Category: At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 1

This policy setting allows you to manage whether the listed processes respect add-on management user preferences (as entered into Add-on Manager) or policy settings. By default only Internet Explorer processes use the add-on management user preferences and policy settings. This policy setting allows you to extend support for these user preferences and policy settings to specific processes listed in the process list. If you enable this policy setting and enter a Value of 1 the process entered will respect the add-on management user preferences and policy settings. If you enter a Value of 0 the add-on management user preferences and policy settings are ignored by the specified process. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored. Do not enter Internet Explorer processes in this list because these processes always respect add-on management user preferences and policy settings. If the All Processes policy setting is enabled the processes configured in this policy setting take precedence over that setting. If you do not configure this policy processes other than the Internet Explorer processes will not be affected by add-on management user preferences or policy settings (unless “All Processes” is enabled).

For each zone the Binary and Scripted Behavior security restrictions may be configured to allow only a list of admin-approved behaviors. This list may be configured here and applies to all processes which have opted in to the behavior and to all zones. (Behaviors are components that encapsulate specific functionality or behavior on a page. )If you enable this policy setting this sets the list of behaviors permitted in each zone for which Script and Binary Behaviors is set to ‘admin-approved’. Behaviors must be entered in #package#behavior notation e. g. #default#vml. If you disable this policy setting no behaviors will be allowed in zones set to ‘admin-approved’ just as if those zones were set to ‘disable’. If you do not configure this policy setting only VML will be allowed in zones set to ‘admin-approved’. Note. If this policy is set in both Computer Configuration and User Configuration both lists of behaviors will be allowed as appropriate.

Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setting is prevented or allowed. If you enable this policy setting binary behaviors are prevented for all processes. Any use of binary behaviors for HTML rendering is blocked. If you disable or do not configure this policy setting binary behaviors are allowed for all processes.

This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls Toolbars and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. This list can be used with the ‘Deny all add-ons unless specifically allowed in the Add-on List’ policy setting which defines whether add-ons not listed here are assumed to be denied. If you enable this policy setting you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list enter the following information:Name of the Value – the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example ‘{000000000-0000-0000-0000-0000000000000}’. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. Value – A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager enter a 2 (two) into this field. If you disable this policy setting the list is deleted. The ‘Deny all add-ons unless specifically allowed in the Add-on List’ policy setting will still determine whether add-ons not in this list are assumed to be denied.

This policy setting allows you to manage whether software such as ActiveX controls and file downloads can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. If you enable this policy setting users will be prompted to install or run files with an invalid signature. If you disable this policy setting users cannot run or install files with an invalid signature. If you do not configure this policy users can choose to run or install files with an invalid signature.