accepted
FDCC: Guidance for Securing Microsoft Internet Explorer 7 for IT Professionals
This guide has been created to assist IT professionals in effectively securing systems with Microsoft Internet Explorer 7 installed.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. NIST would appreciate acknowledgement if the document and template are used.
todo - add text
Trademark InformationMicrosoft, Windows, Windows XP, Windows Vista, Internet Explorer, and Windows Firewall are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.All other names are registered trademarks or trademarks of their respective companies.
National Institute of Standards and Technology
SP 800-68
v1.2.0.0
800-53 Low
This profile selects specific controls that are recommended by Special Publication 800-53 for information systems in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low. Each control has an effect on other groups within this document as individual rule require certain controls to be selected.
800-53 Moderate
This profile selects specific controls that are recommended by Special Publication 800-53 for information systems in which at least one security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of moderate and no security objective is assigned a FIPS 199 potential impact value of high. Each control has an effect on other groups within this document as individual rule require certain controls to be selected.
800-53 High
This profile selects specific controls that are recommended by Special Publication 800-53 for information systems in which at least one security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of high. Each control has an effect on other groups within this document as individual rule require certain controls to be selected.
800-53 All
This profile selects all the security controls that are recommended by Special Publication 800-53 for information systems. Each control has an effect on other groups within this document as individual rule require certain controls to be selected.
Federal Desktop Core Configuration version 1.2.0.0
This profile represents guidance outlined by the Federal Core Configuration for a desktop system with Microsoft Internet Explorer 7 installed.
NIST SP 800-53 Controls
Applicable 800-53 Access Control Checks
Access Control Policy and Procedures
ISO/IEC 17799: 11.1.1, 11.4.1, 15.1.1
NIST 800-26: 15, 16
DOD 8500.2: ECAN-1, ECPA-1, PRAS-1, DCAR-1
DCID 6/3: 2.B.4.e(5), 4.B.1.a(1)(b)
Account Management
ISO/IEC 17799: 6.2.2, 6.2.3, 8.3.3, 11.2.1, 11.2.2, 11.2.4, 11.7.2
NIST 800-26: 6.1.8, 15.1.1, 15.1.4, 15.1.15, 15.1.8, 15.2.2, 16.1.3, 16.1.5, 16.2.12
GAO FISCAM: AC-2.1 AC-2.2, AC-3.2, SP-4.1
DOD 8500.2: IAAC-1
DCID 6/3: 4.B.2.a(3)
Access Enforcement
ISO/IEC 17799: 11.2.4, 11.4.5
NIST 800-26: 10.1.2, 15.1.1, 16.1.1, 16.1.2, 16.1.3, 16.1.7, 16.1.9, 16.2.1, 16.2.7, 16.2.10, 16.2.11, 16.2.15
GAO FISCAM: AC-2, AC-3.2
DOD 8500.2: DCFA-1, ECAN-1, EBRU-1, PRNK-1, ECCD-1, ECSD-2
DCID 6/3: Discretionary Access Control (DAC): 4.B.2.a(2), Mandatory Access Control (MAC): 4.B.4.a(3)
Information Flow Enforcement
ISO/IEC 17799: 10.6.2, 11.4.5, 11.4.6, 11.4.7
DOD 8500.2: EBBD-1, EBBD-2
DCID 6/3: 4.B.3.a(3), 7.B.3.g
Separation of Duties
ISO/IEC 17799: 10.1.3, 10.6.1, 10.10.1
NIST 800-26: 6.1.1, 6.1.2, 6.1.3, 15.2.1, 16.1.2, 17.1.5
GAO FISCAM: AC-3.2, SD-1.2
DOD 8500.2: ECLP-1
DCID 6/3: 2.A.1, 4.B.3.a(18)
Least Privilege
ISO/IEC 17799: 11.2.2
NIST 800-26: 16.1.2, 16.1.3, 17.1.5
GAO FISCAM: AC-3.2
DOD 8500.2: ECLP-1
DCID 6/3: 4.B.2.a(10)
Unsuccessful Login Attempts
ISO/IEC 17799: 11.5.1
NIST 800-26: 15.1.14
GAO FISCAM: AC-3.2
DOD 8500.2: ECLO-1
DCID 6/3: 4.B.2.a(17)(c)-(d)
System Use Notification
ISO/IEC 17799: 11.5.1, 15.1.5
NIST 800-26: 16.2.13, 16.3.1, 17.1.9
GAO FISCAM: AC-3.2
DOD 8500.2: ECWM-1
DCID 6/3: 4.B.1.a(6)
Previous Logon Notification
ISO/IEC 17799: 11.5.1
GAO FISCAM: AC-3.2
DOD 8500.2: ECLO-2
Concurrent Session Control
DOD 8500.2: ECLO-1
DCID 6/3: 4.B.2.a(17)(a)
Session Lock
ISO/IEC 17799: 11.3.2
NIST 800-26: 16.1.4
GAO FISCAM: AC-3.2
DOD 8500.2: PESL-1
DCID 6/3: 4.B.1.a(5)
Session Termination
ISO/IEC 17799: 11.3.2, 11.5.5
NIST 800-26: 16.1.4, 16.2.6
GAO FISCAM: AC-3.2
DCID 6/3: 4.B.2.a(17)(b)
Supervision and Review—Access Control
ISO/IEC 17799: 10.10.2, 11.2.4
NIST 800-26: 7.1.10, 11.2.2, 16.1.10, 16.2.5, 17.1.6, 17.1.7
GAO FISCAM: AC-4, AC-4.3, SS-2.2
DOD 8500.2: ECAT-1, ECAT-2, E3.3.9
DCID 6/3: 2.B.7.c, 4.B.3.a(8)(b)
Permitted Actions without Identification or Authentication
NIST 800-26: 16.2.12
DCID 6/3: 7.D.3.a
Automated Marking
ISO/IEC 17799: 7.2.2
NIST 800-26: 8.2.4, 16.1.6
GAO FISCAM: AC-3.2
DOD 8500.2: ECML-1
DCID 6/3: 4.B.2.a(11)
Automated Labeling
ISO/IEC 17799: 7.2.2
NIST 800-26: 16.1.6
GAO FISCAM: AC-3.2
DOD 8500.2: ECML-1
DCID 6/3: 4.B.1.a(3), 4.B.4.a(15), 4.B.4.a(16)
Remote Access
ISO/IEC 17799: 11.4.2, 11.4.3, 11.4.4
NIST 800-26: 16.2.4, 16.2.8
GAO FISCAM: AC-3.2
DOD 8500.2: EBRP-1, EBRU-1
DCID 6/3: 4.B.1.a(1)(b), 4.B.3.a(11), 7.D.2.e
Wireless Access Restrictions
ISO/IEC 17799: 11.4.2, 11.7.1, 11.7.2
DOD 8500.2: ECCT-1, ECWN-1
DCID 6/3: 4.B.1.a(8), 5.B.3.a(11)
Access Control for Portable and Mobile Systems
ISO/IEC 17799: 11.7.1
NIST 800-26: 7.3.1, 7.3.2
DOD 8500.2: ECWN-1
DCID 6/3: 8.B.6.c, 9.G.4
Use of External Information Systems
ISO/IEC 17799: 6.1.4, 9.2.5, 11.7.1
NIST 800-26: 10.2.13
DCID 6/3: 8.B.6.c
Applicable 800-53 Awareness and Training
Security Awareness and Training Policy and Procedures
ISO/IEC 17799: 5.1.1, 8.2.2, 15.1.1
NIST 800-26: 13
DOD 8500.2: PRTN-1, DCAR-1
DCID 6/3: DCID: B.3.c, Manual: 2.B.2.b(8); 2.B.4.e(6)
Security Awareness
ISO/IEC 17799: 6.2.3, 8.2.2, 10.4.1, 11.7.1, 13.1.1, 14.1.4, 15.1.4
NIST 800-26: 13.1.4, 13.1.5
DOD 8500.2: PRTN-1
DCID 6/3: 8.B.1
Security Training
ISO/IEC 17799: 8.2.2, 10.3.2, 11.7.1, 13.1.1, 14.1.4
NIST 800-26: 13.1, 13.1.3, 13.1.5
DOD 8500.2: PRTN-1
DCID 6/3: 8.B.1
Security Training Records
NIST 800-26: 13.1.2
DCID 6/3: 8.B.1
Contacts with Security Groups and Associations
ISO/IEC 17799: 6.1.7
Applicable 800-53 Audit and Accountability
Audit and Accountability Policy and Procedures
ISO/IEC 17799: 10.1, 15.1.1
NIST 800-26: 17
DOD 8500.2: ECAT-1, ECTB-1, DCAR-1
DCID 6/3: DCID: B.2.d, Manual: 2.B.4.e(5); 4.B.2.a(4)
Auditable Events
ISO/IEC 17799: 10.10.1
NIST 800-26: 17.1.1, 17.1.2, 17.1.4
DOD 8500.2: ECAR-3
DCID 6/3: 4.B.2.a(4)(d)
Content of Audit Records
ISO/IEC 17799: 10.10.1, 10.10.4
NIST 800-26: 17.1.1
DOD 8500.2: ECAR-1, ECAR-2, ECAR-3, ECLC-1
DCID 6/3: 4.B.2.a(4)(a), 4.B.2.a(5)(a)
Audit Storage Capacity
ISO/IEC 17799: 10.10.3
DCID 6/3: 5.B.2.a(5)(a)(1)
Response to Audit Processing Failures
ISO/IEC 17799: 10.10.3
DCID 6/3: 4.B.4.a(9)(d)
Audit Monitoring, Analysis, and Reporting
ISO/IEC 17799: 10.10.2, 10.10.4, 13.2.1
NIST 800-26: 16.2.5, 17.1.7, 17.1.8
GAO FISCAM: AC-4.3
DOD 8500.2: ECAT-1, E3.3.9
DCID 6/3: 4.B.4.a(10)
Audit Reduction and Report Generation
