Category: At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 1

This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or to a new domain. If you enable this policy setting an object reference is no longer accessible when navigating within or across domains for Internet Explorer processes. If you disable this policy setting an object reference is retained when navigating within or across domains for Internet Explorer processes. If you do not configure this policy setting an object reference is no longer accessible when navigating within or across domains for Internet Explorer processes.

Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet Intranet Local Machine zone and so on). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1 elevation to more privileged zones can be prevented. If you enter a Value of 0 elevation to any zone is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting the security feature is allowed.

Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet Intranet Local Machine zone etc. ). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enable this policy setting any zone can be protected from zone elevation by Internet Explorer processes. If you disable this policy setting no zone receives such protection for Internet Explorer processes. If you do not configure this policy setting any zone can be protected from zone elevation by Internet Explorer processes.

Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is prevented or allowed. If you enable this policy setting restricting content obtained through restricted protocols is allowed for all processes other than File Explorer or Internet Explorer. If you disable this policy setting restricting content obtained through restricted protocols is prevented for all processes other than File Explorer or Internet Explorer. If you do not configure this policy setting no policy is enforced for processes other than File Explorer and Internet Explorer.

The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting the MK Protocol is prevented for File Explorer and Internet Explorer and resources hosted on the MK protocol will fail. If you disable this policy setting applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes. If you do not configure this policy setting the MK Protocol is prevented for File Explorer and Internet Explorer and resources hosted on the MK protocol will fail.

This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or to a new domain. If you enable this policy setting object reference is no longer accessible when navigating within or across domains for all processes. If you disable or do not configure this policy setting object reference is retained when navigating within or across domains in the Restricted Zone sites.

The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1 use of the MK protocol is prevented. If you enter a Value of 0 use of the MK protocol is allowed. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting the policy setting is ignored.