policy Settings for Windows Firewall
Using Windows XP Group Policy Settings in a Windows 2000 Domain
Appendix A: Windows XP Computer Configuration Group Policy Settings
Appendix B: Windows XP User Configuration Group Policy Settings
Summary
Related Links

Acknowledgements

Mohammed Samji, Program Manager, Microsoft Corporation

John Kaiser, Technical Editor, Microsoft Corporation

Introduction

Windows XP includes many features that make networking in the home easier and safer. The specific features of Windows XP that are affected by Group Policy are the following:

  • Network Connections folder. The Network Connections folder is a central place to view and configure all the types of network connections on your computer. Network connections include common LAN connections (such as Ethernet and wireless) and dial-up connections (such as analog phone or virtual private network connections). All your network connections are visible as icons that denote their type and status.

  • Internet Connection Sharing. With Internet Connection Sharing (ICS), you can use a single network connection on a computer running Windows XP to connect your entire home network or small office network to the Internet. For example, you might have a home network that connects to the Internet by using a dial-up connection. By enabling ICS on the dial-up network connection, you are providing network address translation, addressing, and name resolution services for all computers on your home network.

  • Internet Connection Firewall (ICF) and Windows Firewall. Internet Connection Firewall (ICF) in Windows XP or Windows XP with Service Pack 1 (SP1) and Windows Firewall in Windows XP with Service Pack 2 (SP2) are stateful host firewalls that provide protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. A host firewall acts as a protective boundary between a computer and the outside world. ICF and Windows Firewall help guard your network against malicious users and computers by allowing requested and excepted network traffic to pass through the firewall, while denying the entrance of potentially unsafe traffic.

  • Network Bridge. Network Bridge lets you create a bridge across two or more network connections to allow network traffic to flow as if all were part of the same network segment (subnet). Network Bridge reduces network configuration complexity by transparently combining multiple LAN segments into a single network segment.

While these features make networking in the home easier and safer, they might be in conflict with the type of connectivity that is present in the workplace. This is not an issue with separate computers that exist in the workplace and home. However, a laptop computer that is taken to work and then brought home might have the following problems:

  • In the workplace, network administrators might need to restrict or prohibit the ability of users to change configuration settings within the Network Connections folder. At home, you should have the ability to change Network Connections folder settings as needed.

  • In the workplace, Internet connectivity is provided by the organization intranet. Your laptop computer is typically not needed to provide Internet connectivity and enabling ICS can cause computers on your subnet to get the wrong IP address configuration. At home, your laptop computer might be the computer that is needed to provide Internet access, IP address configuration, and name resolution services for other computers on your home network.

  • In the workplace, separate connections are typically connected to separate subnets. Transparently connecting two subnets can cause problems in network connectivity and propagate broadcast and multicast traffic. At home, you may have multiple LAN segments (some computers connected to an Ethernet hub and other computers using wireless connections) and need to bridge them to create a single subnet.

  • In the workplace, other computers may need to connect with your computer. If the Windows Firewall is enabled, it must be configured to allow traffic exceptions. At home, the exceptions for workplace traffic do not need to be configured.

Fortunately, Windows XP supports the use of different user accounts and location-aware Group Policy settings. By using a different user account when logging on to the computer when it is connected to the home network (such as a local user account), the organization intranet policies that restrict or prohibit the ability for you to change configuration settings within the Network Connections folder do not apply.

Group Policy settings to allow the use of ICS, ICF, Windows Firewall, and Network Bridge are tied to the network to which the computer was connected when the Group Policy settings were applied. Network administrators can define Group Policy settings that restrict or disable networking features that can cause problems with network connectivity and apply to the computer when it is connected to the organization intranet. When the user takes the computer home and connects it to their home network, the organization intranet Group Policy settings might not be applied, allowing the computer to perform Internet connection and bridging functions not allowed on the organization intranet.

Note: Throughout this paper, the term "administrator" is used to denote a user account that has administrator-level permissions (rather than an individual whose purpose is to manage computer networks). User accounts have administrator permissions because they are members of the Administrators group on the local computer. To view the user accounts (and groups) that are members of your local Administrators group, use the Computer Management snap-in.

Throughout this paper, the term "network configuration operator" is used to denote a user account that is a member of the Network Configuration Operators group.

Overview of Group Policy

Group Policy provides directory-based desktop configuration management. You use Group Policy to define configurations for groups of users and computers. With Group Policy, you can define the various components of the user's desktop environment that a system administrator needs to manage; for example, the programs that are available to users, the programs that appear on the user's desktop, and Start menu options.

The Group Policy settings that you create are contained in a Group Policy object (GPO). There is a local computer GPO and domain-based GPOs. By associating a GPO with selected Active Directory service system containers (sites, domains, and organizational units (OUs)), you can apply these settings to the users and computers in those Active Directory containers.

To create and modify GPOs, you use the Group Policy Microsoft Management Console (MMC) snap-in. You must be an administrator to configure GPOs. If your computer is connected to a network, network policy settings might also prevent you from completing this procedure. If you do not have write access to a Group Policy object, you cannot see the settings contained in that object.

Group Policy includes settings for User Configuration, which affect users, and Computer Configuration, which affect computers.

Computer Configuration Group Policy

Computer Configuration Group Policy is used to change registry settings in the HKEY_LOCAL_MACHINE hive of the local registry. Updates to Computer Configuration Group Policy occur automatically when the computer starts, achieves network connectivity, and locates a domain controller. The computer attempts to download the latest Computer Configuration Group Policy based on the computer account's membership in a domain system container.

Updates also occur if changes to Computer Configuration Group Policy are detected when the Winlogon service polls for changes in Group Policy, which occurs by default every 90 minutes. You can also manually update Computer Configuration Group Policy by issuing the gpupdate /target:computer command on a computer running Windows XP or the secedit /refreshpolicy machine_policy command on a computer running Windows 2000.

User Configuration Group Policy

User Configuration Group Policy is used to change registry settings in the HKEY_CURRENT_USER hive of the local registry. Updates to User Configuration Group Policy occur when a user supplies correct credentials and logs on to the domain. The computer attempts to download the latest User Configuration Group Policy based on the user account's membership in a domain system container.

Updates also occur if changes to User Configuration Group Policy are detected when the Winlogon service polls for changes in Group Policy, which occurs by default every 90 minutes. You can also manually update User Configuration Group Policy by issuing the gpupdate /target:user command on a computer running Windows XP or the secedit /refreshpolicy user_policy command on a computer running Windows 2000.

Windows 2000 Group Policy Settings for Network and Dial-up Connections

The default Group Policy settings supplied with Windows 2000 provide the following Computer Configuration Group Policy setting in the Computer Configuration\Administrative Templates\Network\Network and Dial-up Connections node of the Group Policy snap-in:

  • Allow configuration of connection sharing

The default Group Policy settings supplied with Windows 2000 provide the following User Configuration Group Policy settings in the User Configuration\Administrative Templates\Network\Network and Dial-up Connections node of the Group Policy snap-in:

  • Enable deletion of RAS connections

  • Enable deletion of RAS connections available to all users

  • Enable connecting and disconnecting a RAS connection

  • Enable connecting and disconnecting a LAN connection

  • Enable access to properties of a LAN connection

  • Allow access to current user's RAS connection properties

  • Enable access to properties of RAS connections available to all users

  • Enable renaming of connections, if supported

  • Enable renaming of RAS connections belonging to the current user

  • Enable adding or removing components of a RAS or LAN connection

  • Allow connection components to be enabled or disabled

  • Enable access to properties of components of a LAN connection

  • Enable access to properties of components of a RAS connection

  • Display and enable the Network Connection wizard

  • Enable status statistics for an active connection

  • Enable the Dial-up Preferences item on the Advanced menu

  • Enable the Advanced Settings item on the Advanced menu

  • Allow configuration of connection sharing

  • Allow TCP/IP advanced configuration

For computers running Windows 2000, these User Configuration Group Policy settings apply to all users, including administrators and network configuration operators.

Windows XP Group Policy Settings for Network Connections

The default Group Policy settings supplied with Windows XP for the local computer GPO provide the following Computer Configuration Group Policy settings in the Computer Configuration\Administrative Templates\Network\Network Connections node of the Group Policy snap-in:

  • Prohibit use of Internet Connection Sharing on your DNS domain network

  • Prohibit use of Internet Connection Firewall on your DNS domain network

  • Prohibit installation and configuration of Network Bridge on your DNS domain network

  • IEEE 802.1x Certificate Authority for Machine Authentication

These settings are described in more detail in Appendix A.

The first three settings are location-aware, and only apply if the network to which the computer is currently attached is the same network from which the settings were obtained. A network administrator can enable all three settings in the organization's Group Policy. When the laptop computer is connected to the organization intranet, ICS, ICF, and Network Bridge are disabled and cannot be configured. However, when the laptop user takes the laptop home and connects to a home network, these settings are effectively ignored and ICS, ICF, and Network Bridge can be enabled and configured.

The default Group Policy settings supplied with Windows XP for the local computer GPO provide the following User Configuration Group Policy settings in the User Configuration\Administrative Templates\Network\Network Connections node of the Group Policy snap-in:

  • Ability to rename LAN connections or remote access connections available to all users

  • Prohibit access to properties of components of a LAN connection

  • Prohibit access to properties of components of a remote access connection

  • Prohibit TCP/IP advanced configuration

  • Prohibit access to the Advanced Settings item on the Advanced menu

  • Prohibit adding and removing components for a LAN or remote access connection

  • Prohibit access to properties of a LAN connection

  • Prohibit Enabling/Disabling components of a LAN connection

  • Ability to change properties of an all user remote access connection

  • Prohibit changing properties of a private remote access connection

  • Prohibit deletion of remote access connections

  • Ability to delete all user remote access connections

  • Prohibit connecting and disconnecting a remote access connection

  • Ability to Enable/Disable a LAN connection

  • Prohibit access to the New Connection Wizard

  • Ability to rename LAN connections

  • Ability to rename all user remote access connections

  • Prohibit renaming private remote access connections

  • Prohibit access to the Dial-up Preferences item on the Advanced menu

  • Prohibit viewing of status for an active connection

  • Enable Windows 2000 Network Connection settings for Administrators

These settings are described in more detail in Appendix B.

With the exception of the last setting, the default User Configuration Group Policy settings supplied with Windows XP provide functionality similar to the settings for Windows 2000. An important difference in Windows XP behavior is that, by default, settings that restrict the ability to configure network connections do not apply to administrators. This is the opposite of the behavior for Windows 2000. If you want your computers running Windows XP to exhibit the same behavior as Windows 2000, enable the "Enable Windows 2000 Network Connection settings for Administrators" Group Policy setting.

Windows XP SP2 Group Policy Settings for Windows Firewall

Windows XP SP2 includes a new set of Computer Configuration Group Policy Windows Firewall settings to allow a network administrator to configure Windows Firewall operational modes, excepted traffic, and other settings using a GPO.

When using the new Windows Firewall Group Policy settings, you can configure two different profiles:

  • Domain profile. The domain profile is the set of Windows Firewall settings that are needed when the computer is connected to the network that contains the domain controllers of the organization. For example, the domain profile might contain excepted traffic for the applications needed by a managed computer in an enterprise network.

  • Standard profile. The standard profile is the set of Windows Firewall settings that are needed when the computer is not connected to the network that contains the domain controllers of the organization. A good example is when an organization laptop is taken on the road and connects to the Internet using a public broadband or wireless Internet service provider. Because the organization laptop is directly connected to the Internet, the standard profile should contain more restrictive settings than the domain profile.

These new settings are located at Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

Windows XP with SP2 relies on network determination to determine which profile settings to apply. For more information, see Network Determination Behavior for Network-Related Group Policy Settings.

For more information, see Appendix A of Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2.

Using Windows XP Group Policy Settings in a Windows 2000 Domain

If you use the default Group Policy settings supplied with Windows 2000, you are not using the new default Group Policy settings supplied with Windows XP and, consequently, you will not be able to disable the use of ICF and Network Bridge. Additionally, you will have different behavior on computers running Windows XP with respect to administrator restrictions on configuring network connections.

To use the new default Group Policy settings supplied with Windows XP associated with the Network Connections folder, you must update your domain system containers to use the Windows XP core Group Policy settings. The core Group Policy settings are contained in a file named System.adm.

To use the core Windows XP Group Policy settings in your Windows 2000 domain, do the following:

  1. Log on to a computer running Windows XP Professional as an administrator.

  2. Copy the file systemroot\Inf\System.adm to a floppy disk or network location with the name System_xp.adm.

  3. Log on as a domain administrator at a Windows 2000 domain controller.

  4. Copy the file System_xp.adm from the floppy disk or network location to the systemroot\Inf folder on the domain controller.

  5. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  6. Right-click the domain system container to which you want to apply the Windows XP core Group Policy settings and click Properties.

  7. In the domain system container properties dialog box, click the Group Policy tab.

  8. Click the correct GPO in the list, and then click Edit.

  9. In the console tree of the Group Policy snap-in, navigate to Computer Configuration\Administrative Templates or User Configuration\Administrative Templates.

  10. In the console tree of the Group Policy snap-in, right-click Administrative Templates, and then click Add/Remove Templates.

  11. In the Add/Remove Templates dialog box, click system under Name, and then click Remove. This step removes the current core Group Policy settings supplied with Windows 2000.

  12. In the Add/Remove Templates dialog box, click Add.

  13. In the Policy Templates dialog box, click the file named System_xp.adm, and then click Open. This step adds the default core Group Policy settings supplied with Windows XP.

  14. In the Add/Remove Templates dialog box, click Close.

  15. Close the Group Policy snap-in.

  16. In the domain system container properties dialog box, click OK.

  17. Repeat steps 6 through 16 for each domain container to which you want to apply the Windows XP core Group Policy settings.
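Before swapping the Windows 2000 System.adm for the Windows XP one as in the steps above, an administrator may want to list which policies a template actually defines, which class (and therefore which registry hive) each belongs to, and which registry key and value it writes. The parser below is an added example, not code from this article or from Microsoft; it handles a simplified subset of the .adm syntax, and the SAMPLE_ADM fragment is constructed here (the NC_* value names are assumed to follow the real template's naming and are not copied from it).

```python
"""Parse a simplified .adm Group Policy template and report which registry hive, key and value each policy controls. Added example; not code from the article or Microsoft."""
import re
from dataclasses import dataclass
from typing import List

# Constructed fragment in the style of Windows XP System.adm. The display strings are
# setting names from the article; the NC_* value names are assumed to follow the real
# template's naming and are not copied from it.
SAMPLE_ADM = r"""
CLASS MACHINE
CATEGORY !!Network
  CATEGORY !!NetworkConnections
    POLICY !!NC_ShowSharedAccessUI
      KEYNAME "Software\Policies\Microsoft\Windows\Network Connections"
      VALUENAME "NC_ShowSharedAccessUI"
      VALUEON NUMERIC 0
      VALUEOFF NUMERIC 1
    END POLICY
    POLICY !!NC_PersonalFirewallConfig
      KEYNAME "Software\Policies\Microsoft\Windows\Network Connections"
      VALUENAME "NC_PersonalFirewallConfig"
      VALUEON NUMERIC 0
      VALUEOFF NUMERIC 1
    END POLICY
    POLICY !!NC_AllowNetBridge_NLA
      KEYNAME "Software\Policies\Microsoft\Windows\Network Connections"
      VALUENAME "NC_AllowNetBridge_NLA"
      VALUEON NUMERIC 0
      VALUEOFF NUMERIC 1
    END POLICY
  END CATEGORY
END CATEGORY
CLASS USER
CATEGORY !!Network
  CATEGORY !!NetworkConnections
    POLICY !!NC_EnableAdminProhibits
      KEYNAME "Software\Policies\Microsoft\Windows\Network Connections"
      VALUENAME "NC_EnableAdminProhibits"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY
  END CATEGORY
END CATEGORY
[strings]
Network="Network"
NetworkConnections="Network Connections"
NC_ShowSharedAccessUI="Prohibit use of Internet Connection Sharing on your DNS domain network"
NC_PersonalFirewallConfig="Prohibit use of Internet Connection Firewall on your DNS domain network"
NC_AllowNetBridge_NLA="Prohibit installation and configuration of Network Bridge on your DNS domain network"
NC_EnableAdminProhibits="Enable Windows 2000 Network Connection settings for Administrators"
"""

# CLASS MACHINE settings are written to HKLM, CLASS USER settings to HKCU (see the article).
HIVES = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_CURRENT_USER"}

@dataclass
class AdmPolicy:
    hive: str
    category: str          # category path, e.g. "Network\Network Connections"
    name: str              # display name after !!string resolution
    keyname: str = ""
    valuename: str = ""
    value_on: str = ""     # registry data written when the setting is Enabled
    value_off: str = ""    # registry data written when the setting is Disabled

def parse_adm(text: str) -> List[AdmPolicy]:
    lines = text.splitlines()
    # Read the [strings] table first so !!references can be resolved while parsing.
    split = next((i for i, l in enumerate(lines) if l.strip().lower() == "[strings]"), len(lines))
    strings = dict(re.findall(r'^\s*(\w+)\s*=\s*"(.*)"\s*$', "\n".join(lines[split + 1:]), re.M))
    resolve = lambda tok: strings.get(tok[2:], tok[2:]) if tok.startswith("!!") else tok.strip('"')
    policies, categories, hive, cur = [], [], "", None
    for raw in lines[:split]:
        parts = raw.strip().split(None, 1)
        if not parts or parts[0][0] in ";#":        # blank line, comment, #if/#endif
            continue
        kw, arg = parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")
        if kw == "CLASS":
            hive = HIVES[arg.upper()]
        elif kw == "CATEGORY":
            categories.append(resolve(arg))
        elif kw == "POLICY":
            cur = AdmPolicy(hive, "\\".join(categories), resolve(arg))
        elif kw == "END" and arg.upper() == "POLICY" and cur is not None:
            policies.append(cur)
            cur = None
        elif kw == "END" and arg.upper() == "CATEGORY" and categories:
            categories.pop()
        elif cur is not None and kw in ("KEYNAME", "VALUENAME"):
            setattr(cur, kw.lower(), arg.strip('"'))
        elif cur is not None and kw in ("VALUEON", "VALUEOFF"):
            # "NUMERIC 0" -> "0"; EXPLAIN, SUPPORTED and other keywords are simply skipped
            setattr(cur, kw.lower().replace("value", "value_"), arg.split(None, 1)[-1].strip('"'))
    return policies

def location_aware(policies: List[AdmPolicy]) -> List[AdmPolicy]:
    """The computer settings the article calls location-aware all carry 'on your DNS domain network' in their name."""
    return [p for p in policies
            if p.hive == "HKEY_LOCAL_MACHINE" and p.name.endswith("on your DNS domain network")]
```

Run it against the copied System_xp.adm to confirm the three location-aware computer settings are present before adding the template to a GPO; the hive, key and value printed for each policy are what to inspect in the registry after gpupdate to verify the setting was applied.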

To modify the settings of the GPO for a given domain container, do the following:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. Right-click the domain system container to which you want to change Group Policy settings and click Properties.

  3. In the domain system container properties dialog box, click the Group Policy tab.

  4. Click the correct GPO in the list, and then click Edit.

  5. Modify the User Configuration or Computer Configuration settings with the Group Policy snap-in.

To modify User Configuration settings for Network Connections, navigate to User Configuration\Administrative Templates\Network\Network Connections in the console tree.

To modify Computer Configuration settings for Network Connections, navigate to Computer Configuration\Administrative Templates\Network\Network Connections in the console tree.

For more information about using Windows XP Group Policy settings in a Windows 2000 domain, see the Windows XP white paper, Managing Windows XP in a Windows 2000 Server Environment.

Appendix A: Windows XP Computer Configuration Group Policy Settings

This section describes the Windows XP Group Policy settings for the Network Connections folder that apply to the computer and are configured from the Computer Configuration\Administrative Templates\Network\Network Connections node in the Group Policy snap-in.

Prohibit use of Internet Connection Sharing on your DNS domain network

This setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network.

If you enable this setting:

  • ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer.

  • The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed.

  • The Internet Connection Sharing page is removed from the New Connection Wizard.

  • The Network Setup Wizard is disabled.

If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.)

This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.

For detailed information about how Windows XP determines the network to which it is currently connected, see Network Determination Behavior for Network-Related Group Policy Settings.

By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS.

Notes

  • ICS is only available when two or more network connections are present.

  • When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" user Group Policy settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked.

  • Users who do not have administrator permissions are already prohibited from configuring Internet Connection Sharing, regardless of this setting.

Prohibit use of Internet Connection Firewall on your DNS domain network

This setting determines whether users can enable the Internet Connection Firewall (ICF) feature on a connection, and if the ICF service can run on a computer. The ICF is a stateful packet filter for home and small office users to protect them from Internet network security threats.

If you enable this setting:

  • Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connection Firewall service cannot run on the computer.

  • The option to enable the Internet Connection Firewall through the Advanced tab is removed.

  • The Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard.

  • The Network Setup Wizard is disabled.

If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but administrators can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled.

This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.

For Windows XP with SP2, this setting can be overridden by Windows Firewall settings. For more information, see Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2.

Prohibit installation and configuration of Network Bridge on your DNS domain network

This setting determines whether a user can install and configure the Network Bridge. The Network Bridge allows users to create a layer 2 transparent bridge, enabling them to connect two or more LAN segments together to create a single network segment (subnet). This connection appears in the Network Connections folder.

If you enable this setting:

  • Network Bridge cannot be enabled or configured by users (including administrators), and the Network Bridge service cannot run on the computer.

  • The option to enable the Network Bridge through the context menu of LAN connections is removed.

If you disable this setting or do not configure it, the user will be able to create or modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer.

This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.

IEEE 802.1x Certificate Authority for Machine Authentication

This setting determines whether you want to use a manually configured thumbprint (hash) of the certificate authority to use when performing machine authentication for IEEE 802.1x connections, which include wireless and authenticating switch connections.

If you enable this setting, you must type or paste the thumbprint or hash of the certificate authority used for 802.1x authentication in Certificate Authority Hash. You can obtain the thumbprint from the Thumbprint field on the Details tab of the properties of a certificate in the Certificates snap-in.

If you disable or do not configure this setting, the certificate authority for IEEE 802.1x machine authentication will not be configured on your client. This might cause machine authentication to fail.

Note: The certificate authority that is configured by this setting only applies to machine authentication, not to user authentication.

Appendix B: Windows XP User Configuration Group Policy Settings

This section describes the Windows XP Group Policy settings for the Network Connections folder that apply to the user and are configured from the User Configuration\Administrative Templates\Network\Network Connections node in the Group Policy snap-in.

Ability to rename LAN connections or remote access connections available to all users

This setting determines whether users can rename LAN connections and remote access connections that are for all users of the computer. This setting does not apply to remote access connections that are created for a specific user.

If you enable this setting, users can rename connections by right-clicking the icon representing a connection and clicking Rename or by using the File menu.

If you disable this setting, the Rename context menu option for LAN and all-user remote access connections is disabled for all users (including network configuration operators).

If this setting is not configured, only administrators and network configuration operators have the right to rename LAN or all user remote access connections.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Windows 2000 Network Connection settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • When configured, this setting always takes precedence over the "Ability to rename LAN connections" and "Ability to rename all user remote access connections" settings.

  • This setting does not prevent users from using other programs, such as Internet Explorer, to rename remote access connections.

Prohibit access to properties of components of a LAN connection

This setting determines whether administrators and network configuration operators can change the properties of components used by a LAN connection. The Local Area Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list.

If you enable this setting, the Properties button is unavailable for users and network configuration operators.

If you disable this setting or do not configure it, the Properties button is enabled for administrators and network configuration operators.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Windows 2000 Network Connection settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled.

  • When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the Properties button for LAN connection components.

  • Network configuration operators only have permission to change TCP/IP properties. Properties for all other components are unavailable to these users.

  • Users that are not administrators or network configuration operators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting.

Prohibit access to properties of components of a remote access connection

This setting determines whether administrators and network configuration operators can change the properties of components used by a private or all-user remote access connection. The Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list.

If you enable this setting, the Properties button is unavailable for users and network configuration operators.

If you disable this setting or do not configure it, the Properties button is enabled for all users.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled.

  • When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked.

  • This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.

Prohibit TCP/IP advanced configuration

This setting determines whether users can configure advanced TCP/IP settings. To open the Advanced TCP/IP Settings dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button.

If you enable this setting, the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users except administrators. As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information.

If you disable this setting, the Advanced button is enabled, and all users can open the Advanced TCP/IP Settings dialog box.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • This setting is superseded by settings that prohibit access to properties of connections or connection components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection components, users cannot gain access to the Advanced button for TCP/IP configuration.

  • Nonadministrators (excluding network configuration operators) do not have permission to access TCP/IP advanced configuration for a LAN connection, regardless of this setting.

  • Changing this setting from Enabled to Not Configured does not enable the Advanced button until the user logs off.

Prohibit access to the Advanced Settings item on the Advanced menu

This setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers.

If you enable this setting, the Advanced Settings item is disabled for nonadministrators.

If you disable this setting or do not configure it, the Advanced Settings item is enabled for administrators.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting.

Prohibit adding and removing components for a LAN or remote access connection

This setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators.

If you enable this setting, the Install and Uninstall buttons for components of connections are disabled, and nonadministrators are not permitted to access network components in the Windows Components Wizard.

The Install button opens the dialog boxes used to add network components. Clicking the Uninstall button removes the selected component in the components list.

The Install and Uninstall buttons appear in the properties dialog box for connections. These buttons are on the General tab for LAN connections and on the Networking tab for remote access connections.

If you disable this setting or do not configure it, the Install and Uninstall buttons for components of connections in the Network Connections folder are enabled. Also, administrators can gain access to network components in the Windows Components Wizard.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • When the "Prohibit access to properties of a LAN connection", "Ability to change properties of an all user remote access connection", or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the connection properties dialog box, the Install and Uninstall buttons for connections are blocked.

  • Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting.

Prohibit access to properties of a LAN connection

This setting determines whether users can change the properties of a LAN connection (whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users).

If you enable this setting, the Properties menu items are disabled for all users except administrators, and nonadministrators cannot open the Local Area Connection Properties dialog box.

If you disable this setting or do not configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users.

  • Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting.

Prohibit Enabling/Disabling components of a LAN connection

This setting determines whether nonadministrators can enable and disable the components used by LAN connections.

If you enable this setting, the check boxes for enabling and disabling components are disabled. As a result, nonadministrators cannot enable or disable the components that a connection uses.

If you disable this setting or do not configure it, the Properties dialog box for a connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables the component.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the check boxes for enabling and disabling the components of a LAN connection.

  • Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting.

Ability to change properties of an all user remote access connection

This setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the For all users option. This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box is available to users.

If you enable this setting, a Properties menu item appears when any user right-clicks the icon for a remote access connection. Also, when any user selects the connection, Properties appears on the File menu.

If you disable this setting, the Properties menu items are disabled, and nonadministrators cannot open the remote access connection properties dialog box.

If you do not configure this setting, only administrators and network configuration operators can change properties of all-user remote access connections.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • This setting takes precedence over settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. If this setting is disabled, nothing within the properties dialog box for a remote access connection will be available to users.

  • This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.

Prohibit changing properties of a private remote access connection

This setting determines whether users can view and change the properties of their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the Only for myself option. This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box for a private connection is available to users.

If you enable this setting, the Properties menu items are disabled, and no users (excluding administrators) can open the Remote Access Connection Properties dialog box for a private connection.

If you disable this setting or do not configure it, a Properties menu item appears when any user right-clicks the icon representing a private remote access connection. Also, when any user selects the connection, Properties appears on the File menu.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users.

  • This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.

Prohibit deletion of remote access connections

This setting determines whether users can delete remote access connections.

If you enable this setting, users (excluding administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder.

If you disable this setting or do not configure it, all users can delete their private remote access connections. Private connections are those that are available only to one user.

By default, only administrators and network configuration operators can delete connections available to all users, but you can change the default by using the "Ability to delete all user remote access connections" setting.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • When enabled, this setting takes precedence over the "Ability to delete all user remote access connections" setting. Users cannot delete any remote access connections, and the "Ability to delete all user remote access connections" setting is ignored.

  • LAN connections are created and deleted automatically when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection.

  • This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.

Ability to delete all user remote access connections

This setting determines whether users can delete all user remote access connections. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option.

If you enable this setting, all users can delete shared remote access connections. In addition, if your file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection.

If you disable this setting, users (excluding administrators) cannot delete all-user remote access connections. By default, users can still delete their private connections, but you can change the default by using the "Prohibit deletion of remote access connections" setting.

If you do not configure this setting, only Administrators and Network Configuration Operators can delete all user remote access connections.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • When enabled, the "Prohibit deletion of remote access connections" setting takes precedence over this setting. Users (including administrators) cannot delete any remote access connections, and this setting is ignored.

  • LAN connections are created and deleted automatically by the system when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection.

  • This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.

Prohibit connecting and disconnecting a remote access connection

This setting determines whether users can connect and disconnect remote access connections.

If you enable this setting, double-clicking the icon has no effect for nonadministrators, and the Connect and Disconnect menu items are disabled for nonadministrators.

If you disable this setting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

Ability to Enable/Disable a LAN connection

This setting determines whether users can enable or disable LAN connections.

If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable and disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu.

If you disable this setting, double-clicking the icon has no effect, and the Enable and Disable menu items are disabled for all users (excluding administrators).

If you do not configure this setting, only administrators and network configuration operators can enable and disable LAN connections.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • Administrators can still enable and disable LAN connections from Device Manager when this setting is disabled.

Prohibit access to the New Connection Wizard

This setting determines whether users can use the New Connection Wizard, which creates new network connections.

If you enable this setting, the Make New Connection icon does not appear in the Start menu or in the Network Connections folder. As a result, users (excluding administrators) cannot start the New Connection Wizard.

If you disable this setting or do not configure it, the Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Connection icon starts the New Connection Wizard.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • Changing this setting from Enabled to Not Configured does not restore the Make New Connection icon until the user logs off. When other changes to this setting are applied, the icon does not appear or disappear in the Network Connections folder until the folder is refreshed.

  • This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.

Ability to rename LAN connections

This setting determines whether nonadministrators can rename a LAN connection.

If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu.

If you disable this setting, the Rename option is disabled for nonadministrators only.

If you do not configure this setting, only administrators and network configuration operators can rename LAN connections.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • This setting does not apply to administrators.

  • When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting does not apply.

Ability to rename all user remote access connections

This setting determines whether nonadministrators can rename all-user remote access connections. To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the For all users option.

If you enable this setting, the Rename option is enabled for all-user remote access connections. Any user can rename all-user connections by clicking an icon representing the connection or by using the File menu.

If you disable this setting, the Rename option is disabled for nonadministrators only.

If you do not configure the setting, only administrators and network configuration operators can rename all-user remote access connections.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • This setting does not apply to administrators.

  • When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled), this setting does not apply.

  • This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.

Prohibit renaming private remote access connections

This setting determines whether users can rename their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the Only for myself option.

If you enable this setting, the Rename option is disabled for all users (excluding administrators).

If you disable this setting or do not configure it, the Rename option is enabled for all users' private remote access connections. Users can rename their private connection by clicking the name under the icon representing the connection or by using the File menu.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

  • This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.

Prohibit access to the Dial-up Preferences item on the Advanced menu

This setting determines whether the Dial-up Preferences item on the Advanced menu in the Network Connections folder is enabled. The Dial-up Preferences item lets users create and change connections before logon and configure automatic dialing and callback features.

If you enable this setting, the Dial-up Preferences item is disabled for all users (excluding administrators).

If you disable this setting or do not configure it, the Dial-up Preferences item is enabled for all users.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

Prohibit viewing of status for an active connection

This setting determines whether users can view the status for an active connection. Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection.

If you enable this setting, the connection status taskbar icon and Status dialog box are not available to users (excluding administrators). The Status option is disabled in the context menu for the connection and on the File menu in the Network Connections folder. Users cannot choose to show the connection icon in the taskbar from the Connection Properties dialog box.

If you disable this setting or do not configure it, the connection status taskbar icon and Status dialog box are available to all users.

Notes

  • The description of this setting assumes that the policy is applied to a computer running Windows XP. If this policy is applied to a computer running Windows 2000, this setting also applies to administrators.

  • If the "Enable Network Connections settings for Administrators" Group Policy setting is enabled, this setting also applies to administrators on computers running Windows XP.

Enable Windows 2000 Network Connection settings for Administrators

This setting determines whether the settings that define or prohibit the ability to perform administrative tasks within the Network Connections folder apply to administrators. On computers running Windows 2000, the Group Policy settings that determine the capabilities for administering the Dial-up and Network Connections folder also apply to administrators. By default, on computers running Windows XP, the Group Policy settings that determine the capabilities for administering the Network Connections folder do not apply to administrators.

If you enable this setting, Group Policy settings that determine the capabilities of administering the Network Connections folder also apply to administrators. These settings are the default Windows 2000 Group Policy settings in the User Configuration\Administrative Templates\Network\Dial-up and Network Connections node and the following Windows XP Group Policy settings in the User Configuration\Administrative Templates\Network\Network Connections node:

  • Ability to rename LAN connections or remote access connections available to all users

  • Prohibit access to properties of components of a LAN connection

  • Prohibit access to properties of components of a remote access connection

  • Ability to access TCP/IP advanced configuration

  • Prohibit access to the Advanced Settings Item on the Advanced Menu

  • Prohibit adding and removing components for a LAN or remote access connection

  • Prohibit access to properties of a LAN connection

  • Prohibit Enabling/Disabling components of a LAN connection

  • Ability to change properties of an all user remote access connection

  • Prohibit changing properties of a private remote access connection

  • Prohibit deletion of remote access connections

  • Ability to delete all user remote access connections

  • Prohibit connecting and disconnecting a remote access connection

  • Ability to Enable/Disable a LAN connection

  • Prohibit access to the New Connection Wizard

  • Prohibit renaming private remote access connections

  • Prohibit access to the Dial-up Preferences item on the Advanced menu

  • Prohibit viewing of status for an active connection

If you disable this setting or do not configure it, the Group Policy settings that determine capabilities of administering the Network Connections folder do not apply to administrators.

This setting is intended to be used in the following situations:

  • The Windows 2000 behavior must be maintained.

  • The Group Policy object that these settings are being applied to contains both Windows 2000 and Windows XP computers, and identical behavior with respect to the ability of administrators to administer properties of network connections is required between all computers in the Active Directory system container (site, domain, or organizational unit).
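The precedence rules spread across the settings above (the administrator exemption, "Prohibit deletion of remote access connections" overriding "Ability to delete all user remote access connections", and "Prohibit access to properties of a LAN connection" superseding the component-level prohibit) are easier to audit as one decision table. The following Python model is an added example, not code from the article or from Microsoft; it transcribes those rules as the descriptions and Notes state them, and its class and attribute names are the example's own shorthand, not registry value or API names.

```python
"""Model of the precedence rules among a subset of the Network Connections
Group Policy settings (added illustration, not the actual policy engine).
Each setting is Enabled, Disabled or Not Configured, as in the Group Policy
editor; the logic is transcribed from the setting descriptions and Notes."""

from enum import Enum


class State(Enum):
    ENABLED = "Enabled"
    DISABLED = "Disabled"
    NOT_CONFIGURED = "Not Configured"


class Role(Enum):
    ADMIN = "administrator"
    NCO = "network configuration operator"
    USER = "user"


E, D, NC = State.ENABLED, State.DISABLED, State.NOT_CONFIGURED


class NetworkConnectionsPolicy:
    """Tri-state values for the settings this example models. Attribute names
    are shorthand chosen for this example; the Group Policy setting each one
    stands for is given in the comment beside it."""

    def __init__(self, admin_prohibits=NC, prohibit_ras_delete=NC,
                 allow_all_user_ras_delete=NC, prohibit_lan_properties=NC,
                 prohibit_lan_component_properties=NC):
        # "Enable Windows 2000 Network Connection settings for Administrators"
        self.admin_prohibits = admin_prohibits
        # "Prohibit deletion of remote access connections"
        self.prohibit_ras_delete = prohibit_ras_delete
        # "Ability to delete all user remote access connections"
        self.allow_all_user_ras_delete = allow_all_user_ras_delete
        # "Prohibit access to properties of a LAN connection"
        self.prohibit_lan_properties = prohibit_lan_properties
        # "Prohibit access to properties of components of a LAN connection"
        self.prohibit_lan_component_properties = prohibit_lan_component_properties

    def _admin_exempt(self, role):
        # On Windows XP the prohibit settings skip administrators unless the
        # Windows 2000-style "apply to administrators" setting is enabled.
        return role is Role.ADMIN and self.admin_prohibits is not E

    def can_delete_private_ras(self, role):
        if self._admin_exempt(role):
            return True
        # Enabled blocks deletion of every remote access connection; otherwise
        # every user may delete their own private connections.
        return self.prohibit_ras_delete is not E

    def can_delete_all_user_ras(self, role):
        if self._admin_exempt(role):
            return True
        # "Prohibit deletion ..." Enabled takes precedence; the
        # "Ability to delete all user ..." setting is then ignored.
        if self.prohibit_ras_delete is E:
            return False
        if self.allow_all_user_ras_delete is E:
            return True                      # all users may delete shared ones
        if self.allow_all_user_ras_delete is D:
            return role is Role.ADMIN        # nonadministrators cannot
        return role in (Role.ADMIN, Role.NCO)  # Not Configured: the default

    def can_open_lan_properties(self, role):
        if self._admin_exempt(role):
            return True
        return self.prohibit_lan_properties is not E

    def can_open_lan_component_properties(self, role):
        if self._admin_exempt(role):
            return True
        # Ordinary users never get the Properties button for components.
        if role is Role.USER:
            return False
        # The connection-level prohibit supersedes the component-level one.
        if self.prohibit_lan_properties is E:
            return False
        return self.prohibit_lan_component_properties is not E

    def effective_rights(self, role):
        """Summary table for one role, handy when reviewing a GPO design."""
        return {
            "delete private RAS connection": self.can_delete_private_ras(role),
            "delete all-user RAS connection": self.can_delete_all_user_ras(role),
            "open LAN properties": self.can_open_lan_properties(role),
            "open LAN component properties":
                self.can_open_lan_component_properties(role),
        }


if __name__ == "__main__":
    locked = NetworkConnectionsPolicy(prohibit_ras_delete=E,
                                      allow_all_user_ras_delete=E)
    for role in Role:
        print(role.value, locked.effective_rights(role))
```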

Summary

Group Policy settings to allow the use of ICS, ICF, Windows Firewall, and Network Bridge are tied to the network to which the computer was connected when the Group Policy settings were applied. Network administrators can define Group Policy settings that restrict or disable networking features that can cause problems with network connectivity and apply to the computer when it is connected to the organization intranet. When the user takes the computer home and connects it to their home network, the organization intranet Group Policy settings are not applied, allowing the computer to perform Internet connection and bridging functions not allowed on the organization intranet.

See the following resources for further information:

For the latest information about Windows XP, see the Windows XP Web site at https://www.microsoft.com/windowsxp.