ISO/IEC 17799: 10.10.3
NIST 800-26: 17.1.2, 17.1.7
DOD 8500.2: ECRG-1
DCID 6/3: 4.B.3.a(6)
Time Stamps
ISO/IEC 17799: 10.10.6
DOD 8500.2: ECAR-1
DCID 6/3: 4.B.2.a(4)(a)
Protection of Audit Information
ISO/IEC 17799: 10.10.3, 15.1.3, 15.3.2
NIST 800-26: 17.1.3, 17.1.4
DOD 8500.2: ECTP-1
DCID 6/3: 4.B.2.a(4)(b)
Non-repudiation
ISO/IEC 17799: 10.8.2, 10.9.1, 12.3.1
NIST 800-26: 15.1.2, 17.1.1
DOD 8500.2: DCNR-1
DCID 6/3: 5.B.3.a(8)
Audit Record Retention
ISO/IEC 17799: 10.10.1, 15.1.3
NIST 800-26: 17.1.4
DOD 8500.2: ECRR-1
DCID 6/3: 4.B.2.a(4)(c)
Applicable 800-53 Certification, Accreditation, and Security Assessment
Certification, Accreditation, and Security Assessment Policies and Procedures
ISO/IEC 17799: 6.1.4, 10.3.2, 15.1.1
NIST 800-26: 2, 4
DOD 8500.2: DCAR-1, DCII-1
DCID 6/3: DCID: B.3, Manual: 2.B.2.b(1)
Security Assessments
ISO/IEC 17799: 6.1.8, 15.2.1, 15.2.2
NIST 800-26: 2.1.1, 2.1.3, 2.1.4
GAO FISCAM: SP-5.1
DOD 8500.2: DCII-1, ECMT-1, PEPS-1, E3.3.10
DCID 6/3: DCID: B.2.b; B.3.a, Manual: 4.B.2.b(6); 5.B.1.b(1); 9.B.1; 9.B.4
Information System Connections
ISO/IEC 17799: 10.6.2, 10.9.1, 11.4.5, 11.4.6, 11.4.7
NIST 800-26: 1.1.1, 3.2.9, 4.1.8, 12.2.3
GAO FISCAM: CC-2.1
DOD 8500.2: DCID-1, EBCR-1 EBRU-1, EBPW-1, ECIC-1
DCID 6/3: 9.B.3, 9.D.3.c
Security Certification
ISO/IEC 17799: 10.3.2
NIST 800-26: 2.1.2, 3.2.3, 3.2.5, 3.2.6, 4.1.1, 4.1.6, 11.2.8. 12.2.5
GAO FISCAM: CC-2.1
DOD 8500.2: DCAR-1, 5.7.5
DCID 6/3: DCID: B.3, Manual: 4.B.3.b(8); 9.E.2.a(2); 9.E.2.a(3)
Plan of Action and Milestones
ISO/IEC 17799: 15.2.1
NIST 800-26: 1.1.5, 1.2.3, 2.2.1, 4.2.1
GAO FISCAM: SP-5.1 SP-5.2
DOD 8500.2: 5.7.5
DCID 6/3: 9.E.2.a(3)(a)
Security Accreditation
ISO/IEC 17799: 10.3.2
NIST 800-26: 3.2.7, 12.2.5
DOD 8500.2: 5.7.5
DCID 6/3: DCID: B.3, Manual: 9.D.3; 9.D.4
Continuous Monitoring
ISO/IEC 17799: 15.2.1, 15.2.2
NIST 800-26: 10.2.1
DOD 8500.2: DCCB-1, DCPR-1, E3.3.9
DCID 6/3: DCID: B.2.d; Manual: 2.B.4.e(7); 2.B.5.c(10); 5.B.2.b(2); 9.B.1; 9.D.7
Applicable 800-53 Configuration Management
Configuration Management Policy and Procedures
ISO/IEC 17799: 12.4.1, 12.5.1, 15.1.1
DOD 8500.2: DCCB-1, DCPR-1, DCAR-1, E3.3.8
DCID 6/3: DCID: B.2.a Manual: 2.B.4.e(5); 5.B.2.a(5)
Baseline Configuration and System Component Inventory
ISO/IEC 17799: 7.1.1, 15.1.2
NIST 800-26: 1.1.1, 3.1.9, 10.2.7, 10.2.9, 12.1.4
GAO FISCAM: CC-2.3, CC-3.1, SS-1.2
DOD 8500.2: DCHW-1, DCSW-1
DCID 6/3: 2.B.7.c(7), 4.B.1.c(3), 4.B.2.b(6)
Configuration Change Control
ISO/IEC 17799: 10.1.2, 10.2.3, 12.4.1, 12.5.1, 12.5.2, 12.5.3
NIST 800-26: 3.1.4, 10.2.2, 10.2.3, 10.2.8, 10.2.10, 10.2.11
GAO FISCAM: SS-3.2, CC-2.2
DOD 8500.2: DCPR-1
DCID 6/3: 2.B.7.c(7) 4.B.1.c(3), 4.B.2.b(6), 5.B.2.a(5)
Monitoring Configuration Changes
ISO/IEC 17799: 10.1.2
NIST 800-26: 10.2.1, 10.2.4
GAO FISCAM: SS-3.1, SS-3.2, CC-2.1
DOD 8500.2: DCPR-1, E3.3.8
DCID 6/3: 2.B.7.c(7), 4.B.1.c(3), 5.B.2.b(2), 8.B.8.c(7)
Access Restrictions for Change
ISO/IEC 17799: 11.6.1
NIST 800-26: 6.1.3, 6.1.4, 10.1.1, 10.1.4, 10.1.5
GAO FISCAM: SD-1.1, SS-1.2, SS-2.1
DOD 8500.2: DCPR-1, ECSD-2
DCID 6/3: 5.B.3.a(2)(b)
Configuration Settings
NIST 800-26: 10.2.6, 10.3.1, 16.2.2, 16.2.3, 16.2.11
DOD 8500.2: DCSS-1, ECSC-1, E3.3.8
DCID 6/3: 4.B.2.a(10)
Least Functionality
NIST 800-26: 10.3.1
DOD 8500.2: DCPP-1, ECIM-1, ECVI-1, E3.3.8
DCID 6/3: 4.B.2.a(10), 7.D.2.b
Applicable 800-53 Contingency Planning
Contingency Planning Policy and Procedures
ISO/IEC 17799: 5.1.1, 10.4.1, 14.1.1, 14.1.3, 15.1.1
NIST 800-26: 9
DOD 8500.2: COBR-1, DCAR-1
DCID 6/3: 2.B.4.e(5), 6.B.1.a(1)
Contingency Plan
ISO/IEC 17799: 10.3.2, 10.4.1, 10.8.5, 14.1.3, 14.1.4
NIST 800-26: 4.1.4, 9.1.1, 9.2, 9.2.1, 9.2.2, 9.2.3, 9.2.10, 12.1.8, 12.2.2
GAO FISCAM: SC-3.1, SC-1.1
DOD 8500.2: CODP-1, COEF-1
DCID 6/3: 6.B.2.b(1)
Contingency Training
ISO/IEC 17799: 14.1.3, 14.1.4
NIST 800-26: 9.3.2
GAO FISCAM: SC-2.3
DOD 8500.2: PRTN-1
DCID 6/3: 8.B.1
Contingency Plan Testing
ISO/IEC 17799: 10.5.1, 14.1.5
NIST 800-26: 4.1.4, 9.3.3
GAO FISCAM: SC-3.1
DOD 8500.2: COED-1
DCID 6/3: 6.B.3.b(2)(b)
Contingency Plan Update
ISO/IEC 17799: 14.1.3, 14.1.5
NIST 800-26: 9.3.1, 9.3.3, 10.2.12
GAO FISCAM: SC-2.1, SC-3.1
DOD 8500.2: DCAR-1
DCID 6/3: 6.B.3.b(2)
Alternate Storage Sites
ISO/IEC 17799: 10.5.1
NIST 800-26: 9.2.4, 9.2.5, 9.2.7, 9.2.9
GAO FISCAM: SC-2.1, SC-3.1
DOD 8500.2: CODB-2
DCID 6/3: 6.B.2.a(2), 6.B.3.a(2)(d)
Alternate Processing Sites
ISO/IEC 17799: 14.1.4
NIST 800-26: 9.1.3, 9.2.4, 9.2.5, 9.2.7, 9.2.9
GAO FISCAM: SC-2.1, SC-3.1
DOD 8500.2: COAS-1, COEB-1, COSP-1, COSP-2
DCID 6/3: 6.B.3.a(2)(d)
Telecommunications Services
ISO/IEC 17799: 14.1.4
DCID 6/3: 6.B.2.a(4)
Information System Backup
ISO/IEC 17799: 10.5.1, 11.7.1
NIST 800-26: 9.1.1, 9.2.6, 9.2.9, 9.3.1, 12.1.9
GAO FISCAM: SC-2.1
DOD 8500.2: CODB-1, CODB-2, COSW-1
DCID 6/3: 6.B.1.a(2)
Information System Recovery and Reconstitution
ISO/IEC 17799: 14.1.4
NIST 800-26: 9.2.8
GAO FISCAM: SC-2.1
DOD 8500.2: COTR-1, ECND-1
DCID 6/3: 4.B.1.a(4), 6.B.1.a(1), 6.B.2.a(3)(d)
Applicable 800-53 Identification and Authentication
Identification and Authentication Policy and Procedures
ISO/IEC 17799: 15.1.1
NIST 800-26: 11.2.3
DOD 8500.2: IAIA-1, DCAR-1
DCID 6/3: DCID: B.2.a Manual: 2.B.4.e(5)
User Identification and Authentication
ISO/IEC 17799: 11.2.3, 11.4.2, 11.5.2
NIST 800-26: 15.1
DOD 8500.2: IAIA-1
DCID 6/3: 4.B.2.a(7)
Device Identification and Authentication
ISO/IEC 17799: 11.4.2, 11.4.3, 11.7.1
NIST 800-26: 16.2.7
DCID 6/3: 4.B.5.a(14)
Identifier Management
ISO/IEC 17799: 11.2.3, 11.5.2
NIST 800-26: 15.1.1, 15.2.2, 15.1.8
GAO FISCAM: AC-2.1, AC-3.2, SP-4.1
DOD 8500.2: IAGA-1, IAIA-1
DCID 6/3: 4.B.1.a(2)
Authenticator Management
ISO/IEC 17799: 11.5.2, 11.5.3
NIST 800-26: 15.1.6, 15.1.7, 15.1.9, 15.1.10, 15.1.11, 15.1.12, 15.1.13, 16.1.3, 16.2.3
GAO FISCAM: AC-3.2
DOD 8500.2: IAKM-1, IATS-1
DCID 6/3: 4.B.2.a(7), 4.B.3.a(11)
Authenticator Feedback
ISO/IEC 17799: 11.5.1
DCID 6/3: 4.B.2.a(7)(g)
Cryptographic Module Authentication
NIST 800-26: 16.1.7
DCID 6/3: 1.G
Applicable 800-53 Incident Response
Incident Response Policy and Procedures
ISO/IEC 17799: 10.4.1, 13.1, 13.2.1, 15.1.1
NIST 800-26: 14
DOD 8500.2: VIIR-1, DCAR-1
DCID 6/3: DCID: B.2.c; C.4 Manual: 2.B.4.e(5); 2.B.2.b(6); 2.B.6.c(10); 8.B.7
Incident Response Training
ISO/IEC 17799: 13.1.1
NIST 800-26: 14.1.4
GAO FISCAM: SP-3.4
DOD 8500.2: VIIR-1
DCID 6/3: 8.B.1.b(1)(f), 8.B.1.c(1)(e), 8.B.1.c(2)©
Incident Response Testing
ISO/IEC 17799: 14.1.5
DOD 8500.2: VIIR-1
DCID 6/3: 8.B.7
Incident Handling
ISO/IEC 17799: 6.1.6, 13.2.1, 13.2.2
NIST 800-26: 2.1.5, 14.1.1, 14.1.2, 14.1.6
GAO FISCAM: SP-3.4
DOD 8500.2: VIIR-1, E3.3.9
DCID 6/3: 8.B.7, 9.B.2.e
Incident Monitoring
NIST 800-26: 14.1.3
DOD 8500.2: VIIR-1
DCID 6/3: 8.B.7.a
Incident Reporting
ISO/IEC 17799: 6.1.6, 6.2.2, 6.2.3, 13.1.1, 13.1.2
NIST 800-26: 14.1.2, 14.1.3, 14.2.1, 14.2.2, 14.2.3
DOD 8500.2: VIIR-1, E3.3.9
