Tag: User Configuration
Disallow Autoplay for non-volume devices
This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting AutoPlay is enabled for non-volume devices.
Turn off Autoplay
This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result the setup file of programs and the music on audio media start immediately. Prior to Windows XP SP2 Autoplay is disabled by default on removable drives such as the floppy disk drive (but not the CD-ROM drive) and on network drives. Starting with Windows XP SP2 Autoplay is enabled for removable drives as well including Zip drives and some USB mass storage devices. If you enable this policy setting Autoplay is disabled on CD-ROM and removable media drives or disabled on all drives. This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default. If you disable or do not configure this policy setting AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
Prevent AutoPlay from remembering user choices.
This policy setting allows you to prevent AutoPlay from remembering user’s choice of what to do when a device is connected. If you enable this policy setting AutoPlay prompts the user to choose what to do when a device is connected. If you disable or do not configure this policy setting AutoPlay remembers user’s choice of what to do when a device is connected.
Set the default behavior for AutoRun
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun. inf files. They often launch the installation program or other routines. Prior to Windows Vista when media containing an autorun command is inserted the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user’s knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. If you enable this policy setting an Administrator can change the default Windows Vista or later behavior for autorun to: a) Completely disable autorun commands or b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command. If you disable or not configure this policy setting Windows Vista or later will prompt the user whether autorun command is to be run.
Inclusion list for moderate risk file types
This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). If you enable this policy setting you can specify file types which pose a moderate risk. If you disable this policy setting Windows uses its default trust logic. If you do not configure this policy setting Windows uses its default trust logic.
Inclusion list for low file types
This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types Windows will not prompt the user before accessing the file regardless of the file’s zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting you can specify file types that pose a low risk. If you disable this policy setting Windows uses its default trust logic. If you do not configure this policy setting Windows uses its default trust logic.
Inclusion list for high risk file types
This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone Windows blocks the user from accessing the file. If the file is from the Internet zone Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting you can create a custom list of high-risk file types. If you disable this policy setting Windows uses its built-in list of file types that pose a high risk. If you do not configure this policy setting Windows uses its built-in list of high-risk file types.
Default risk level for file attachments
This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments you may also need to configure the trust logic for file attachments. High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone Windows blocks the user from accessing the file. If the file is from the Internet zone Windows prompts the user before accessing the file. Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone Windows prompts the user before accessing the file. Low Risk: If the attachment is in the list of low-risk file types Windows will not prompt the user before accessing the file regardless of the file’s zone information. If you enable this policy setting you can specify the default risk level for file types. If you disable this policy setting Windows sets the default risk level to moderate. If you do not configure this policy setting Windows sets the default risk level to moderate.
Hide mechanisms to remove zone information
This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file’s property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. If you enable this policy setting Windows hides the check box and Unblock button. If you disable this policy setting Windows shows the check box and Unblock button. If you do not configure this policy setting Windows hides the check box and Unblock button.
Do not preserve zone information in file attachments
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted Internet intranet local). This requires NTFS in order to function correctly and will fail without notice on FAT32. By not preserving the zone information Windows cannot make proper risk assessments. If you enable this policy setting Windows does not mark file attachments with their zone information. If you disable this policy setting Windows marks file attachments with their zone information. If you do not configure this policy setting Windows marks file attachments with their zone information.