Configuring and Administering Group Policy Settings

Internet Explorer 10 adds new Group Policy settings to support new features. This topic contains Group Policy settings that are new in Internet Explorer 10, and changed in Windows® 8. You'll also find information to supplement the Help text for a few existing Group Policies.

You can also use the Group Policy Search tool to search and find Group Policy settings. To find Group Policy settings in the tree, click Windows Components, and then click Internet Explorer.

New Group Policies in Internet Explorer 10

Internet Explorer 10 provides nearly 1,500 Group Policy settings that IT pros can use to manage and control the web browser configuration. For example, Internet Explorer 10 provides Group Policy settings that govern access to settings on the Internet Options dialog box, define security zones, and add or remove websites in a security zone.

The following table lists the new policies, their location, requirements, and the Help text string for each policy setting.

Each entry in the table lists, in order: Policy, Category path, Supported on, and Explanation.

Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Advanced Page

Internet Explorer 10

This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode.

Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website.

If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode.

If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior.

Turn on Enhanced Protected Mode

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Advanced Page

Internet Explorer 10

Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running Windows 8 and above, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.

If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.

If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog box.

Start Internet Explorer with tabs from last browsing session

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>General Page

Internet Explorer 10

This policy setting configures what Internet Explorer displays when a new browsing session is started. By default, Internet Explorer displays the home page. In Internet Explorer 10, Internet Explorer can start a new browsing session with the tabs from the last browsing session.

If you enable this policy setting, Internet Explorer starts a new browsing session with the tabs from the last browsing session. Users cannot change this option to start with the home page.

If you disable this policy setting, Internet Explorer starts a new browsing session with the home page. Users cannot change this option to start with the tabs from the last browsing session.

If you do not configure this policy setting, Internet Explorer starts with the home page. Users can change this option to start with the tabs from the last session.

Allow websites to store application caches on client computers

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>General Page>Browsing History

Internet Explorer 10

This policy setting allows websites to store file resources in application caches on client computers.

If you enable this policy setting, websites will be able to store application caches on client computers and Allow website database and caches on Website Data Settings will be unavailable to users.

If you disable this policy setting, websites won't be able to store application caches on client computers and Allow website database and caches on Website Data Settings will be unavailable to users.

If you do not configure this policy setting, websites will be able to store application caches on client computers and Allow website database and caches on Website Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computers.

Allow websites to store indexed databases on client computers

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>General Page>Browsing History

Internet Explorer 10

This policy setting allows websites to store indexed database cache information on client computers.

If you enable this policy setting, websites will be able to store an indexed database on client computers and Allow website database and caches on Website Data Settings will be unavailable to users.

If you disable this policy setting, websites will not be able to store an indexed database on client computers and Allow website database and caches on Website Data Settings will be unavailable to users.

If you do not configure this policy setting, websites will be able to store an indexed database on client computers and Allow website database and caches on Website Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computers.

Set application cache storage limits for individual domains

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>General Page>Browsing History

Internet Explorer 10

This policy setting sets file storage limits for application caches of websites that have been allowed to exceed their storage limit. The Set default storage limits for websites policy setting sets the data storage limits for application caches. If a domain exceeds the application cache storage limit for an individual domain, Internet Explorer sends an error to the website. No notification will be displayed to the user. This group policy sets the maximum file storage limit for domains that are trusted by users. When you set this policy setting, you provide the cache limit, in MB. The default is 50 MB.

If you enable this policy setting, Internet Explorer will allow trusted domains to store additional files in application caches, up to the limit set in this policy setting.

If you disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all application caches, which is 50 MB.

Set application caches expiration time limit for individual domains

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>General Page>Browsing History

Internet Explorer 10

This policy setting sets the number of days an inactive application cache will exist before it is removed. If the application cache is used before the expiration time limit, it will not be automatically removed. When you set this policy setting, you provide the expiration time limit in days.

If you enable this policy setting, Internet Explorer will remove application caches that haven't been used within the timeframe set in this policy setting.

If you disable or do not configure this policy setting, Internet Explorer will use the default application cache expiration time limit for all application caches, which is 30 days.

Set default storage limits for websites

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>General Page>Browsing History

Internet Explorer 10

This policy setting sets data storage limits for indexed database and application caches for individual websites. When you set this policy setting, you provide the cache limit, in MB.

If you enable this policy setting, Internet Explorer displays a notification when a website exceeds the configured storage limit.

If you disable or do not configure this policy setting, users can set default data storage limits for indexed databases and application caches.

Set indexed database storage limits for individual domains

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>General Page>Browsing History

Internet Explorer 10

This policy setting sets data storage limits for indexed databases of websites that have been allowed to exceed their storage limit. The Set default storage limits for websites policy setting sets the data storage limits for indexed databases. If a domain exceeds the indexed database storage limit for an individual domain, Internet Explorer sends an error to the website. No notification is sent to the user. This group policy sets the maximum data storage limit for domains that are trusted by users. When you set this policy setting, you provide the cache limit, in MB. The default is 500 MB.

If you enable this policy setting, Internet Explorer will allow trusted domains to store additional data in indexed databases, up to the limit set in this group policy.

If you disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all indexed databases, which is 500 MB.

Set maximum application cache individual resource size

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>General Page>Browsing History

Internet Explorer 10

This policy setting sets the maximum size for an individual resource file contained in a manifest file. The manifest file is used to create the application cache. If any file in the manifest exceeds the allowed size, Internet Explorer sends an error to the website. No notification will be displayed to the user. When you set this policy setting, you provide the resource size limit, in MB. The default is 50 MB.

If you enable this policy setting, Internet Explorer will allow the creation of application caches whose individual manifest file entries are less than or equal to the size set in this policy setting.

If you disable or do not configure this policy setting, Internet Explorer will use the default application cache individual resource size for all application caches resources, which is 50 MB.

Set maximum application cache resource list size

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>General Page>Browsing History

Internet Explorer 10

This policy setting sets the maximum number of resource entries that can be specified in a manifest file associated with an application cache. If the manifest associated with an application cache exceeds the number of resources allowed, including the page that referenced the manifest, Internet Explorer sends an error to the website. No notification will be displayed to the user. When you set this policy setting, you provide the resource limit as a number. The default is 1000 resources.

If you enable this policy setting, Internet Explorer will allow the creation of application caches whose manifest file contains the number of resources, including the page that referenced the manifest, that are less than or equal to the limit set in this policy setting.

If you disable or do not configure this policy setting, Internet Explorer will use the default maximum application cache resource list size for all application caches, which is 1000 resources.

Set maximum application caches storage limit for all domains

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>General Page>Browsing History

Internet Explorer 10

This policy setting sets the file storage limit for all combined application caches for a user. When you set this policy setting, you provide the storage limit in MB. When the limit is reached, Internet Explorer notifies the user, and the user must delete application caches before an updated one can be saved on their computer. The default maximum storage limit for all application caches is 1 GB.

If you enable this policy setting, you can set the maximum storage limit for all application caches.

If you disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all application caches, which is 1 GB.

Set maximum indexed database storage limit for all domains

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>General Page>Browsing History

Internet Explorer 10

This policy setting sets the data storage limit for all combined indexed databases for a user. When you set this policy setting, you provide the storage limit in MB. When the limit is reached, Internet Explorer notifies the user, and the user must delete indexed databases before an updated database can be saved on their computer. The default maximum storage limit for all indexed databases is 4 GB.

If you enable this policy setting, you can set the maximum storage limit for all indexed databases. The default is 4 GB.

If you disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all indexed databases, which is 4 GB.

Turn off URL Suggestions

Administrative Templates>Windows Components>Internet Explorer>Internet Settings>AutoComplete

Internet Explorer 10

This policy setting turns off URL Suggestions. URL Suggestions allow users to autocomplete URLs in the address bar based on common URLs. The list of common URLs is stored locally and is updated once a month. No user data is sent over the internet by this feature.

If you enable this policy setting, URL Suggestions will be turned off. Users will not be able to turn on URL Suggestions.

If you disable this policy setting, URL Suggestions will be turned on. Users will not be able to turn off URL Suggestions.

If you do not configure this policy setting, URL Suggestions will be turned on. Users will be able to turn on or turn off URL Suggestions in the Internet Options dialog. By default, URL Suggestions are turned on.

Open Internet Explorer tiles on the desktop

Administrative Templates>Windows Components>Internet Explorer>Internet Settings

Internet Explorer 10 on Windows 8

This policy setting configures Internet Explorer to open Internet Explorer tiles on the desktop.

If you enable this policy setting, Internet Explorer opens tiles only on the desktop.

If you disable this policy setting, Internet Explorer does not open tiles on the desktop.

If you do not configure this policy, users can choose how Internet Explorer tiles are opened.

Set how links are opened in Internet Explorer

Administrative Templates>Windows Components>Internet Explorer>Internet Settings

Internet Explorer 10 on Windows 8

This policy setting allows you to choose how links are opened in Internet Explorer: Let Internet Explorer decide, always in Internet Explorer, or always in Internet Explorer on the desktop.

If you enable this policy setting, Internet Explorer enforces your choice. Users cannot change the setting.

If you disable or do not configure this policy setting, users can choose how links are opened in Internet Explorer.

Set the maximum number of WebSocket connections per server

Administrative Templates>Windows Components>Internet Explorer>Security Features>AJAX

Internet Explorer 10

This policy setting allows you to change the default limit of WebSocket connections per server. The default limit is 6; you can select a value from 2 through 128.

If you enable this policy setting, Internet Explorer uses the WebSocket connection limit that you set with this policy setting.

If you disable or do not configure this policy setting, Internet Explorer uses the default limit of 6 WebSocket connections per server.

Turn off the WebSocket Object

Administrative Templates>Windows Components>Internet Explorer>Security Features>AJAX

Internet Explorer 10

The WebSocket object allows websites to request data across domains from your browser by using the WebSocket protocol. This policy setting allows administrators to enable or disable the WebSocket object. This policy setting does not prevent client-side communication across domains via other features in Internet Explorer 10. Also, this policy setting does not prevent a site from requesting cross-domain data through a server.

If you enable this policy setting, websites cannot request data across domains by using the WebSocket object.

If you disable or do not configure this policy setting, websites can request data across domains by using the WebSocket object. By default, the WebSocket object is enabled.

Do not display the reveal password button

Administrative Templates>Windows Components>Internet Explorer>Security Features

Internet Explorer 10

This policy setting allows you to hide the reveal password button when Internet Explorer prompts users for a password. The reveal password button is displayed during password entry. When the user clicks the button, the current password value is visible until the mouse button is released (or until the tap ends).

If you enable this policy setting, the reveal password button will be hidden for all password fields. Users and developers will not be able to depend on the reveal password button being displayed in any web form or web application.

If you disable or do not configure this policy setting, the reveal password button can be shown by the application as a user types in a password. The reveal password button is visible by default.

On at least Windows 8, if the Do not display the reveal password button policy setting located in Computer Configuration\Administrative Templates\Windows Components\Credential User Interface is enabled for the system, it will override this policy setting.

Install new versions of Internet Explorer automatically

Administrative Templates>Windows Components>Internet Explorer

Internet Explorer 10

This policy setting configures Internet Explorer to automatically install new versions of Internet Explorer when they are available.

If you enable this policy setting, automatic upgrade of Internet Explorer will be turned on.

If you disable this policy setting, automatic upgrade of Internet Explorer will be turned off.

If you do not configure this policy, users can turn on or turn off automatic updates from the About Internet Explorer dialog box.

Always send Do Not Track header

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Advanced Page

Internet Explorer 10

This policy setting allows you to configure how Internet Explorer sends the Do Not Track (DNT) header.

If you enable this policy setting, Internet Explorer sends the DNT: 1 header on all HTTP and HTTPS requests. The DNT: 1 header signals that servers should not track the user.

If you disable this policy setting, Internet Explorer sends the DNT: 1 header only when a Tracking Protection List is enabled, or when InPrivate Browsing mode is used.

If you do not configure the policy setting, users can select the Always send Do Not Track header option on the Advanced tab of the Internet Options dialog box. When this option is selected, Internet Explorer sends the DNT:1 header on all HTTP and HTTPS requests. This option is turned on by default.

Notify users if Internet Explorer is not the default web browser

Administrative Templates>Windows Components>Internet Explorer

Internet Explorer 10

This policy setting allows you to choose whether users will be notified if Internet Explorer is not the default web browser.

If you enable this policy setting, users will be notified if Internet Explorer is not the default web browser. Users cannot change the setting.

If you disable this policy setting, users will not be notified if Internet Explorer is not the default web browser. Users cannot change the setting.

If you do not configure this policy setting, users can choose whether to be notified that Internet Explorer is not the default web browser through the Tell me if Internet Explorer is not the default web browser check box on the Programs tab in the Internet Options dialog box. Note that starting with Internet Explorer 10 on Windows 8, the check box is located on the Advanced tab in the Internet Options dialog box.

Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects

Administrative Templates>Windows Components>Internet Explorer>Security Features>Add-on Management

Internet Explorer 10 on Windows 8

This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.

If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be Disabled, and users cannot enable Flash.

If you disable this policy setting, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.

Note that Adobe Flash can still be disabled through the Add-on List and Deny all add-ons unless specifically allowed in the Add-on List policy settings, even if this policy setting is disabled or not configured. However, if Adobe Flash is disabled through the Add-on List and Deny all add-ons unless specifically allowed in the Add-on List policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash objects can still do so.

Turn off flip ahead feature

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Advanced Page

Internet Explorer 10 on Windows 8

This policy setting allows you to turn off the flip ahead feature. When turned on, flip ahead allows users to quickly flip to the next page of a website by swiping across the screen or by clicking Forward. Your browsing history will be sent to Microsoft to improve how flip ahead works. Flip ahead is not available on Internet Explorer for the desktop.

If you enable this policy setting, flip ahead will be turned off.

If you disable this policy setting, flip ahead will be turned on.

If you do not configure this setting, flip ahead can be turned on or off through the Settings charm.

Enable dragging of content from different domains across windows

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page>Locked-Down Internet Zone

Note
See note below this table for additional zones.

Internet Explorer 6.0 in Windows XP with SP2, or Windows Server 2003 with SP1

This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.

If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.

If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting.

In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.

In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.

Enable dragging of content from different domains within a window

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page>Locked-Down Internet Zone

Note

See note below this table for additional zones.

Internet Explorer 6.0 in Windows XP with SP2, or Windows Server 2003 with SP1

This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.

If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting.

If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.

In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.

In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.

Render legacy filters

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page>Internet Zone

Note

See note below this table for additional zones.

Internet Explorer 10

This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone.

If you enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Options in Local Group Policy Editor.

If you disable, or do not configure this policy setting, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options dialog box. Filters are not rendered by default in this zone.

Render legacy filters

Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page>Intranet Zone

Note

See note below this table for additional zones.

Internet Explorer 10

This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone.

If you enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Options in Local Group Policy Editor.

If you disable, or do not configure this policy setting, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options dialog box. Filters are not rendered by default in this zone.

The Group Policy settings Enable dragging of content from different domains across windows and Enable dragging of content from different domains within a window are available in multiple console tree paths. The complete list includes the following:

  • Trusted Sites Zone

  • Locked-down Trusted Sites Zone

  • Restricted Sites Zone

  • Locked-down Restricted Sites Zone

  • Local Machine Zone

  • Locked-down Local Machine Zone

  • Intranet Zone

  • Locked-down Intranet Zone

  • Locked-down Internet Zone

  • Internet Zone

To add these new Group Policy settings, Internet Explorer 10 installs a new administrative template (inetres.admx) file in the %WinDir%\PolicyDefinitions directory. In addition, Internet Explorer 10 also installs a new language file (inetres.adml) for the administrative template in the %WinDir%\PolicyDefinitions\LCID directory, where LCID is a language ID, such as en-US.
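To check which registry values the policies in this template write, and what numeric range a setting accepts, the two files named above can be read directly. The following PowerShell is an added example, not part of the original topic and not Microsoft's code; the function name Get-AdmxPolicyMap and every policy name, key and value in the sample input are constructed placeholders, and the code relies only on the standard ADMX/ADML element names (policy, elements, stringTable, string).

```powershell
# Added example: list the registry values each policy in an ADMX template writes,
# labelled with the display names from the matching ADML language file.
function Get-AdmxPolicyMap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [xml] $Admx,   # contents of the .admx template
        [Parameter(Mandatory)] [xml] $Adml,   # contents of the .adml language file
        [string] $NameLike = '*'              # wildcard filter on the display name
    )

    # Language file: string id -> localized text. local-name() keeps the
    # lookups independent of the XML namespace declared on the root element.
    $strings = @{}
    foreach ($s in $Adml.SelectNodes('//*[local-name()="stringTable"]/*[local-name()="string"]')) {
        $strings[$s.GetAttribute('id')] = $s.InnerText.Trim()
    }

    foreach ($p in $Admx.SelectNodes('//*[local-name()="policies"]/*[local-name()="policy"]')) {
        # displayName is a reference of the form $(string.Id) into the ADML file.
        $display = $p.GetAttribute('displayName')
        if ($display -match '^\$\(string\.(.+)\)$' -and $strings.ContainsKey($Matches[1])) {
            $display = $strings[$Matches[1]]
        }
        if ($display -notlike $NameLike) { continue }

        $class = $p.GetAttribute('class')      # Machine, User or Both

        # Simple on/off policies carry valueName on the <policy> element itself.
        if ($p.HasAttribute('valueName')) {
            [pscustomobject]@{
                Policy = $display; Class = $class; Type = 'toggle'
                Key = $p.GetAttribute('key'); ValueName = $p.GetAttribute('valueName'); Range = ''
            }
        }

        # Policies with options (numbers, text, lists) declare them under <elements>.
        foreach ($e in $p.SelectNodes('*[local-name()="elements"]/*')) {
            # An element may override the policy's registry key.
            $key = if ($e.HasAttribute('key')) { $e.GetAttribute('key') } else { $p.GetAttribute('key') }
            $range = ''
            if ($e.HasAttribute('minValue') -or $e.HasAttribute('maxValue')) {
                $range = '{0}..{1}' -f $e.GetAttribute('minValue'), $e.GetAttribute('maxValue')
            }
            [pscustomobject]@{
                Policy = $display; Class = $class; Type = $e.LocalName
                Key = $key; ValueName = $e.GetAttribute('valueName'); Range = $range
            }
        }
    }
}

# Constructed sample input: placeholder names, keys and values, not copied from inetres.admx.
# Single-quoted here-strings stop PowerShell from expanding the $(string.Id) references.
[xml] $sampleAdmx = @'
<policyDefinitions>
  <policies>
    <policy name="Sample_Toggle" class="Both" displayName="$(string.Sample_Toggle)"
            key="Software\Policies\Example\Placeholder" valueName="SampleToggle">
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="Sample_Limit" class="Both" displayName="$(string.Sample_Limit)"
            key="Software\Policies\Example\Placeholder">
      <elements>
        <decimal id="Sample_Limit_Value" valueName="SampleLimit" minValue="2" maxValue="128" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>
'@

[xml] $sampleAdml = @'
<policyDefinitionResources>
  <resources>
    <stringTable>
      <string id="Sample_Toggle">Turn on Enhanced Protected Mode</string>
      <string id="Sample_Limit">Set the maximum number of WebSocket connections per server</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

Get-AdmxPolicyMap -Admx $sampleAdmx -Adml $sampleAdml | Format-Table -AutoSize

# On a computer with Internet Explorer 10 installed, load the real files instead:
#   $dir = Join-Path $env:WinDir 'PolicyDefinitions'
#   [xml] $admx = Get-Content -Raw (Join-Path $dir 'inetres.admx')
#   [xml] $adml = Get-Content -Raw (Join-Path $dir 'en-US\inetres.adml')
#   Get-AdmxPolicyMap -Admx $admx -Adml $adml -NameLike '*WebSocket*'
```

The Key and ValueName columns give the locations to compare against a computer's effective configuration when verifying that a hardening setting such as Enhanced Protected Mode was actually applied.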

Group Policies changed in Windows 8

The following table lists the Group Policies that have changed in Windows 8. These Group Policies were released with earlier versions of Internet Explorer.

Note

These updates reflect the following changes:

  • New Group Policy setting names

  • New Help text reflecting how the setting differs for users running the Windows 8 operating system.

Each entry in the table lists, in order: Policy name, Console tree path, Requirements, and Help text.

Prevent access to Delete Browsing History

Administrative Templates>Windows Components>Internet Explorer>Delete Browsing History

At least Internet Explorer 7

This policy setting prevents the user from performing actions which will delete browsing history.

If you disable or do not configure this policy setting, the user can access the Delete Browsing History dialog box. Starting with Windows 8, users can click the Delete Browsing History button on the Settings charm.

If you enable this policy setting, the user cannot access the Delete Browsing History dialog box. Starting with Windows 8, users cannot click the Delete Browsing History button on the Settings charm.

Turn off Shortcut Menu

Administrative Templates>Windows Components>Internet Explorer>Browser menus

At least Internet Explorer 5

This policy setting prevents the shortcut menu from appearing when a user right-clicks a webpage while using Internet Explorer. Starting with Windows 8, this policy setting only applies to Internet Explorer on the desktop.

If you enable this policy setting, the shortcut menu will not appear when a user right-clicks a webpage.

If you disable or do not configure this policy setting, users can use the shortcut menu.

Enforce full-screen mode

Administrative Templates>Windows Components>Internet Explorer

At least Internet Explorer 7

This policy setting allows you to enforce full-screen mode, which disables the navigation bar, the menu bar, and the Command bar. Starting with Windows 8, this policy only applies to Internet Explorer on the desktop.

The navigation bar includes features for browsing webpages, searching the web by using a selection of search tools, viewing a history of visited pages, printing, and accessing email and newsgroups. The menu bar contains menus that open lists of commands for printing, customizing Internet Explorer, copying and pasting text, managing favorites, and accessing Help. The Command bar enables the user to access and manage favorites, feeds, shortcuts to home page, and more. Full-screen mode disables not only these three bars, but also the shortcuts to these bars.

If you enable this policy setting, the navigation bar, the menu bar, and the Command bar are not visible, and the user cannot access them.

If you disable or do not configure this policy setting, the user can view and access the navigation bar, the menu bar, and the Command bar.

Prevent access to Internet Explorer Help

Administrative Templates>Windows Components>Internet Explorer

At least Internet Explorer 7

This policy setting prevents the user from accessing Help in Internet Explorer.

If you enable this policy setting, the following occurs:

  • The Help menu on the menu bar is not functional.

  • Help is removed from the Command bar.

  • The shortcut key F1 does not make Help appear.

  • Help cannot be accessed from the Settings charm (starting with Internet Explorer 10 on Windows 8).

If you disable or do not configure this policy setting, the Internet Explorer Help menu is available to the user. The user can also use the Command bar and F1 to access Help.

Prevent changing proxy settings

Administrative Templates>Windows Components>Internet Explorer

At least Internet Explorer 5

This policy setting specifies if a user can change proxy settings.

If you enable this policy setting, the user will not be able to configure proxy settings.

If you disable or do not configure this policy setting, the user can configure proxy settings.

Turn off Print Menu

Administrative Templates>Windows Components>Internet Explorer>Browser menus

At least Internet Explorer 5

This policy setting allows you to manage whether users can access the Print menu. Starting with Windows 8, this policy setting also allows you to manage whether users can access the Print flyout for Internet Explorer and any printers under the Devices charm.

If you enable this policy setting, the Print menu in Internet Explorer will not be available. Starting with Windows 8, the Print flyout for Internet Explorer will not be available, and users will not see printers under the Devices charm.

If you disable or do not configure this policy setting, the Print menu in Internet Explorer will be available. Starting with Windows 8, the Print flyout for Internet Explorer will be available, and users will see installed printers under the Devices charm.

Additional information for Group Policies

In the Help text strings for each of the Group Policies in this section, there is a link to this topic in the Internet Explorer TechNet library. Each of these Group Policies has interactions with other Group Policies, or has implications that are worth discussing outside of their Help text statements.

Notify users if Internet Explorer is not the default web browser

This new Group Policy is related to the Prevent changing default browser check Group Policy setting. The old Group Policy covers Internet Explorer 5 through Internet Explorer 9. The new Group Policy starts with Internet Explorer 10. Also, in Internet Explorer 10, the Tell me if Internet Explorer is not the default web browser check box is on the Advanced tab in the Internet Options dialog box. For earlier versions, it was on the Programs tab of the Internet Options dialog box.

| Policy name | Requirements | Change |
| --- | --- | --- |
| Prevent changing default browser check | Internet Explorer 5 – Internet Explorer 9 | Tell me if Internet Explorer is not the default web browser check box is on the Programs tab of the Internet Options dialog box. |
| Notify users if Internet Explorer is not the default web browser | Internet Explorer 10 | Tell me if Internet Explorer is not the default web browser check box is on the Advanced tab in the Internet Options dialog box. |

Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects

Starting in Windows 8, Adobe Flash is included as an Internet Explorer platform feature. Administrators have a new Group Policy, as well as two legacy Group Policies, to use for managing Flash and other add-ons. Here is the list of Group Policies, with their requirements and associated Help text:

Policy name Requirements Help text

Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects

Internet Explorer 10 on Windows 8

This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.

If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.

If you disable or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box. Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash objects can still do so.

Deny all Add-ons unless specifically allowed in the Add-on list

At least Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1

This policy setting allows you to ensure that any Internet Explorer Add-ons not listed in the "Add-on list" policy setting are denied. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.

By default, the "Add-on list" policy setting defines a list of Add-ons to be allowed or denied through Group Policy. However, users can still use the Add-on Manager within Internet Explorer to manage Add-ons not listed within the "Add-on list" policy setting. This policy setting effectively removes this option from users – all Add-ons are assumed to be denied unless they are specifically allowed through the "Add-on list" policy setting.

If you enable this policy setting, Internet Explorer only allows Add-ons that are specifically listed (and allowed) through the "Add-on list" policy setting.

If you disable or do not configure this policy setting, users may use Add-on Manager to allow or deny any Add-ons that are not included in the "Add-on list" policy setting.

Note: If an Add-on is listed in the "Add-on list" policy setting, the user cannot change its state through Add-on Manager (unless its value has been set to allow user management - see the "Add-on list" policy for more details).

Add-on list

At least Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1

This policy setting allows you to manage a list of Add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.

This list can be used with the "Deny all Add-ons unless specifically allowed in the Add-on list" policy setting, which defines whether Add-ons not listed here are assumed to be denied.

If you enable this policy setting, you can enter a list of Add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:

Name of the Value - the CLSID (class identifier) for the Add-on you wish to add to the list. The CLSID should be in brackets, for example, '{000000000-0000-0000-0000-0000000000000}'. The CLSID for an Add-on can be obtained by reading the OBJECT tag from a Web page on which the Add-on is referenced.

Value - A number indicating whether Internet Explorer should deny or allow the Add-on to be loaded. To specify that an Add-on should be denied enter a 0 (zero) into this field. To specify that an Add-on should be allowed, enter a 1 (one) into this field. To specify that an Add-on should be allowed and also permit the user to manage the Add-on through Add-on Manager, enter a 2 (two) into this field.

If you disable this policy setting, the list is deleted. The "Deny all Add-ons unless specifically allowed in the Add-on list" policy setting will still determine whether Add-ons not in this list are assumed to be denied.

The new Group Policy for managing how Internet Explorer technology can be used with Flash only manages Flash, and it overrules the legacy Group Policies if Flash is allowed with those Group Policies. If an administrator enables the new policy setting, Internet Explorer ignores settings made for Adobe Flash with the "Add-on list" and "Deny all add-ons unless specifically allowed in the Add-on list" policy settings.

| Add-on List and Deny all Add-ons unless specifically allowed in the Add-on list Group Policy settings | Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects Group Policy setting | Effect on Adobe Flash |
| --- | --- | --- |
| Allow Flash | Enabled | Disables Flash |
| Allow Flash | Disabled, or not configured | Enables Flash |
| Deny Flash | Enabled | Disables Flash |
| Deny Flash | Disabled, or not configured | Disables Flash |
| Group Policies do not mention Flash | Enabled | Disables Flash |
| Group Policies do not mention Flash | Disabled, or not configured | Enables Flash |

If you have enabled the "Deny all add-ons unless specifically allowed in the Add-on list" policy setting to prevent Flash from being used in your organization, you can enable, disable, or not configure the new Group Policy and Flash will still be disabled in your organization. The new Group Policy also prevents other applications that use Internet Explorer technology from using it to instantiate Flash objects.
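The interaction of the three policies described above, modeled in Python as an added example (not Microsoft's code). It also reports the case the Help text calls out, where Flash is off in the browser but other applications that use Internet Explorer technology can still instantiate it. The function names are hypothetical, FLASH_CLSID is a placeholder rather than the real class identifier, and an unlisted add-on without the deny-all policy is treated as enabled and user-managed.

```python
import re

# CLSID text form: 8-4-4-4-12 hex digits in braces.
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Placeholder for this sketch only; NOT the real Flash class identifier.
FLASH_CLSID = "{11111111-2222-3333-4444-555555555555}"


def addon_state(clsid, addon_list=None, deny_unlisted=False):
    """Return (allowed, user_can_manage) for one add-on.

    addon_list    -- "Add-on list" entries as {CLSID: 0 | 1 | 2}; None when the
                     policy is disabled or not configured
    deny_unlisted -- True when "Deny all add-ons unless specifically allowed
                     in the Add-on list" is enabled
    """
    entries = {}
    for key, value in (addon_list or {}).items():
        if not CLSID_RE.match(key) or value not in (0, 1, 2):
            raise ValueError(f"bad Add-on list entry: {key!r} = {value!r}")
        entries[key.upper()] = value
    value = entries.get(clsid.upper())
    if value is None:
        # Unlisted: denied outright under deny-all, otherwise left to the user.
        return (False, False) if deny_unlisted else (True, True)
    # 0 = deny, 1 = allow, 2 = allow and let the user manage it.
    return (value != 0, value == 2)


def flash_state(turn_off_flash, addon_list=None, deny_unlisted=False):
    """Effective Flash state under all three policies.

    turn_off_flash -- True when "Turn off Adobe Flash in Internet Explorer
                      and prevent applications ..." is enabled
    """
    allowed, user_can_manage = addon_state(FLASH_CLSID, addon_list, deny_unlisted)
    if turn_off_flash:
        # The new policy ignores whatever the add-on policies say about Flash.
        return {"ie": False, "user_can_change": False, "hosted_apps": False}
    # Add-on policies alone never stop other applications that use Internet
    # Explorer technology from instantiating Flash objects.
    return {"ie": allowed, "user_can_change": user_can_manage, "hosted_apps": True}


def has_hosting_gap(turn_off_flash, addon_list=None, deny_unlisted=False):
    """True when Flash is off in the browser but still reachable by other apps."""
    state = flash_state(turn_off_flash, addon_list, deny_unlisted)
    return not state["ie"] and state["hosted_apps"]
```

A configuration for which has_hosting_gap returns True relies on the legacy add-on policies alone; enabling the new policy closes the gap.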

See Also

Concepts

Appendix B: Replacements for Internet Explorer Maintenance

Other Resources

Internet Explorer 10 - Overview for IT Pros
Internet Explorer 10 FAQ for IT Pros