DCID 6/3: 8.B.7
Incident Response Assistance
ISO/IEC 17799: 14.1.3
NIST 800-26: 8.1.1, 14.1.1
GAO FISCAM: SP-3.4
DCID 6/3: 8.B.7.c
Applicable 800-53 Maintenance
System Maintenance Policy and Procedures
ISO/IEC 17799: 10.1.1, 15.1.1
NIST 800-26: 10
DOD 8500.2: PRMP-1, DCAR-1
DCID 6/3: DCID: B.2.a Manual: 2.B.4.e(5); 6.B.2.a(5)
Periodic Maintenance
ISO/IEC 17799: 9.2.4
NIST 800-26: 10.1.1, 10.1.3, 10.2.1
GAO FISCAM: SS-3.1
DCID 6/3: 6.B.2.a(5), 8.B.8.c
Maintenance Tools
NIST 800-26: 10.1.3, 11.2.4
DCID 6/3: 6.B.3.a(5), 8.B.8.c(4), 8.B.8.c(5)
Remote Maintenance
ISO/IEC 17799: 11.4.4
NIST 800-26: 10.1.1, 17.1.1
GAO FISCAM: SS-3.1
DOD 8500.2: EBRP-1
DCID 6/3: 8.B.8.d
Maintenance Personnel
ISO/IEC 17799: 6.2.3, 9.2.4
NIST 800-26: 10.1.1, 10.1.3
GAO FISCAM: SS-3.1
DOD 8500.2: PRMP-1
DCID 6/3: 8.B.8.a
Timely Maintenance
NIST 800-26: 9.1.2
GAO FISCAM: SC-1.2
DOD 8500.2: COMS-1, COSP-1
DCID 6/3: 6.B.2.a(5)
Applicable 800-53 Media Protection
Media Protection Policy and Procedures
ISO/IEC 17799: 10.1.1, 10.7, 15.1.1, 15.1.3
NIST 800-26: 8.2
DOD 8500.2: PESP-1, DCAR-1
DCID 6/3: DCID: B.2.a Manual: 2.B.6.c(7); 8.B.2
Media Access
ISO/IEC 17799: 10.7.3
NIST 800-26: 8.2.1, 8.2.2, 8.2.3, 8.2.6, 8.2.7
DOD 8500.2: PEDI-1, PEPF-1
DCID 6/3: 2.B.9.b(4), 4.B.1.a(1), 4.B.1.a(7)
Media Labeling
ISO/IEC 17799: 7.2.2, 10.7.3, 10.8.2, 15.1.3
NIST 800-26: 8.2.5, 8.2.6, 10.2.9
DOD 8500.2: ECML-1
DCID 6/3: 2.B.9.b(4), 8.B.2.a, 8.B.2.c
Media Storage
ISO/IEC 17799: 10.7.1, 10.7.2, 10.7.3, 10.7.4, 15.1.3
NIST 800-26: 7.1.4, 8.2.1, 8.2.2, 8.2.9, 10.1.2
GAO FISCAM: AC-3.1
DOD 8500.2: PESS-1
DCID 6/3: 2.B.9.b(4), 4.B.1.a(7)
Media Transport
ISO/IEC 17799: 10.8.3
NIST 800-26: 8.2.2, 8.2.4
DCID 6/3: 2.B.9.b(4)
Media Sanitization
ISO/IEC 17799: 9.2.6, 10.7.1, 10.7.2
NIST 800-26: 3.2.11, 3.2.12, 3.2.13, 8.2.8, 8.2.9, 8.2.10
GAO FISCAM: AC-3.4
DOD 8500.2: PECS-1, PEDD-1
DCID 6/3: 8.B.5, 2.B.9.b(4), 8.B.5.a(4), 8.B.5.d, 8.B.5.e
Media Destruction and Disposal
ISO/IEC 17799:
NIST 800-26:
GAO FISCAM:
DOD 8500.2:
DCID 6/3:
Applicable 800-53 Physical and Environmental Protection
Physical and Environmental Protection Policy and Procedures
ISO/IEC 17799: 15.1.1
NIST 800-26: 7
DOD 8500.2: PETN-1, DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5); 8.D
Physical Access Authorizations
ISO/IEC 17799: 9.1.2, 9.1.6
NIST 800-26: 7.1.1, 7.1.2
GAO FISCAM: AC-3.1
DOD 8500.2: PECF-1
DCID 6/3: 4.B.1.a(1), 8.E
Physical Access Control
ISO/IEC 17799: 9.1.1, 9.1.2, 9.1.5, 9.1.6, 10.5.1
NIST 800-26: 7.1.1, 7.1.2, 7.1.5, 7.1.6, 7.1.8
GAO FISCAM: AC-3.1
DOD 8500.2: PEPF-1
DCID 6/3: 4.B.1.a(1), 8.D.2, 8.E
Access Control for Transmission Medium
ISO/IEC 17799: 9.2.3
NIST 800-26: 7.2.2, 16.2.9
DCID 6/3: 8.D.2, 4.B.1.a(8)
Access Control for Display Medium
ISO/IEC 17799: 9.1.2, 11.3.3
NIST 800-26: 7.2.1
DOD 8500.2: PEDI-1, PEPF-1
DCID 6/3: 8.C.2.a, 8.D.2
Monitoring Physical Access
ISO/IEC 17799: 9.1.2
NIST 800-26: 7.1.9
GAO FISCAM: AC-4
DOD 8500.2: PEPF-2
DCID 6/3: 4.B.1.a(1), 8.C.2.a, 8.D.2
Visitor Control
ISO/IEC 17799: 9.1.2
NIST 800-26: 7.1.7, 7.1.11
GAO FISCAM: AC-3.1
DOD 8500.2: PEVC-1
DCID 6/3: 8.C.2.a, 8.D.2, 8.E
Access Records
ISO/IEC 17799: 9.1.2
NIST 800-26: 7.1.9
GAO FISCAM: AC-4
DOD 8500.2: PEPF-2, PEVC-1
DCID 6/3: 8.C.2.a, 8.D.2, 8.E
Power Equipment and Power Cabling
ISO/IEC 17799: 9.2.2, 9.2.3
NIST 800-26: 7.1.16
GAO FISCAM: SC-2.2
DCID 6/3: 8.D.2
Emergency Shutoff
ISO/IEC 17799: 9.2.2
DOD 8500.2: PEMS-1
DCID 6/3: 8.D.2
Emergency Power
ISO/IEC 17799: 9.2.2
NIST 800-26: 7.1.18
GAO FISCAM: SC-2.2
DOD 8500.2: COPS-1, COPS-2, COPS-3
DCID 6/3: 6.B.2.a(6), 6.B.2.a(7)
Emergency Lighting
ISO/IEC 17799: 9.2.2
DOD 8500.2: PEEL-1
DCID 6/3: 8.D.2
Fire Protection
ISO/IEC 17799: 9.1.4, 9.2.1
NIST 800-26: 7.1.12
GAO FISCAM: SC-2.2
DOD 8500.2: PEFD-1, PEFS-1
DCID 6/3: 8.C.2.a, 8.D.2
Temperature and Humidity Controls
ISO/IEC 17799: 9.2.1, 10.5.1, 10.7.1
NIST 800-26: 7.1.14, 7.1.15
GAO FISCAM: SC-2.2
DOD 8500.2: PEHC-1, PETC-1
DCID 6/3: 8.D.2
Water Damage Protection
ISO/IEC 17799: 9.1.4, 9.2.1
NIST 800-26: 7.1.17
GAO FISCAM: SC-2.2
DCID 6/3: 8.C.2.a, 8.D.2
Delivery and Removal
ISO/IEC 17799: 9.1.6, 9.2.7, 10.7.1
NIST 800-26: 7.1.3
GAO FISCAM: AC-3.1
DCID 6/3: 8.B.5.e
Alternate Work Site
ISO/IEC 17799: 11.7.2
DOD 8500.2: EBRU-1
Location of Information System Components
ISO/IEC 17799: 9.2.1
Information Leakage
Applicable 800-53 Planning
Security Planning Policy and Procedures
ISO/IEC 17799: 6.1, 15.1.1
NIST 800-26: 5
DOD 8500.2: DCAR-1, E3.4.6
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5)
System Security Plan
ISO/IEC 17799: 6.1
NIST 800-26: 4.1.5, 5.1.1, 5.1.2, 12.2.1
GAO FISCAM: SP-2.1
DOD 8500.2: DCSD-1
DCID 6/3: 1.F.6, 2.B.6.c(3), 2.B.7.c(5), 9.E.2.a(1)(d), 9.F.2.a, Appendix C
System Security Plan Update
ISO/IEC 17799: 6.1
NIST 800-26: 3.2.10, 5.2.1
GAO FISCAM: SP-2.1
DOD 8500.2: 5.7.5
DCID 6/3: 2.B.7.c(5)
Rules of Behavior
ISO/IEC 17799: 7.1.3, 8.1.3, 15.1.5
NIST 800-26: 4.1.3, 13.1.1
DOD 8500.2: PRRB-1
DCID 6/3: 2.B.9.b
Privacy Impact Assessment
ISO/IEC 17799: 15.1.4
DCID 6/3: DCID: B.3.a; Manual: 8.B.9
Security-Related Activity Planning
ISO/IEC 17799: 15.3.1
Applicable 800-53 Personnel Security
Personnel Security Policy and Procedures
ISO/IEC 17799: 8.1.1, 15.1.1
NIST 800-26: 6
DOD 8500.2: PRRB-1, DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5); 8.E
Position Categorization
ISO/IEC 17799: 8.1.2
NIST 800-26: 6.1.1, 6.1.2
GAO FISCAM: SD-1.2
DCID 6/3: 8.E
Personnel Screening
ISO/IEC 17799: 8.1.2
NIST 800-26: 6.2.1, 6.2.3
GAO FISCAM: SP-4.1
DOD 8500.2: PRAS-1
DCID 6/3: 2.B.7.c(2), 2.B.8.b(5), 8.E
Personnel Termination
ISO/IEC 17799: 8.1.3, 8.3, 11.2.1
NIST 800-26: 6.1.7
GAO FISCAM: SP-4.1
DOD 8500.2: 5.12.7
DCID 6/3: 2.B.9.b(6), 4.B.2.a(3)(e), 8.E
Personnel Transfer
ISO/IEC 17799: 8.3.1, 8.3.3, 11.2.1
NIST 800-26: 6.1.7
GAO FISCAM: SP-4.1
DOD 8500.2: 5.12.7
DCID 6/3: 2.B.9.b(6)
Access Agreements
ISO/IEC 17799: 6.1.5, 8.1.3
NIST 800-26: 6.1.5, 6.2.2
GAO FISCAM: SP-4.1
DOD 8500.2: PRRB-1
DCID 6/3: 1.E.2, 8.E
Third-Party Personnel Security
ISO/IEC 17799: 6.2.1, 6.2.3, 8.1.1, 8.1.2, 8.1.3, 8.2.1, 8.2.2, 11.2.1
GAO FISCAM: SP-4.1
DOD 8500.2: 5.7.10
DCID 6/3: 1.A.1, 8.D, 8.E
Personnel Sanctions
ISO/IEC 17799: 8.2.3, 11.2.1
NIST 800-26: 6.1.5
DOD 8500.2: PRRB-1
DCID 6/3: 4.B.2.a(3)(e), 8.E
Applicable 800-53 Risk Assessment
Risk Assessment Policy and Procedures
ISO/IEC 17799: 4.1, 15.1.1
NIST 800-26: 1
DOD 8500.2: DCAR-1
DCID 6/3: DCID: B.3.a, Manual: 2.B.4.e(5)
Security Categorization
ISO/IEC 17799: 7.2.1
NIST 800-26: 1.1.3, 3.1.1
GAO FISCAM: SP-1, AC-1.1, AC-1.2
DOD 8500.2: E3.4.2
DCID 6/3: 3.C, 3.D, 9.E.2.a(1)(a), 9.E.2.a(1)(d)
Risk Assessment
ISO/IEC 17799: 4, 4.1, 4.2, 6.2.1, 10.10.2, 10.10.5, 12.5.1, 12.6.1, 14.1.1, 14.1.2
NIST 800-26: 1.1.2, 1.1.4, 1.1.5, 1.1.6, 1.2.1, 1.2.2, 1.2.3, 3.1.7, 3.1.8, 4.1.7, 7.1.13, 7.1.19, 12.2.4
GAO FISCAM: SP-1
DOD 8500.2: DCDS-1, DCII-1, E3.3.10
DCID 6/3: 9.B
Risk Assessment Update
ISO/IEC 17799: 4.1
NIST 800-26: 1.1.2, 4.1.2
GAO FISCAM: SP-1
DOD 8500.2: DCAR-1, DCII-1
DCID 6/3: 9.B.4.f, 9.D.1.d
Vulnerability Scanning
ISO/IEC 17799: 12.6.1
NIST 800-26: 10.3.2, 14.2.1
DOD 8500.2: ECMT-1, VIVM-1
DCID 6/3: 4.B.3.a(8)(b), 4.B.3.b(6)(b), 9.B.4.e
Applicable 800-53 System and Services Acquisition
System and Services Acquisition Policy and Procedures
ISO/IEC 17799: 12.1, 15.1.1
NIST 800-26: 3
DOD 8500.2: DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5)
Allocation of Resources
ISO/IEC 17799: 10.3.1
NIST 800-26: 3.1.2, 3.1.3, 3.1.5, 5.1.3
DOD 8500.2: DCPB-1, E3.3.4
DCID 6/3: DCID: C.2.a, Manual: 2.B.4.e(8)
Life Cycle Support
NIST 800-26: 3.1
DOD 8500.2: 5.8.1
DCID 6/3: DCID: B.2.a, Manual: 9.E.2
Acquisitions
ISO/IEC 17799: 12.1.1
NIST 800-26: 3.1.6, 3.1.7, 3.1.10, 3.1.11, 3.1.12
DOD 8500.2: DCAS-1, DCDS-1, DCIT-1, DCMC-1
DCID 6/3: DCID: B.2.a; C.2.a, Manual: 9.B.4
Information System Documentation
ISO/IEC 17799: 10.7.4
NIST 800-26: 3.2.3, 3.2.4, 3.2.8, 12.1.1, 12.1.2, 12.1.3, 12.1.6, 12.1.7
GAO FISCAM: CC-2.1
DOD 8500.2: DCCS-1, DCHW-1, DCID-1, DCSD-1, DCSW-1, ECND-1, DCFA-1
DCID 6/3: 4.B.2.b(2), 4.B.2.b(3), 4.B.4.b(4), 9.C.3
Software Usage Restrictions
ISO/IEC 17799: 15.1.2
NIST 800-26: 10.2.10, 10.2.13
GAO FISCAM: SS-3.2, SP-2.1
DOD 8500.2: DCPD-1
DCID 6/3: 2.B.9.b(11)
User Installed Software
ISO/IEC 17799: 15.1.2
NIST 800-26: 10.2.10
GAO FISCAM: SS-3.2
DCID 6/3: 2.B.9.b(11)
Security Engineering Principles
ISO/IEC 17799: 12.1
NIST 800-26: 3.2.1
DOD 8500.2: DCBP-1, DCCS-1, E3.4.4
DCID 6/3: 1.H.1
Outsourced Information System Services
ISO/IEC 17799: 6.2.1, 6.2.3, 10.2.1, 10.2.2, 10.6.2
NIST 800-26: 12.2.3
DOD 8500.2: DCDS-1, DCID-1 DCIT-1, DCPP-1
DCID 6/3: 1.B.1, 8.C.2, 8.E
Developer Configuration Management
ISO/IEC 17799: 12.5.1, 12.5.2
GAO FISCAM: SS-3.1, CC-3
DCID 6/3: 4.B.4.b(4), 8.C.2.a
Developer Security Testing
ISO/IEC 17799: 12.5.1, 12.5.2
NIST 800-26: 3.2.1, 3.2.2, 10.2.5, 12.1.5
GAO FISCAM: SS-3.1, CC-2.1
DOD 8500.2: E3.4.4
DCID 6/3: 4.B.4.b(4)
Applicable 800-53 System and Communication Protection
System and Communications Protection Policy and Procedures
ISO/IEC 17799: 10.8.1, 15.1.1
DOD 8500.2: DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5)
Application Partitioning
ISO/IEC 17799: 11.4.5
DOD 8500.2: DCPA-1
DCID 6/3: 4.B.3.b(6)(a), 4.B.4.b(8), 5.B.3.b(2)
Security Function Isolation
ISO/IEC 17799: 11.4.5
DOD 8500.2: DCSP-1
DCID 6/3: 4.B.3.b(6)(a), 4.B.4.b(8), 5.B.3.b(1), 5.B.3.b(2)
Information Remnants
ISO/IEC 17799: 10.8.1
GAO FISCAM: AC-3.4
DOD 8500.2: ECRC-1
DCID 6/3: 4.B.2.a(14)
Denial of Service Protection
ISO/IEC 17799: 10.8.4, 13.2.1
DCID 6/3: 6.B.3.a(6)
Resource Priority
DCID 6/3: 6.B.3.a(11)
Boundary Protection
ISO/IEC 17799: 11.4.6
NIST 800-26: 16.2.2, 16.2.7, 16.2.9, 16.2.10, 16.2.11, 16.2.14
GAO FISCAM: AC-3.2
DOD 8500.2: COEB-1, EBBD-1, ECIM-1, ECVI-1
DCID 6/3: 4.B.4.a(27), 5.B.3.a(11)(b), 7.A.3, 7.B, 7.C, 7.D
Transmission Integrity
ISO/IEC 17799: 10.6.1, 10.8.1, 10.9.1
NIST 800-26: 11.2.1, 11.2.4, 11.2.9, 16.2.14
GAO FISCAM: AC-3.2
DOD 8500.2: ECTM-1
DCID 6/3: 5.B.3.a(11)
Transmission Confidentiality
ISO/IEC 17799: 10.6.1, 10.8.1, 10.9.1
DOD 8500.2: ECCT-1
DCID 6/3: 4.B.1.a(8)(a)
Network Disconnect
ISO/IEC 17799: 11.5.6
NIST 800-26: 16.2.6
GAO FISCAM: AC-3.2
DCID 6/3: 4.B.2.a(17)
Trusted Path
ISO/IEC 17799: 10.9.2
NIST 800-26: 16.2.7
DCID 6/3: 4.B.4.a(14)
Cryptographic Key Establishment and Mgmt.
ISO/IEC 17799: 12.3.1, 12.3.2
NIST 800-26: 16.1.7, 16.1.8
DOD 8500.2: IAKM-1
DCID 6/3: 1.G
Use of Validated Cryptography
NIST 800-26: 16.1.7, 16.1.8
DOD 8500.2: IAKM-1, IATS-1
DCID 6/3: 1.G.1
Public Access Protections
ISO/IEC 17799: 10.7.4, 10.9.3
DOD 8500.2: EBPW-1
Collaborative Computing
DOD 8500.2: ECVI-1
DCID 6/3: 7.G
Transmission of Security Parameters
ISO/IEC 17799: 7.2.2, 10.8.2, 10.9.2
NIST 800-26: 16.1.6
GAO FISCAM: AC-3.2
DOD 8500.2: ECTM-2
DCID 6/3: 4.B.1.a(3)
Public Key Infrastructure Certificates
ISO/IEC 17799: 12.3.2
DOD 8500.2: IAKM-1
DCID 6/3: 2.B.4.e(5), 4.B.3.a(11)
Mobile Code
ISO/IEC 17799: 10.4.1, 10.4.2
DOD 8500.2: DCMC-1
DCID 6/3: 2.B.4.e(5), 7.E
Voice Over Internet Protocol
DOD 8500.2: ECVI-1
DCID 6/3: DCID 6/3 2.B.4.d, 9.D.1.a
Secure Name Address Resolution Service (Authoritative Source)
Secure Name Address Resolution Service (Resolution)
Architecture and Provisioning for Name/Address Resolution Service
Session Authenticity
Applicable 800-53 System and Information Integrity
System and Information Integrity Policy and Procedures
ISO/IEC 17799: 15.1.1
NIST 800-26: 11
DOD 8500.2: DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5), 5.B.1.b(1), 5.B.2.a(5)(a)(1)
Flaw Remediation
ISO/IEC 17799: 10.10.5, 12.4.1, 12.5.1, 12.5.2, 12.6.1
NIST 800-26: 10.3.2, 11.1.1, 11.1.2, 11.2.2, 11.2.7
GAO FISCAM: SS-2.2
DOD 8500.2: DCSQ-1, DCCT-1, VIVM-1
DCID 6/3: 5.B.2.a(5)(a)(3), 6.B.2.a(5)
Malicious Code Protection
ISO/IEC 17799: 10.4.1
NIST 800-26: 11.1.1, 11.1.2
DOD 8500.2: ECVP-1, VIVM-1
DCID 6/3: 5.B.1.a(4), 7.B.4.b(1)
Information System Monitoring Tools and Techniques
ISO/IEC 17799: 10.6.2, 10.10.1, 10.10.2, 10.10.4
NIST 800-26: 11.2.5, 11.2.6
DOD 8500.2: EBBD-1, EBVC-1, ECID-1
DCID 6/3: 4.B.2.a(5)(b), 4.B.3.a(8)(b), 6.B.3.a(8)
Security Alerts and Advisories
ISO/IEC 17799: 6.1.7, 10.4.1
NIST 800-26: 14.1.1, 14.1.2, 14.1.5
GAO FISCAM: SP-3.4
DOD 8500.2: VIVM-1
DCID 6/3: 8.B.7
Security Functionality Verification
NIST 800-26: 11.2.1, 11.2.2
GAO FISCAM: SS-2.2
DOD 8500.2: DCSS-1
DCID 6/3: 4.B.1.c(2), 5.B.2.b(2)
Software and Information Integrity
ISO/IEC 17799: 12.2.1, 12.2.2, 12.2.4
NIST 800-26: 11.2.1, 11.2.4
DOD 8500.2: ECSD-2
DCID 6/3: 4.B.1.c(2), 5.B.1.a(3), 5.B.2.a(6)
Spam Protection
DCID 6/3: 5.B.1.a(4)
Information Input Restrictions
ISO/IEC 17799: 12.2.1, 12.2.2
GAO FISCAM: SD-1
DCID 6/3: 2.B.9.b(11)
Information Accuracy, Completeness, Validity, and Authenticity
ISO/IEC 17799: 10.7.3, 12.2.1, 12.2.2
DCID 6/3: 7.B.2.h, 2.B.4.d
Error Handling
ISO/IEC 17799: 12.2.1, 12.2.2, 12.2.3, 12.2.4
DCID 6/3: 2.B.4.d
Information Output Handling and Retention
ISO/IEC 17799: 10.7.3, 12.2.4
DOD 8500.2: PESP-1
DCID 6/3: 2.B.4.d, 8.B.9, 8.G
Introduction
This guide has been created to assist federal agencies in effectively securing systems with Microsoft Windows Internet Explorer 7 based on OMB Federal Desktop Core Configuration recommendations.Under the direction of OMB and in collaboration with DHS, DISA, NSA, USAF, and Microsoft, NIST has provided the following baseline to help agencies test, implement, and deploy the Microsoft Windows Internet Explorer 7 Federal Desktop Core Configuration (FDCC) baseline. The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration.Please refer to the FDCC home page for additional information. http://fdcc.nist.gov
FDCC Other Settings
FDCC has identified the following additional controls that must be checked in order to verify compliance.
Local Computer Policy
todo - description needed
Core Policy
The following are some additional settings for Microsoft Internet Explorer 7
DisableConfiguringHistory_LocalComputer_1_var
DisableConfiguringHistory_LocalComputer_1_var
1
1
DisableConfiguringHistory_LocalComputer_2_var
DisableConfiguringHistory_LocalComputer_2_var
40
40
DisableAutomaticInstallOfIEComponents_LocalComputer_var
DisableAutomaticInstallOfIEComponents_LocalComputer_var
1
1
DisableChangingAutomaticConfigurationSettings_LocalComputer_var
DisableChangingAutomaticConfigurationSettings_LocalComputer_var
1
1
DisablePeriodicCheckForIESoftwareUpdates_LocalComputer_var
DisablePeriodicCheckForIESoftwareUpdates_LocalComputer_var
1
1
DisableShowingSplashScreen_LocalComputer_var
DisableShowingSplashScreen_LocalComputer_var
1
1
DisableSoftwareUpdateShellNotifications_LocalComputer_var
DisableSoftwareUpdateShellNotifications_LocalComputer_var
1
1
DoNotAllowUsersEnableDisableAddOns_LocalComputer_var
DoNotAllowUsersEnableDisableAddOns_LocalComputer_var
0
0
MakeProxySettingsPerMachine_LocalComputer_var
MakeProxySettingsPerMachine_LocalComputer_var
1
1
0
PreventParticipationInCustomerExperienceImprovementPrograms_LocalComputer_var
PreventParticipationInCustomerExperienceImprovementPrograms_LocalComputer_var
0
1
0
PreventPerformanceOfFirstRunCustomizeSettings_LocalComputer_var
PreventPerformanceOfFirstRunCustomizeSettings_LocalComputer_var
1
1
2
DoNotAllowUsersAddDeleteSites_LocalComputer_var
DoNotAllowUsersAddDeleteSites_LocalComputer_var
1
1
DoNotAllowUsersChangePolicies_LocalComputer_var
DoNotAllowUsersChangePolicies_LocalComputer_var
1
1
use_only_machine_settings_local_computer_var
use_only_machine_settings_local_computer_var
1
1
TurnOffDeleteBrowsingHistoryFunctionality_LocalComputer_var
TurnOffDeleteBrowsingHistoryFunctionality_LocalComputer_var
1
0
1
TurnOffCrashDetection_LocalComputer_var
TurnOffCrashDetection_LocalComputer_var
1
1
TurnOffManagingPhishingFilter_LocalComputer_var
TurnOffManagingPhishingFilter_LocalComputer_var
0
0
1
2
TurnOffSecuritySettingsCheckFeature_LocalComputer_var
TurnOffSecuritySettingsCheckFeature_LocalComputer_var
0
0
1
Disable "Configuring History" - Local Computer
This setting specifies the number of days that Internet Explorer keeps track of the pages viewed in the History List. The delete Browsing History option can be accessed using Tools, Internet Options and General tab.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-4001-4
CCE-66
Disable Automatic Install of Internet Explorer Components - Local Computer
This Disable Automatic Install of Internet Explorer components setting prevents Internet Explorer from automatically installing components.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3518-8
CCE-684
Disable Changing Automatic Configuration Settings - Local Computer
This Disable Automatic Install of Internet Explorer components setting prevents Internet Explorer from automatically installing components.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-4147-5
CCE-471
Disable Periodic Check For Internet Explorer Software Updates - Local Computer
The Disable Periodic Check for Internet Explorer software updates setting prevents Internet Explorer from more frequently checking whether a new browser update is available.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3576-6
CCE-212
Disable Showing the Splash Screen - Local Computer
The Disable showing the splash screen setting prevents the Internet Explorer splash screen from appearing when users start the browser. Enabling this policy causes the splash screen, which normally displays the program name, licensing, and copyright information
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3706-9
CCE-556
Disable Software Update Shell Notifications on Program Launch - Local Computer
The Disable software update shell notifications on program launch setting specifies that programs using the Microsoft Software Distribution Channel will not notify users when they install new components.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-4118-6
CCE-622
Do Not Allow Users to enable or Disable Add-Ons - Local Computer
The Do not allow users to enable or disable add-ons policy setting allows you to manage whether users have the ability to allow or deny add-ons through Manage Add-ons. If you configure this policy setting to Enabled, users cannot enable or disable add-ons. This item is disabled.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3744-0
CCE-708
Make proxy settings per-machine (rather than per-user) - Local Computer
The Make proxy settings per – machine (rather than per-user) setting ensures proxy settings for all users of the same computer are the same.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3201-1
CCE-693
Prevent participation in the Customer Experience Improvement Programs - Local Computer
This policy setting prevents users from participating in the Customer Experience Improvement Program (CEIP).
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3993-3
CCE-495
Prevent performance of First Run Customize settings - Local Computer
This policy setting prevents performance of the First Run Customize settings ability and controls what the user will see when they launch Internet Explorer for the first time after installation of Internet Explorer.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3207-8
CCE-1006
Security Zones: Do Not Allow Users to Add/Delete Sites - Local Computer
The Security Zones: Do not allow users to add/delete sites setting prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3929-7
CCE-146
Security Zones: Do Not Allow Users to Change Policies - Local Computer
The Security Zones: Do not allow users to change policies setting prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3933-9
CCE-833
Security Zones: Use Only Machine Settings - Local Computer
Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-4017-0
CCE-5
Turn Off "Delete Browsing History" functionality - Local Computer
This policy setting prevents users from performing the "Delete Browsing History" action in Internet Explorer. If you enable this policy setting, users cannot perform the "Delete Browsing History" action in Internet Options for Internet Explorer 7.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3615-2
CCE-1010
Turn Off Crash Detection - Local Computer
The Turn off Crash Detection policy setting allows you to manage the crash detection feature of add-on management in Internet Explorer.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3894-3
CCE-753
Turn Off Managing Phishing Filter - Local Computer
This policy setting allows the user to enable a phishing filter that will warn if the Web site being visited is known for fraudulent attempts to gather personal information through "phishing."
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3866-1
CCE-1032
Turn Off the Security Settings Check Feature - Local Computer
This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3875-2
CCE-1054
Internet Control Panel - Local Computer
todo - description needed
prevent_ignoring_certificate_errors_local_computer_var
prevent_ignoring_certificate_errors_local_computer_var
1
0
1
Prevent ignoring certificate errors - Local Computer
Internet Explorer treats as fatal any Secure Socket Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt navigation (such as "expired," "revoked," or "name mismatch" errors).
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel
CCE-4199-6
CCE-938
Advanced Page - Local Computer
Advanced Page - Local Computer
Allow active content from CDs to run on user machines - Local Computer - variable
Allow Active Content from CD's to Run on User Machine - Local Computer - variable
0
0
1
Allow Install OnDemand (Internet Explorer) - Local Computer - variable
todo - description needed
0
0
1
Allow Software to Run or Install Even if the Signature is Invalid - Local Computer - variable
Allow Software to Run or Install Even if the Signature is Invalid - Local Computer - variable
0
0
1
Allow Software to Run or Install Even if the Signature is Invalid - Local Computer - variable
Allow Software to Run or Install Even if the Signature is Invalid - Local Computer - variable
no
no
yes
Allow Third-Party Browser Extensions - Local Computer - variable
Allow Third-Party Browser Extensions - Local Computer - variable
1
1
0
Check for Server Certificate Revocation - Local Computer - variable
Check for Server Certificate Revocation - Local Computer - variable
1
0
1
Check for signatures on downloaded programs - Local Computer - variable
Check for Signature on Downloaded Programs - Local Computer - variable
yes
no
yes
Do Not Allow Resetting Internet Explorer Settings - Local Computer - variable
Do Not Allow Resetting Internet Explorer Settings - Local Computer - variable
1
0
1
Allow Active Content from CDs to Run on User Machine - Local Computer
This policy setting allows you to manage whether users receive a dialog requesting permission for active content on a CD to run. If you enable this policy setting, active content on a CD will run without a prompt.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-4174-9
CCE-964
Allow Install On Demand (Internet Explorer)
The "Allow Install On Demand (Internet Explorer)" setting should be configured correctly.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-3677-2
CCE-69
Allow Software to Run or Install Even if the Signature is Invalid - Local Computer
Microsoft ActiveX controls and file downloads often have digital signatures attached that vouch for both the file's integrity and the identity of the signer (creator) of the software. Such signatures help ensure that unmodified.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-3941-2
CCE-449
Allow Third-Party Browser Extensions - Local Computer
This policy setting allows you to manage whether Internet Explorer will launch COM add-ons known as browser helper objects, such as toolbars.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-4192-1
CCE-598
Automatically Check for Internet Explorer Updates - Local Computer
This policy setting allows you to manage whether Internet Explorer checks the Internet for newer versions.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-3584-0
CCE-1008
Check for Server Certificate Revocation - Local Computer
This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-3976-8
CCE-690
Check for signatures on downloaded programs - Local Computer - variable
This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-4026-1
CCE-1025
Do Not Allow Resetting Internet Explorer Settings - Local Computer
This policy setting prevents users from using the Reset Internet Explorer Settings feature. Reset Internet Explorer Settings will allow the users to reset all settings changed since install, delete browsing history and disable add-ons that are not preapproved.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-4171-5
CCE-42
Security Page Policy
Security Page - Local Computer
include_all_network_paths_local_computer_var
include_all_network_paths_local_computer_var
0
0
1
Intranet Sites: Include all network paths (UNCs) - Local Computer
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. If you enable this policy setting, all network paths are mapped into the Intranet Zone.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
CCE-4175-6
CCE-876
Site to Zone Assignment List
Computer-wide, rather than per-user, assignment of sites to zones for Internet Explorer should be enabled or disabled as appropriate.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
CCE-4763-9
CCE-1005
Internet Zone - Local Computer
Internet Zone - Local Computer
access_data_sources_across_domains_internet_zone_local_computer_var
access_data_sources_across_domains_internet_zone_local_computer_var
3
0
1
3
allow_cut_copy_paste_operations_from_clipboard_via_script_internet_zone_local_computer_var
allow_cut_copy_paste_operations_from_clipboard_via_script_internet_zone_local_computer_var
3
0
1
3
AllowDragDropOrCopyPasteFiles_InternetZone_LocalComputer_var
AllowDragDropOrCopyPasteFiles_InternetZone_LocalComputer_var
3
0
1
3
AllowFontDownloads_InternetZone_LocalComputer_var
AllowFontDownloads_InternetZone_LocalComputer_var
3
0
1
3
AllowInstallationOfDesktopItems_InternetZone_LocalComputer_var
AllowInstallationOfDesktopItems_InternetZone_LocalComputer_var
3
0
1
3
AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints_InternetZone_LocalComputer_var
AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints_InternetZone_LocalComputer_var
3
0
3
allow_scriptlets_internet_zone_local_computer_var
allow_scriptlets_internet_zone_local_computer_var
3
0
3
allow_status_bar_updates_via_script_internet_zone_local_computer_var
allow_status_bar_updates_via_script_internet_zone_local_computer_var
0
0
0
1
3
AutomaticPromptingFileDownloads_InternetZone_LocalComputer_var
AutomaticPromptingFileDownloads_InternetZone_LocalComputer_var
0
0
3
download_signed_activex_controls_InternetZone_LocalComputer_var
download_signed_activex_controls_InternetZone_LocalComputer_var
3
0
1
3
DownloadUnsignedActiveXControls_InternetZone_LocalComputer_var
DownloadUnsignedActiveXControls_InternetZone_LocalComputer_var
3
0
1
3
InitializeScriptActiveXControlsNotMarkedAsSafe_InternetZone_LocalComputer_var
InitializeScriptActiveXControlsNotMarkedAsSafe_InternetZone_LocalComputer_var
3
0
1
3
java_permissions_internet_zone_local_computer_var
java_permissions_internet_zone_local_computer_var
0
0
65536
131072
196608
8388608
LaunchingApplicationsAndFilesInIFRAME_InternetZone_LocalComputer_var
LaunchingApplicationsAndFilesInIFRAME_InternetZone_LocalComputer_var
3
0
1
3
LogonOptions_InternetZone_LocalComputer_var
LogonOptions_InternetZone_LocalComputer_var
65536
0
65536
131072
196608
LooseXAMLFiles_InternetZone_LocalComputer_var
LooseXAMLFiles_InternetZone_LocalComputer_var
3
0
1
3
navigate_sub_frames_across_different_domains_Internet_zone_local_computer_var
navigate_sub_frames_across_different_domains_Internet_zone_local_computer_var
0
0
0
1
3
OpenFilesBasedOnContent_InternetZone_LocalComputer_var
OpenFilesBasedOnContent_InternetZone_LocalComputer_var
3
0
3
SoftwareChannelPermissions_InternetZone_LocalComputer_var
SoftwareChannelPermissions_InternetZone_LocalComputer_var
65536
65536
131072
196608
TurnOffFirstRunOptIn_InternetZone_LocalComputer_var
todo - description needed
0
0
3
TurnOnProtectedMode_InternetZone_LocalComputer_var
todo - description needed
0
0
3
UsePop-upBlocker_InternetZone_LocalComputer_var
UsePop-upBlocker_InternetZone_LocalComputer_var
0
0
1
3
UserdataPersistence_InternetZone_LocalComputer_var
UserdataPersistence_InternetZone_LocalComputer_var
3
0
3
WebBrowserApplications_InternetZone_LocalComputer_var
WebBrowserApplications_InternetZone_LocalComputer_var
0
0
0
1
3
WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone_InternetZone_LocalComputer_var
WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone_InternetZone_LocalComputer_var
3
0
1
3
Access Data Sources Across Domains - Internet Zone - Local Computer
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3853-9
CCE-47
Allow cut, copy or paste operations from the clipboard via script - Internet Zone - Local Computer
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. If you enable this policy setting, a script can perform a clipboard operation.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-4109-5
CCE-49
Allow drag and drop or copy and paste files - Internet Zone - Local Computer
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If you enable this policy setting, users can drag files or copy and paste files from this zone automatically.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3998-2
CCE-685
Allow Font Downloads - Internet Zone - Local Computer
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3888-5
CCE-491
Allow installation of desktop items - Internet Zone - Local Computer
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3906-5
CCE-355
Allow script-initiated windows without size or position constraints - Internet Zone - Local Computer
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. If you enable this policy setting, Windows Restrictions security will not apply in this zone.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-4099-8
CCE-280
Allow Scriptlets - Internet Zone - Local Computer
This policy setting allows you to manage whether scriptlets can be allowed. If you enable this policy setting, users will be able to run scriptlets. If you disable this policy setting, users will not be able to run scriptlets.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3601-2
CCE-439
Allow status bar updates via script - Internet Zone - Local Computer
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this policy setting, script is allowed to update the status bar.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3249-0
CCE-914
Automatic prompting for file downloads - Internet Zone - Local Computer
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-4139-2
CCE-16
Download signed ActiveX controls - Internet Zone - Local Computer
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user intervention.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3927-1
CCE-1013
Download unsigned ActiveX controls - Internet Zone - Local Computer
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3945-3
CCE-176
Initialize and script ActiveX controls not marked as safe - Internet Zone - Local Computer
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-4068-3
CCE-586
Java permissions - Internet Zone - Local Computer
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3963-6
CCE-132
Launching applications and files in an IFRAME - Internet Zone - Local Computer
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-4104-6
CCE-689
Logon Options - Internet Zone - Local Computer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the following logon options.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3623-6
CCE-720
Loose or un-compiled XAML files - Internet Zone - Local Computer
These are eXtensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that leverage the Windows Presentation Foundation.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3751-5
CCE-126
Navigate sub-frames across different domains - Internet Zone - Local Computer
This policy setting allows you to manage the opening of sub-frames and access of applications across different domains. If you enable this policy setting, users can open sub-frames from other domains and access applications from other domains.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-4143-4
CCE-245
Open files based on content, not file extension - Internet Zone - Local Computer
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-4161-6
CCE-910
Software channel permissions - Internet Zone - Local Computer
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the following options from the drop-down box.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3553-5
CCE-359
Turn Off First-Run Opt-In - Internet Zone - Local Computer
Turn Off First-Run Opt-In
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3378-7
CCE-863
Turn On Protected Mode - Internet Zone - Local Computer
The "Turn on Protected Mode" setting should be configured correctly for the Internet Zone.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-4643-3
CCE-281
Use Pop-up Blocker - Internet Zone - Local Computer
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3619-4
CCE-1002
Userdata Persistence - Internet Zone - Local Computer
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3914-9
CCE-425
Web Browser Applications - Internet Zone - Local Computer
These are browser-hosted, ClickOnce-deployed applications built using WinFX. These applications execute in a security sandbox and harness the power of the Windows Presentation Foundation platform for the Web.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-4131-9
CCE-286
Web sites in less privileged Web content zones can navigate into this zone - Internet Zone - Local Computer
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-3570-9
CCE-724
Intranet Zone - Local Computer
Intranet Zone - Local Computer
display_mixed_content_intranet_zone_local_computer_var
display_mixed_content_intranet_zone_local_computer_var
0
0
1
3
java_permissions_intranet_zone_local_computer_var
java_permissions_intranet_zone_local_computer_var
0
0
65536
131072
196608
8388608
Display Mixed Content - Intranet Zone - Local Computer
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
CCE-3989-1
CCE-288
Java permissions - Intranet Zone - Local Computer
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
CCE-4652-4
CCE-218
Local Machine Zone - Local Computer
Local Machine Zone - Local Computer
display_mixed_content-local_machine_zone_local_computer_var
display_mixed_content-local_machine_zone_local_computer_var
0
0
1
3
java_permissions_local_machine_zone_local_computer_var
java_permissions_local_machine_zone_local_computer_var
0
0
0
65536
131072
196608
8388608
Display Mixed Content - Local Machine Zone - Local Compute
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
CCE-4138-4
CCE-473
Java permissions - Local Machine Zone - Local Computer
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
CCE-3891-9
CCE-138
Locked Down Internet Zone - Local Computer
Locked Down Internet Zone - Local Computer
display_mixed_content_locked_down_internet_zone_local_computer_var
todo - description needed
0
0
1
3
download_signed_activex_controls_locked_down_internet_zone_local_computer_var
todo - description needed
0
0
1
3
java_permissions_locked_down_internet_zone_local_computer_var
todo - description needed
0
0
65536
131072
196608
8388608
Display Mixed Content - Locked Down Internet Zone - Local Computer
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
CCE-3984-2
CCE-878
Download Signed ActiveX Controls - Locked Down Internet Zone - Local Computer
The "Download signed ActiveX controls" setting should be configured correctly for the Locked-Down Internet Zone.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
CCE-4793-6
CCE-308
Java permissions - Locked Down Internet Zone - Local Computer
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
CCE-4692-0
CCE-781
Locked Down Intranet Zone - Local Computer
LockedDown Intranet Zone - Local Computer
display_mixed_content-LockedDownintranet_zone_local_computer_var
display_mixed_content-LockedDownintranet_zone_local_computer_var
0
0
1
3
java_permissions_LockedDownintranet_zone_local_computer_var
java_permissions_LockedDownintranet_zone_local_computer_var
0
0
65536
131072
196608
8388608
Display Mixed Content - Locked Down Intranet Zone - Local Compute
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
CCE-4121-0
CCE-552
Java permissions - Locked Down Intranet Zone - Local Computer
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
CCE-3754-9
CCE-320
Locked Down Local Machine Zone - Local Computer
Locked Down Local Machine Zone - Local Computer
display_mixed_content-LockedDownlocal_machine_zone_local_computer_var
display_mixed_content-LockedDownlocal_machine_zone_local_computer_var
0
0
1
3
java_permissions_LockedDownlocal_machine_zone_local_computer_var
java_permissions_LockedDownlocal_machine_zone_local_computer_var
0
0
65536
131072
196608
8388608
Display Mixed Content - Locked Down Local Machine Zone - Local Compute
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
CCE-4028-7
CCE-239
Java permissions - Locked Down Local Machine - Local Computer
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
CCE-4160-8
CCE-1045
Locked Down Restricted Sites Zone - Local Compute - Local Computer
Locked Down Restricted Sites Zone - Local Computer
display_mixed_content-LockedDownRestrictedSitesZone_LocalComputer_var
display_mixed_content-LockedDownRestrictedSitesZone_LocalComputer_var
0
0
1
3
java_permissions_LockedDownRestrictedSitesZone_LocalComputer_var
java_permissions_LockedDownRestrictedSitesZone_LocalComputer_var
0
0
65536
131072
196608
8388608
Display Mixed Content - Locked Down Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
CCE-3264-9
CCE-30
Java permissions - Locked Down Restricted Sites Zone - Local Computer
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
CCE-3902-4
CCE-1088
Locked Down Trusted Sites Zone - Local Computer - Local Compute
Locked Down Trusted Sites Zone - Local Computer
AllowStatusBarUpdatesViaScript_LockedDowntrusted_sites_zone_local_computer_var
todo - description needed
3
0
1
3
display_mixed_content_LockedDowntrusted_sites_zone_local_computer_var
display_mixed_content_LockedDowntrusted_sites_zone_local_computer_var
0
0
1
3
java_permissions_LockedDowntrusted_sites_zone_local_computer_var
java_permissions_LockedDowntrusted_sites_zone_local_computer_var
0
0
65536
131072
196608
8388608
Allow Status Bar Updates Via Script - Locked Down Trusted Sites Zone - Local Computer
The "Allow status bar updates via script" setting should be configured correctly for the Locked-Down Trusted Sites Zone.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
CCE-4546-8
CCE-1147
Display Mixed Content - Locked Down Trusted Sites Zone - LocalComputer
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
CCE-4232-5
CCE-666
Java permissions - Locked Down Trusted Sites Zone - Local Computer
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
CCE-4564-1
CCE-140
Restricted Sites Zone - Local Computer
Restricted Sites Zone - Local Computer
AccessDataSourcesAcrossDomains_RestrictedSitesZone_LocalComputer_var
AccessDataSourcesAcrossDomains_RestrictedSitesZone_LocalComputer_var
3
0
1
3
AllowActiveScripting_RestrictedSitesZone_LocalComputer_var
AllowActiveScripting_RestrictedSitesZone_LocalComputer_var
3
0
1
3
AllowBinaryAndScriptBehaviors_RestrictedSitesZone_LocalComputer_var
AllowBinaryAndScriptBehaviors_RestrictedSitesZone_LocalComputer_var
3
0
1
3
AllowCutCopyPasteOperationsFromClipboardViaScript_RestrictedSitesZone_LocalComputer_var
AllowCutCopyPasteOperationsFromClipboardViaScript_RestrictedSitesZone_LocalComputer_var
3
0
1
3
AllowDragDropOrCopyPasteFiles_RestrictedSitesZone_LocalComputer_var
AllowDragDropOrCopyPasteFiles_RestrictedSitesZone_LocalComputer_var
3
0
1
3
AllowFileDownloads_RestrictedSitesZone_LocalComputer_var
AllowFileDownloads_RestrictedSitesZone_LocalComputer_var
3
0
1
3
AllowFontDownloads_RestrictedSitesZone_LocalComputer_var
AllowFontDownloads_RestrictedSitesZone_LocalComputer_var
3
0
1
3
AllowInstallationOfDesktopItems_RestrictedSitesZone_LocalComputer_var
AllowInstallationOfDesktopItems_RestrictedSitesZone_LocalComputer_var
3
0
1
3
AllowMETAREFRESH_RestrictedSitesZone_LocalComputer_var
AllowMETAREFRESH_RestrictedSitesZone_LocalComputer_var
3
0
1
3
AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints_RestrictedSitesZone_LocalComputer_var
AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints_RestrictedSitesZone_LocalComputer_var
3
0
3
AllowStatusBarUpdatesViaScript_RestrictedSitesZone_LocalComputer_var
AllowStatusBarUpdatesViaScript_RestrictedSitesZone_LocalComputer_var
0
0
0
1
3
AutomaticPromptingFileDownloads_RestrictedSitesZone_LocalComputer_var
AutomaticPromptingFileDownloads_RestrictedSitesZone_LocalComputer_var
0
0
3
download_signed_activex_controls_RestrictedSitesZone_LocalComputer_var
download_signed_activex_controls_RestrictedSitesZone_LocalComputer_var
3
0
1
3
DownloadUnsignedActiveXControls_RestrictedSitesZone_LocalComputer_var
DownloadUnsignedActiveXControls_RestrictedSitesZone_LocalComputer_var
3
0
1
3
InitializeScriptActiveXControlsNotMarkedAsSafe_RestrictedSitesZone_LocalComputer_var
InitializeScriptActiveXControlsNotMarkedAsSafe_RestrictedSitesZone_LocalComputer_var
3
0
1
3
java_permissions_RestrictedSitesZone_LocalComputer_var
java_permissions_RestrictedSitesZone_LocalComputer_var
0
0
65536
131072
196608
8388608
LaunchingApplicationsAndFilesInIFRAME_RestrictedSitesZone_LocalComputer_var
LaunchingApplicationsAndFilesInIFRAME_RestrictedSitesZone_LocalComputer_var
3
0
1
3
LogonOptions_RestrictedSitesZone_LocalComputer_var
LogonOptions_RestrictedSitesZone_LocalComputer_var
196608
0
65536
131072
196608
LooseXAMLFiles_RestrictedSitesZone_LocalComputer_var
LooseXAMLFiles_RestrictedSitesZone_LocalComputer_var
3
0
1
3
NavigateSub-framesAcrossDifferentDomains_RestrictedSitesZone_LocalComputer_var
NavigateSub-framesAcrossDifferentDomains_RestrictedSitesZone_LocalComputer_var
3
0
1
3
OpenFilesBasedOnContent_RestrictedSitesZone_LocalComputer_var
OpenFilesBasedOnContent_RestrictedSitesZone_LocalComputer_var
3
0
3
RunNETFrameworkReliantComponentsNotSignedWithAuthenticode_RestrictedSitesZone_LocalComputer_var
RunNETFrameworkReliantComponentsNotSignedWithAuthenticode_RestrictedSitesZone_LocalComputer_var
3
0
1
3
RunNETFrameworkReliantComponentsSignedWithAuthenticode_RestrictedSitesZone_LocalComputer_var
RunNETFrameworkReliantComponentsSignedWithAuthenticode_RestrictedSitesZone_LocalComputer_var
3
0
1
3
RunActiveXControlsAndPlugins_RestrictedSitesZone_LocalComputer_var
RunActiveXControlsAndPlugins_RestrictedSitesZone_LocalComputer_var
3
0
1
3
ScriptActiveXControlsMarkedSafeForScripting_RestrictedSitesZone_LocalComputer_var
ScriptActiveXControlsMarkedSafeForScripting_RestrictedSitesZone_LocalComputer_var
3
0
1
3
ScriptingOfJavaApplets_RestrictedSitesZone_LocalComputer_var
ScriptingOfJavaApplets_RestrictedSitesZone_LocalComputer_var
3
0
1
3
SoftwareChannelPermissions_RestrictedSitesZone_LocalComputer_var
SoftwareChannelPermissions_RestrictedSitesZone_LocalComputer_var
65536
65536
131072
196608
TurnOffFirstRunOptIn_RestrictedSitesZone_LocalComputer_var
TurnOffFirstRunOptIn_RestrictedSitesZone_LocalComputer_var
0
0
3
TurnOnProtectedMode_RestrictedSitesZone_LocalComputer_var
todo - description needed
0
0
3
UsePop-upBlocker_RestrictedSitesZone_LocalComputer_var
UsePop-upBlocker_RestrictedSitesZone_LocalComputer_var
0
0
1
3
UserdataPersistence_RestrictedSitesZone_LocalComputer_var
UserdataPersistence_RestrictedSitesZone_LocalComputer_var
3
0
3
WebBrowserApplications_RestrictedSitesZone_LocalComputer_var
WebBrowserApplications_RestrictedSitesZone_LocalComputer_var
0
0
0
1
3
WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone_RestrictedSitesZone_LocalComputer_var
WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone_RestrictedSitesZone_LocalComputer_var
3
0
1
3
Access Data Sources Across Domains - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-3905-7
CCE-636
Allow Active Scripting - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script code on pages in the zone can run automatically.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4050-1
CCE-292
Allow Binary and Script Behaviors - Restricted Sites Zone - Local Computer
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. If you enable this policy setting, binary and script behaviors are available.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4196-2
CCE-178
Allow cut, copy or paste operations from the clipboard via script - Restricted SitesZone - Local Computer
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. If you enable this policy setting, a script can perform a clipboard operation.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4013-9
CCE-1031
Allow drag and drop or copy and paste files - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If you enable this policy setting, users can drag files or copy and paste files from this zone automatically.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-3337-3
CCE-41
Allow File Downloads - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4150-9
CCE-970
Allow Font Downloads - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4062-6
CCE-882
Allow installation of desktop items - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4079-0
CCE-763
Allow META REFRESH - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4084-0
CCE-680
Allow script-initiated windows without size or position constraints - Restricted Sites Zone - Local Computer
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. If you enable this policy setting, Windows Restrictions security will not apply in this zone.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4119-4
CCE-208
Allow status bar updates via script - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this policy setting, script is allowed to update the status bar.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4031-1
CCE-129
Automatic prompting for file downloads - Restricted Sites Zone - Local Computer
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4053-5
CCE-175
Download signed ActiveX controls - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user intervention.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4057-6
CCE-52
Download unsigned ActiveX controls - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-3564-2
CCE-1012
Initialize and script ActiveX controls not marked as safe - Restricted Sites Zone - Local Computer
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4101-2
CCE-26
Java permissions - Restricted Sites Zone - Local Computer
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-3996-6
CCE-925
Launching applications and files in an IFRAME - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4066-7
CCE-339
Logon Options - Restricted Sites Zone - Local Computer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the following logon options.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-3696-2
CCE-128
Loose or un-compiled XAML files - Restricted Sites Zone - Local Computer
These are eXtensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that leverage the Windows Presentation Foundation.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-3590-7
CCE-639
Navigate sub-frames across different domains - Restricted Sites Zone - Local Computer
This policy setting allows you to manage the opening of sub-frames and access of applications across different domains. If you enable this policy setting, users can open sub-frames from other domains and access applications from other domains.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4110-3
CCE-995
Open files based on content, not file extension - Restricted Sites Zone - Local Computer
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4132-7
CCE-409
Run .NET Framework-reliant components not signed with Authenticode - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-3400-9
CCE-678
Run .NET Framework-reliant components signed with Authenticode - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4158-2
CCE-563
Run ActiveX controls and plugins - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If you enable this policy setting, controls and plug-ins can run without user intervention.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4163-2
CCE-841
Script ActiveX controls marked safe for scripting - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you enable this policy setting, script interaction can occur automatically without user intervention.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4202-8
CCE-973
Scripting of Java Applets - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy setting, scripts can access applets automatically without user intervention.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-3216-9
CCE-1000
Software channel permissions - Restricted Sites Zone - Local Computer
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the following options from the drop-down box.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-3855-4
CCE-520
Turn Off First-Run Opt-In - Restricted Sites Zone - Local Computer
Turn Off First-Run Opt-In
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4153-3
CCE-200
Turn On Protected Mode - Restricted Sites Zone - Local Computer
The "Turn on Protected Mode" setting should be configured correctly for the Restricted Sites Zone.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-3909-9
CCE-1211
Use Pop-up Blocker - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4018-8
CCE-660
Userdata Persistence - Restricted Sites Zone - Local Computer
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4040-2
CCE-28
Web Browser Applications - Restricted Sites Zone - Local Computer
These are browser-hosted, ClickOnce-deployed applications built using WinFX. These applications execute in a security sandbox and harness the power of the Windows Presentation Foundation platform for the Web.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4052-7
CCE-51
Web sites in less privileged Web content zones can navigate into this zone - Restricted Sites Zone - Local Computer
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
CCE-4215-0
CCE-698
Trusted Sites Zone - Local Computer - Local Compute
Trusted Sites Zone - Local Computer
display_mixed_content_trusted_sites_zone_local_computer_var
display_mixed_content_trusted_sites_zone_local_computer_var
0
0
1
3
java_permissions_trusted_sites_zone_local_computer_var
java_permissions_trusted_sites_zone_local_computer_var
0
0
65536
131072
196608
8388608
Display Mixed Content - Trusted Sites Zone - Local Computer
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
CCE-4087-3
CCE-31
Java permissions - Trusted Sites Zone - Local Computer
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
CCE-4845-4
CCE-675
Periodic Check for Updates - Local Computer
Periodic Check for Updates to Internet Explorer and Internet Tools - Local Computer
TurnOffChangingURLDisplay_LocalComputer_var
TurnOffChangingURLDisplay_LocalComputer_var
TurnOffConfiguringUpdateCheckInterval_LocalComputer_var
TurnOffConfiguringUpdateCheckInterval_LocalComputer_var
30
30
Turn Off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools - Local Computer
This policy setting allows checking for updates for Internet Explorer from the specified URL, included by default in Internet Explorer.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Component Updates\Periodic check for updates to Internet Explorer and Internet Tools
CCE-3204-5
CCE-946
Turn Off Configuring the Update Check Interval (In Days) - Local Computer
This setting specifies the update check interval. The default value is 30 days. If you enable this policy setting, the user will not be able to configure the update check interval. You have to specify the update check interval.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Component Updates\Periodic check for updates to Internet Explorer and Internet Tools
CCE-4098-0
CCE-237
Security Features Policy
todo - description needed
EnableNativeXMLHttpSupport_LocalComputer_var
EnableNativeXMLHttpSupport_LocalComputer_var
0
0
1
Enable Native XMLHttp Support - Local Computer
Enable Native XMLHttp Support - Local Computer
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features
CCE-4259-8
CCE-528
Consistent Mime Handling - Local Computer
Consistent Mime Handling - Local Computer
IEProcesses_ConsistentMimeHandling_LocalComputer_1_var
IEProcesses_ConsistentMimeHandling_LocalComputer_1_var
1
0
1
IEProcesses_ConsistentMimeHandling_LocalComputer_2_var
IEProcesses_ConsistentMimeHandling_LocalComputer_2_var
1
0
1
IEProcesses_ConsistentMimeHandling_LocalComputer_3_var
IEProcesses_ConsistentMimeHandling_LocalComputer_3_var
1
0
1
Internet Explorer Processes - Consistent Mime Handling - Local Computer
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Consistent Mime Handling
CCE-4047-7
CCE-382
Mime Sniffing Safety Feature - Local Computer
Mime Sniffing Safety Feature - Local Computer
IEProcesses_MimeSniffingSafetyFeature_LocalComputer_1_var
IEProcesses_MimeSniffingSafetyFeature_LocalComputer_1_var
1
0
1
IEProcesses_MimeSniffingSafetyFeature_LocalComputer_2_var
IEProcesses_MimeSniffingSafetyFeature_LocalComputer_2_var
1
0
1
IEProcesses_MimeSniffingSafetyFeature_LocalComputer_3_var
IEProcesses_MimeSniffingSafetyFeature_LocalComputer_3_var
1
0
1
Internet Explorer Processes - Mime Sniffing Safety Feature - Local Computer
MIME sniffing is the process of examining the content of a MIME file to determine its context — whether it is a data file, an executable file, or some other type of file.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Mime Sniffing Safety Feature
CCE-4149-1
CCE-985
MK Protocol Security Restriction - Local Computer
MK Protocol Security Restriction - Local Computer
IEProcesses_MKProtocolSecurityRestriction_LocalComputer_1_var
IEProcesses_MKProtocolSecurityRestriction_LocalComputer_1_var
1
0
1
IEProcesses_MKProtocolSecurityRestriction_LocalComputer_2_var
IEProcesses_MKProtocolSecurityRestriction_LocalComputer_2_var
1
0
1
IEProcesses_MKProtocolSecurityRestriction_LocalComputer_3_var
IEProcesses_MKProtocolSecurityRestriction_LocalComputer_3_var
1
0
1
Internet Explorer Processes - MK Protocol Security Restriction - Local Computer
The MK Protocol Security Restriction policy setting reduces attack surface area by blocking the seldom used MK protocol. Some older Web applications use the MK protocol to retrieve information from compressed files.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction
CCE-3338-1
CCE-591
Protection From Zone Elevation - Local Computer
Protection From Zone Elevation - Local Computer
IEProcesses_ProtectionFromZoneElevation_LocalComputer_1_var
IEProcesses_ProtectionFromZoneElevation_LocalComputer_1_var
1
0
1
IEProcesses_ProtectionFromZoneElevation_LocalComputer_2_var
IEProcesses_ProtectionFromZoneElevation_LocalComputer_2_var
1
0
1
IEProcesses_ProtectionFromZoneElevation_LocalComputer_3_var
IEProcesses_ProtectionFromZoneElevation_LocalComputer_3_var
1
0
1
Internet Explorer Processes - Protection From Zone Elevation - Local Computer
Internet Explorer places restrictions on each Web page it opens that are dependent upon the location of the Web page (such as Internet zone, Intranet zone, or Local Machine zone).
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation
CCE-4043-6
CCE-347
Restrict ActiveX Install - Local Computer
Restrict ActiveX Install - Local Computer
IEProcesses_RestrictActiveXInstall_LocalComputer_1_var
IEProcesses_RestrictActiveXInstall_LocalComputer_1_var
1
0
1
IEProcesses_RestrictActiveXInstall_LocalComputer_2_var
IEProcesses_RestrictActiveXInstall_LocalComputer_2_var
1
0
1
IEProcesses_RestrictActiveXInstall_LocalComputer_3_var
IEProcesses_RestrictActiveXInstall_LocalComputer_3_var
1
0
1
Internet Explorer Processes - Restrict ActiveX Install - Local Computer
The Restrict ActiveX Install\Internet Explorer Processes policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install
CCE-3924-8
CCE-119
Restrict File Download - Local Computer
Restrict File Download - Local Computer
IEProcesses_RestrictFileDownload_LocalComputer_1_var
IEProcesses_RestrictFileDownload_LocalComputer_1_var
1
0
1
IEProcesses_RestrictFileDownload_LocalComputer_2_var
IEProcesses_RestrictFileDownload_LocalComputer_2_var
1
0
1
IEProcesses_RestrictFileDownload_LocalComputer_3_var
IEProcesses_RestrictFileDownload_LocalComputer_3_var
1
0
1
Internet Explorer Processes - Restrict File Download - Local Computer
In certain circumstances, Web sites can initiate file download prompts without interaction from users. This technique can allow Web sites to put unauthorized files on users' hard drives if they click the wrong button and accept the download.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download
CCE-4122-8
CCE-668
Scripted Window Security Restrictions - Local Computer
Scripted Window Security Restrictions - Local Computer
IEProcesses_ScriptedWindowSecurityRestrictions_LocalComputer_1_var
IEProcesses_ScriptedWindowSecurityRestrictions_LocalComputer_1_var
1
0
1
IEProcesses_ScriptedWindowSecurityRestrictions_LocalComputer_2_var
IEProcesses_ScriptedWindowSecurityRestrictions_LocalComputer_2_var
1
0
1
IEProcesses_ScriptedWindowSecurityRestrictions_LocalComputer_3_var
IEProcesses_ScriptedWindowSecurityRestrictions_LocalComputer_3_var
1
0
1
Internet Explorer Processes - Scripted Window Security Restrictions - Local Computer
Internet Explorer allows scripts to programmatically open, resize, and reposition various types of windows. Often, disreputable Web sites will resize windows to either hide other windows or force you to interact with a window that contains malicious code.
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions
CCE-4162-4
CCE-827
Local User Policy
todo - description needed
configure_outlook_express_local_user_var
configure_outlook_express_local_user_var
0
0
1
DisableAutoCompleteForForms_LocalUser_1_var
DisableAutoCompleteForForms_LocalUser_1_var
no
no
yes
DisableAutoCompleteForForms_LocalUser_2_var
DisableAutoCompleteForForms_LocalUser_2_var
1
1
DisableExternalBrandingOfIE_LocalUser_var
DisableExternalBrandingOfIE_LocalUser_var
1
1
DisableInternetConnectionWizard_LocalUser_var
DisableInternetConnectionWizard_LocalUser_var
1
1
DisableResetWebSettingsFeature_LocalUser_var
DisableResetWebSettingsFeature_LocalUser_var
1
1
TurnOnAutoCompleteFeatureForUserNamesAndPasswords_LocalUser_1_var
TurnOnAutoCompleteFeatureForUserNamesAndPasswords_LocalUser_1_var
no
no
yes
TurnOnAutoCompleteFeatureForUserNamesAndPasswords_LocalUser_2_var
TurnOnAutoCompleteFeatureForUserNamesAndPasswords_LocalUser_2_var
1
1
TurnOffPageTransitions_LocalUser_var
TurnOffPageTransitions_LocalUser_var
0
0
1
TurnOnInternetConnectionWizardAutoDetect_LocalUser_var
TurnOnInternetConnectionWizardAutoDetect_LocalUser_var
1
0
1
Configure Outlook Express - Local User
The Configure Outlook Express setting allows administrators to enable and disable the ability for Microsoft Outlook Express users to save or open attachments that can potentially contain a virus.
GPO
User Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3275-5
CCE-963
Disable AutoComplete for forms - Local User
This AutoComplete feature suggests possible matches when users are filling up forms. If you enable this setting, the user is not suggested matches when filling forms. The user cannot change it.
GPO
User Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-4246-5
CCE-478
Disable external branding of Internet Explorer - Local User
Prevents branding of Internet programs, such as customization of Internet Explorer and Outlook Express logos and title bars, by another party.
GPO
User Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-4237-4
CCE-1051
Disable Internet Connection wizard - Local User
Prevents users from running the Internet Connection Wizard.
GPO
User Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3825-7
CCE-769
Disable the Reset Web Settings feature - Local User
Prevents users from restoring default settings for home and search pages. If you enable this policy, the Reset Web Settings button on the Programs tab in the Internet Options dialog box appears dimmed.
GPO
User Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-4226-7
CCE-625
Turn on the auto-complete feature for user names and passwords on forms - Local User
This AutoComplete feature can remember and suggest User names and passwords on Forms. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords".
GPO
User Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-3647-5
CCE-721
Turn off page transitions - Local User
This policy setting specifies if, as you move from one Web page to another, Internet Explorer fades out of the page you are leaving and fades into the page to which you are going. If you enable this policy setting, page transitions will be turned off.
GPO
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced Settings\Browsing
CCE-4056-8
CCE-71
Turn on the Internet Connection Wizard Auto Detect - Local User
This policy setting determines if the Internet Connection Wizard was completed. If it was not completed, it launches the Internet Connection Wizard.
GPO
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced Settings\Internet Connection Wizard Settings
CCE-4036-0
CCE-258
Security Patches
Securing a given computer has become increasingly important. As such, it is essential to keep a host up to current patch levels to eliminate known vulnerabilities and weaknesses. In conjunction with antivirus software and a personal firewall, patching goes a long way to securing a host against outside attacks and exploitation. Microsoft provides two mechanisms for distributing security updates: Automatic Updates and Microsoft Update. In smaller environments, either method may be sufficient for keeping systems current with patches. Other environments typically have a software change management control process or a patch management program that tests patches before deploying them; distribution may then occur through local Windows Update Services (WUS) or Windows Server Update Services (WSUS) servers, which provide approved security patches for use by the Automatic Updates feature.
Security Patches Up-To-Date
Keep systems up to current patch levels to eliminate known vulnerabilities and weaknesses.