Group Policy Settings for Creating a Steady State
Microsoft Corporation
Published: September 2010

Abstract
This document is intended for IT pros who support shared-computer access in business
environments such as schools, libraries, and Internet cafes. This document describes Group
Policy settings that you can use to configure computer and user settings and prevent users from
changing those settings. It supports the resource, Creating a Steady State by Using Microsoft
Technologies.
Copyright information
This document is provided “as-is.” Information and views expressed in this document, including
URL and other Internet website references, may change without notice. You bear the risk of using
it.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
Contents
Group Policy Settings for Creating a Steady State
Windows SteadyState
  Global Computer Settings
  User Settings
  Block Programs
Group Policy Settings
  Add Logoff to the Start Menu
  Always open All Control Panel Items when opening Control Panel
  Disable AutoComplete for forms
  Disable changing home page settings
  Disable Context menu
  Disable customizing browser toolbar buttons
  Disable customizing browser toolbars
  Disable the Advanced page
  Disable the Connections page
  Disable the Content page
  Disable the General page
  Disable the Privacy page
  Disable the Programs page
  Disable the Security page
  Do not keep history of recently opened documents
  Do not move deleted files to the Recycle Bin
  Empty Temporary Internet Files folder when browser is closed
  File menu: Disable New menu option
  Force classic Start menu
  Hide Favorites menu
  Hide Network Locations icon on desktop
  Hide the notification area
  Hide these specified drives in My Computer
  Interactive logon: Do not display last user name
  Lock the Taskbar
  Network access: Do not allow storage of credentials or .NET Passports for network authentication
  Network security: Do not store LAN Manager hash value on next password change
  Prevent access to drives from My Computer
  Prevent access to registry editing tools
  Prevent access to the command prompt
  Prevent adding, dragging, dropping and closing the Taskbar's toolbars
  Prevent addition of printers
  Prevent changes to Taskbar and Start Menu Settings
  Prevent deletion of printers
  Prohibit access to the Control Panel
  Removable Disks: Deny write access
  Remove "Map Network Drive" and "Disconnect Network Drive"
  Remove access to the context menus for the taskbar
  Remove CD Burning features
  Remove Change Password
  Remove common program groups from Start Menu
  Remove Default Programs link from the Start menu
  Remove Documents icon from Start Menu
  Remove drag-and-drop and context menus on the Start menu
  Remove Favorites menu from Start menu
  Remove frequent programs list from the Start menu
  Remove Help menu from Start menu
  Remove links and access to Windows Update
  Remove Lock Computer
  Remove Music icon from Start menu
  Remove My Documents icon on the desktop
  Remove Network Connections from Start menu
  Remove Network icon from Start menu
  Remove Pictures icon from Start menu
  Remove programs on Settings menu
  Remove Recent Items menu from Start menu
  Remove Recycle Bin icon from desktop
  Remove Run menu from Start menu
  Remove Task Manager
  Remove Windows Explorer's default context menu
  Removes the Folder Options menu item from the Tools menu
  Restrict users to the explicitly permitted list of snap-ins
  Search: Disable Find Files via F3 within the browser
  Shutdown: Allow system to be shut down without having to log on
  Tools menu: Disable Internet Options... menu option
  Turn off AutoPlay
  Turn off displaying the Internet Explorer Help menu
  Turn off feed and Web Slices discovery
  Turn off Print menu
  Section Heading
  Turn off Windows+X hotkeys
  Turn on the auto-complete feature for user names and passwords on forms
  View menu: Disable Full Screen menu option
  View menu: Disable Source menu option

Group Policy Settings for Creating a Steady State
This document is part of a set of documents that is intended primarily for IT pros who configure
shared-computer access in business environments. But partners who support shared-computer
access in schools, libraries, and Internet cafes will also find the information useful. The document
set includes:
• Creating a Steady State by Using Microsoft Technologies: Describes the native Windows 7
features and free tools from Microsoft that you can use to create a steady state on computers
running Windows 7.
For a web version, see Creating a Steady State by Using Microsoft Technologies in the
Windows 7 Technical Library.
• Group Policy Settings for Creating a Steady State (this document): Describes Group Policy
settings that you can use to configure computer and user settings and prevent users from
changing those settings.
For a web version of this document, see Group Policy Settings for Creating a Steady State in
the Windows 7 Technical Library.
• The SteadyState Reference worksheet (a downloadable .xlsx file): Look up and filter settings
that the two previous documents describe. For example, you can quickly find information
about settings that are related to Start menu restrictions.
In this document:
• Windows SteadyState: Cross references the settings in Windows SteadyState™ with
comparable Group Policy settings.
• Group Policy Settings: Describes each of the Group Policy settings.

Note
To provide feedback or ask questions about the information that these documents
contain, please contact: Windows IT Pro Community.

Windows SteadyState
This section cross-references the settings in Windows SteadyState with comparable Group Policy
settings. In some cases, each Windows SteadyState setting corresponds to multiple Group Policy
settings. In other cases, no comparable Group Policy setting is available, and this section notes
that.

Global Computer Settings
The following tables cross-reference computer setup restrictions for privacy and security settings
in Windows SteadyState to Group Policy computer settings. For more information, see the
corresponding section in the Group Policy Settings section of this document.

Computer Setup Restrictions: Privacy Settings

| In Windows SteadyState | In Group Policy |
| --- | --- |
| Do not display user names in the “Log On to Windows” dialog box | Interactive logon: Do not display last user name |
| Prevent locked or roaming user profiles that cannot be found on the computer from logging on | A comparable Group Policy setting is not available; however, numerous policies for managing roaming user profiles are in Administrative Templates\System\User Profiles under the Computer Configuration and User Configuration nodes |
| Do not cache copies of locked or roaming user profiles for users who have previously logged on to this computer | A comparable Group Policy setting is not available; however, numerous policies for managing roaming user profiles are in Administrative Templates\System\User Profiles under the Computer Configuration and User Configuration nodes |

Computer Setup Restrictions: Security Settings

| In Windows SteadyState | In Group Policy |
| --- | --- |
| Remove the Administrator user name from the Welcome screen | A comparable Group Policy setting is not available because the Welcome screen is specific to Windows Vista® |
| Remove the Shut Down and Turn Off options from the “Log On to Windows” dialog box and the Welcome screen | Shutdown: Allow system to be shut down without having to log on |
| Do not allow Windows to compute and store passwords using LAN Manager Hash values | Network security: Do not store LAN Manager hash value on next password change |
| Do not store user names or passwords used to log on to Windows Live™ ID or the domain | Network access: Do not allow storage of credentials or .NET Passports for network authentication |
| Prevent users from creating folders and files on drive C | A comparable Group Policy setting is not available; however, you can configure permissions to prevent users from creating folders and files on drive C |
| Prevent users from opening Microsoft Office documents from within Internet Explorer® | A comparable Group Policy setting is not available |
| Prevent write access to USB storage devices | Removable Disks: Deny write access |
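
One way to confirm on a reference computer that the Group Policy equivalents in the two tables above have actually taken effect (an added example, not part of the Microsoft document). The registry locations and the expected values, which correspond to the SteadyState restriction being switched on, are assumptions of this example and are not listed on this page.

```powershell
# Added example, not part of the Microsoft document.
# Assumption: the registry locations below are where these computer policies
# are stored; they are not listed on this page. The expected values match the
# SteadyState restriction being switched on.
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$usb    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

$checks = @(
    @{ Policy = 'Interactive logon: Do not display last user name'
       Path = $system; Name = 'DontDisplayLastUserName'; Expected = 1 },
    @{ Policy = 'Shutdown: Allow system to be shut down without having to log on'
       Path = $system; Name = 'ShutdownWithoutLogon'; Expected = 0 },
    @{ Policy = 'Network security: Do not store LAN Manager hash value on next password change'
       Path = $lsa; Name = 'NoLMHash'; Expected = 1 },
    @{ Policy = 'Network access: Do not allow storage of credentials or .NET Passports for network authentication'
       Path = $lsa; Name = 'DisableDomainCreds'; Expected = 1 },
    @{ Policy = 'Removable Disks: Deny write access'
       Path = $usb; Name = 'Deny_Write'; Expected = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Check)

    # Read the value; a missing key or value leaves $actual as $null.
    $name   = $Check.Name
    $actual = $null
    $item   = Get-ItemProperty -LiteralPath $Check.Path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = $item.$name }

    if ($null -eq $actual)                         { $status = 'Not set' }
    elseif ([int]$actual -eq [int]$Check.Expected) { $status = 'OK' }
    else                                           { $status = 'Drift' }

    New-Object PSObject -Property @{
        Policy   = $Check.Policy
        Expected = $Check.Expected
        Actual   = $actual
        Status   = $status
    }
}

$report = $checks | ForEach-Object { Test-PolicyValue $_ }
$report | Select-Object Policy, Expected, Actual, Status | Format-Table -AutoSize -Wrap

# Summarize how many settings are missing or differ from the expected value.
$needAttention = @($report | Where-Object { $_.Status -ne 'OK' }).Count
"Settings needing attention: $needAttention"
```

A result of "Not set" means the policy has not written a value on this computer, so the operating system default applies.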

User Settings
The following tables cross-reference user restrictions (for general user settings, Windows
settings, and feature settings) in Windows SteadyState to Group Policy user settings. For more
information, see the corresponding section in the Group Policy Settings section of this document.
General User Settings: General Settings

| In Windows SteadyState | In Group Policy |
| --- | --- |
| Lock profile to prevent the user from making permanent changes | A comparable Group Policy setting is not available; however, using mandatory user profiles provides similar functionality (see Creating a Steady State by Using Microsoft Technologies) |

General User Settings: Session Timers

| In Windows SteadyState | In Group Policy |
| --- | --- |
| Log off after _ minutes of use | A comparable Group Policy setting is not available; however, you can simulate this functionality by using a logon script |
| Log off after _ minutes idle | A comparable Group Policy setting is not available; however, Task Scheduler provides similar functionality |
| Always display the session countdown | A comparable Group Policy setting is not available |
| Restart computer after logoff | A comparable Group Policy setting is not available; however, you can simulate this functionality by using Task Scheduler to run Shutdown.exe after detecting a logoff event |
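
The "Restart computer after logoff" workaround in the table above, written out as an added example (not part of the Microsoft document). The task name is hypothetical, and using Security event 4647 ("User initiated logoff") as the logoff event is an assumption of this example; the page does not name a specific event.

```powershell
# Added example, not part of the Microsoft document.
# Assumptions: the task name is hypothetical; Security event 4647
# ("User initiated logoff") is used as the logoff event. That event is only
# recorded while success auditing of the Logoff subcategory is enabled, and
# the subcategory name below is the English one.
# Run from an elevated PowerShell prompt.

$taskName = 'SteadyState-RestartAfterLogoff'   # hypothetical name
$query    = '*[System/EventID=4647]'           # XPath filter on the Security log

# 1. Show the current audit setting for logoff events. If it reports
#    "No Auditing", the trigger created below never fires.
auditpol.exe /get /subcategory:Logoff

# 2. Create a task that runs as SYSTEM and restarts the computer as soon as
#    the logoff event is written. /F overwrites an existing task of that name.
schtasks.exe /Create /TN $taskName /SC ONEVENT /EC Security /MO $query `
             /TR 'shutdown.exe /r /t 0' /RU SYSTEM /F
if ($LASTEXITCODE -ne 0) {
    throw "schtasks.exe failed with exit code $LASTEXITCODE"
}

# 3. Display the registered task so the trigger and action can be reviewed.
schtasks.exe /Query /TN $taskName /V /FO LIST
```

To undo the change, delete the task with `schtasks.exe /Delete /TN SteadyState-RestartAfterLogoff /F`.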

Windows Restrictions: Start Menu Restrictions

| In Windows SteadyState | In Group Policy |
| --- | --- |
| Prevent right-click in the Start menu | Remove drag-and-drop and context menus on the Start Menu |
| Allow only the Classic Start menu | Force classic Start Menu; Remove links and access to Windows Update; Add Logoff to the Start Menu |
| Remove the Control Panel, Printer, and Network Settings from the Classic Start menu | Remove programs on Settings menu |
| Remove the My Documents icon | Remove My Documents icon on the desktop; Remove Documents icon from Start Menu |
| Remove the My Recent Documents icon | Remove Recent Items menu from Start Menu; Do not keep history of recently opened documents |
| Remove the My Pictures icon | Remove Pictures icon from Start Menu |
| Remove the My Music icon | Remove Music icon from Start Menu |
| Remove the Favorites icon | Remove Favorites menu from Start Menu |
| Remove the My Network Places icon | Remove Network icon from Start Menu; Hide Network Locations icon on desktop; Remove "Map Network Drive" and "Disconnect Network Drive" |
| Remove the Frequently Used Programs list | Remove frequent programs list from the Start Menu |
| Prevent programs in the All Users folder from appearing | Remove common program groups from Start Menu |
| Remove the Control Panel icon | Prohibit access to the Control Panel |
| Remove the Set Program Access and Defaults icon | Remove Default Programs link from the Start menu |
| Remove the Network Connections (Connect To) icon | Remove Network Connections from Start Menu |
| Remove the Printers and Faxes icon | A comparable Group Policy setting is not available |
| Remove the Run icon | Remove Run menu from Start Menu |
| Remove the Shut Down button | Prevent adding, dragging, dropping and closing the Taskbar's toolbars |
| Remove the Help and Support icon | Remove Help menu from Start Menu |

Windows Restrictions: General Restrictions

| In Windows SteadyState | In Group Policy |
| --- | --- |
| Prevent right-click in Windows Explorer | Remove Windows Explorer's default context menu; Remove access to the context menus for the taskbar |
| Prevent AutoPlay on CD, DVD, and USB drives | Turn off Autoplay |
| Prevent access to Windows Explorer feature: Folder Options, Customize Toolbar, and the Notification Area | Remove the Folder Options menu item from the Tools menu; Disable customizing browser toolbar buttons; Disable customizing browser toolbars; Hide the notification area |
| Prevent changes to Windows Explorer's advanced registry settings | A comparable Group Policy setting is not available; however, many policies for managing Windows Explorer are available in User Configuration\Administrative Templates\Windows Components\Windows Explorer |
| Use Control Panel Classic View | Always open All Control Panel Items when opening Control Panel |
| Prevent access to the taskbar | Prevent changes to Taskbar and Start menu settings; Lock the Taskbar |
| Prevent access to the command prompt | Prevent access to the command prompt |
| Prevent access to the registry editor | Prevent access to registry editing tools |
| Prevent access to Task Manager | Remove Task Manager |
| Prevent access to Microsoft Management Console utilities | Restrict users to the explicitly permitted list of snap-ins |
| Prevent users from adding or removing printers | Prevent addition of printers; Prevent deletion of printers |
| Prevent users from locking the computer | Remove Lock Computer |
| Prevent password changes (also requires that the Control Panel icon is removed) | Remove Change Password |
| Remove CD and DVD burning features | Remove CD Burning features |
| Disable keyboard shortcuts that use the Windows Logo key | Turn off Windows+X hotkeys |
| Allow only programs in the Program Files and Windows folders to run | See the section titled “Blocking Applications” in Creating a Steady State by Using Microsoft Technologies |
| Disable System Tools and other management programs | See the section titled “Blocking Applications” in Creating a Steady State by Using Microsoft Technologies |
| Disable Notepad and WordPad | See the section titled “Blocking Applications” in Creating a Steady State by Using Microsoft Technologies |
| Remove the Recycle Bin icon | Do not move deleted files to the Recycle Bin; Remove Recycle Bin icon from desktop |
| Prevent users from saving files to the desktop | A comparable Group Policy setting is not available; however, you can configure permissions to prevent users from creating folders and files on the desktop |

Windows Restrictions: Hide Drives

| In Windows SteadyState | In Group Policy |
| --- | --- |
| Select the drives you want to hide from the user | Hide these specified drives in My Computer; Prevent access to drives from My Computer |

Feature Restrictions: Internet Explorer Restrictions

| In Windows SteadyState | In Group Policy |
| --- | --- |
| Prevent Internet access (except Web sites below) | A comparable Group Policy setting is not available; however, you can restrict access to websites by configuring the firewall |
| Prevent changes to Internet Explorer registry settings | A comparable Group Policy setting is not available; however, numerous policies for managing Internet Explorer settings are in Administrative Templates\Windows Components\Internet Explorer under the Computer Configuration and User Configuration nodes |
| Prevent right-click in Internet Explorer | Disable Context menu |
| Prevent printing | Turn off Print Menu |
| Do not allow access to Favorites | Hide Favorites menu |
| Disable AutoComplete | Disable AutoComplete for forms; Turn on the auto-complete feature for user names and passwords on forms |
| Empty the Temporary Internet Files folder when Internet Explorer is closed | Empty Temporary Internet Files folder when browser is closed |
| Disable RSS Feeds (Internet Explorer 7 only) | Turn off the feed list; Turn off feed and Web Slices discovery |

Feature Restrictions: Internet Explorer Restrictions, Menu Options

| In Windows SteadyState | In Group Policy |
| --- | --- |
| Remove View Source | View menu: Disable Source menu option |
| Remove Find Files | Search: Disable Find Files by clicking F3 within the browser window |
| Remove Theater Mode | View menu: Disable Full Screen menu option |
| Remove Help menu | Turn off displaying the Internet Explorer Help Menu |
| Remove Internet Options | Tools menu: Disable Internet Options... menu option |
| Remove expanded New menu | A comparable Group Policy setting is not available |
| Remove General tab in Internet Options | Disable the General page |
| Remove Security tab in Internet Options | Disable the Security page |
| Remove Privacy tab in Internet Options | Disable the Privacy page |
| Remove Content tab in Internet Options | Disable the Content page |
| Remove Connections tab in Internet Options | Disable the Connections page |
| Remove Programs tab in Internet Options | Disable the Programs page |
| Remove Advanced tab in Internet Options | Disable the Advanced page |
| Remove New Windows menu option | File menu: Disable New menu option |

Feature Restrictions: Internet Explorer Restrictions, Toolbar Options

| In Windows SteadyState | In Group Policy |
| --- | --- |
| Search | A comparable Group Policy setting is not available for Internet Explorer 7 |
| Folders | A comparable Group Policy setting is not available for Internet Explorer 7 |
| Edit | A comparable Group Policy setting is not available for Internet Explorer 7 |
| Discussions | A comparable Group Policy setting is not available for Internet Explorer 7 |
| Encoding | A comparable Group Policy setting is not available for Internet Explorer 7 |
| Size | A comparable Group Policy setting is not available for Internet Explorer 7 |
| Full Screen | A comparable Group Policy setting is not available for Internet Explorer 7 |
| Media | A comparable Group Policy setting is not available for Internet Explorer 7 |
| Print | A comparable Group Policy setting is not available for Internet Explorer 7 |
| History | A comparable Group Policy setting is not available for Internet Explorer 7 |
| Tools | A comparable Group Policy setting is not available for Internet Explorer 7 |
| Non-Microsoft extension buttons | A comparable Group Policy setting is not available for Internet Explorer 7 |
| Command Bar | A comparable Group Policy setting is not available for Internet Explorer 7 |

Feature Restrictions: Home Page

| In Windows SteadyState | In Group Policy |
| --- | --- |
| Home Page | Disable changing home page settings |


Web Addresses Allowed

Block Programs
The following table references information about blocking programs in Windows SteadyState and
with Group Policy settings.

| In Windows SteadyState | In Group Policy |
| --- | --- |
| Block Programs | See Blocking Applications in Creating a Steady State by Using Microsoft Technologies |

Group Policy Settings


This section describes each of the Group Policy settings that are listed in the section Windows
SteadyState. For each Group Policy setting, this section lists the location within the Group Policy
Editor, the recommended values, and a description of the policy.
Windows SteadyState defines three security levels—High, Medium, and Low. These security
levels provide a shortcut for configuring the many settings that it exposed. For example, clicking
the High security level might enable a setting, whereas clicking the Medium or Low security level
would disable the setting. The recommendations for most of the Group Policy settings
represented in this section are based on Windows SteadyState security levels.

Add Logoff to the Start Menu
Location: User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended:
High: Enabled
Medium: Enabled
Low: Enabled

Description: This policy setting applies only to the classic version of the Start Menu, and it does not affect the new style Start Menu.
This setting adds the Log Off <username> item to the Start Menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off <username> item from the Start Menu.
If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item.
This setting affects the Start Menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del.

Note
To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff.

Always open All Control Panel Items when opening Control Panel
Location: User Configuration\Administrative Templates\Control Panel

Recommended:
High: Disabled
Medium: Disabled
Low: Disabled

Description: This policy sets All Control Panel Items as the default Control Panel view.
If the policy is disabled, Control Panel Home is the default view.

Disable AutoComplete for forms


Location: User Configuration\Administrative Templates\Windows Components\Internet Explorer

Recommended:
High: Enabled
Medium: Enabled
Low: Disabled

Description: The AutoComplete feature suggests possible matches when users are filling in forms.
If you enable this setting, the user does not receive suggested matches when filling in forms. The user cannot change this setting.
If you disable this setting, the user receives suggested matches when filling in forms.
If you do not configure this setting, the user has the freedom to turn on the AutoComplete feature for forms.
To display this option, users can open the Internet Options dialog box, click the Contents tab, and then click Settings.

Disable changing home page settings


Location: User Configuration\Administrative Templates\Windows Components\Internet Explorer

Recommended: http://www.bing.com/

Description: The home page that is specified on the General tab of the Internet Options dialog box is the default webpage that Internet Explorer® loads whenever it is run.
If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the users' computers. For computers that are Internet Explorer 7 or Internet Explorer 8, the home page can be set within this policy to override other home page policies.
If you disable or do not configure this policy setting, the home page box is enabled and users can choose their own home page.

Disable Context menu


Location: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

Recommended:
High: Disabled
Medium: Disabled
Low: Disabled

Description: This setting prevents the shortcut menu from appearing when users click the right mouse button while using the browser.
If you enable this policy, the shortcut menu will not appear when users point to a webpage, and then click the right mouse button.
If you disable this policy or do not configure it, users can use the shortcut menu.
You can use this policy to ensure that users do not use the shortcut menu as an alternate method of running commands that have been removed from other parts of the interface.

Disable customizing browser toolbar buttons
Location: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Toolbars

Recommended:
High: Enabled
Medium: Disabled
Low: Disabled

Description: This policy prevents users from determining which buttons appear on the Internet Explorer and Windows Explorer standard toolbars. The buttons that appear on the toolbar can be customized with the Customize option. This is present on the Toolbars submenu of the View menu in Internet Explorer 6 and under the Toolbars submenu on the Tools menu in the Command bar in Internet Explorer 7 and Internet Explorer 8.
If you enable this policy, the Customize option will be removed from the menu.
If you disable this policy or do not configure it, users can customize which buttons appear on the Internet Explorer and Windows Explorer toolbars.
This policy can be used in coordination with the "Disable customizing browser toolbars" policy, which prevents users from determining which toolbars are displayed in Internet Explorer and Windows Explorer.

Disable customizing browser toolbars


Location: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Toolbars

Recommended:
High: Enabled
Medium: Disabled
Low: Disabled

Description: This setting prevents users from determining which toolbars are displayed in Internet Explorer and Windows Explorer.
If you enable this policy, the list of toolbars, which users can display by clicking the View menu and pointing to Toolbars, will appear unavailable.
If you disable this policy or do not configure it, users can determine which toolbars are displayed in Internet Explorer and Windows Explorer.
This policy can be used in coordination with the "Disable customizing browser toolbar buttons" policy, which prevents users from adding or removing toolbars from Internet Explorer.

Disable the Advanced page

Location User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting removes the Advanced tab from
the interface in the Internet Options dialog box.
If you enable this policy, users are prevented
from seeing and changing advanced Internet
settings, such as security, multimedia, and
printing.
If you disable this policy or do not configure it,
users can see and change these settings.
When you set this policy, you do not need to
set the "Disable changing Advanced page
settings" policy (located in \User
Configuration\Administrative
Templates\Administrative Templates\Windows
Components\Internet Explorer), because this
policy removes the Advanced tab from the
interface.

Disable the Connections page

Location User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This policy setting removes the Connections
tab from the interface in the Internet Options
dialog box.
If you enable this policy, users are prevented
from seeing and changing connection and
proxy settings.
If you disable this policy or do not configure it,
users can see and change these settings.
When you set this policy, you do not need to
set the following policies for the Connections
tab, because this policy removes the
Connections tab from the interface:
• "Disable Internet Connection Wizard"
• "Disable changing connection settings"
• "Disable changing proxy settings"
• "Disable changing Automatic Configuration settings"

Disable the Content page

Location User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description If you enable this policy setting, users are
prevented from seeing and changing ratings,
certificates, AutoComplete, Wallet, and Profile
Assistant settings.
If you disable this policy or do not configure it,
users can see and change these settings.

Disable the General page

Location User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting removes the General tab from the
interface in the Internet Options dialog box.
If you enable this policy, users are unable to
see and change settings for the home page, the
cache, history, webpage appearance, and
accessibility.
If you disable this policy or do not configure it,
users can see and change these settings.
When you set this policy, you do not need to
set the following Internet Explorer policies
(located in \User Configuration\Administrative
Templates\Administrative Templates\Windows
Components\Internet Explorer), because this
policy removes the General tab from the
interface:
• "Disable changing home page settings"
• "Disable changing Temporary Internet files settings"
• "Disable changing history settings"
• "Disable changing color settings"
• "Disable changing link color settings"
• "Disable changing font settings"
• "Disable changing language settings"
• "Disable changing accessibility settings"

Disable the Privacy page

Location User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting removes the Privacy tab from the
interface in the Internet Options dialog box.
If you enable this policy, users are prevented
from seeing and changing default settings for
privacy.
If you disable this policy or do not configure it,
users can see and change these settings.

Disable the Programs page

Location User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended High: Enabled
Medium: Enabled
Low: Disabled

Description This setting removes the Programs tab from the
interface in the Internet Options dialog box.
If you enable this policy, users are prevented
from seeing and changing default settings for
Internet programs.
If you disable this policy or do not configure it,
users can see and change these settings.
When you set this policy, you do not need to
set the following policies for the Programs tab,
because this policy removes the Programs tab
from the interface:
• "Disable changing Messaging settings"
• "Disable changing Calendar and Contact settings"
• "Disable the Reset Web Settings feature"
• "Disable changing default browser check"

Disable the Security page

Location User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting removes the Security tab from the
interface in the Internet Options dialog box.
If you enable this policy, users are prevented
from seeing and changing settings for security
zones such as scripting, downloads, and user
authentication.
If you disable this policy or do not configure it,
users can see and change these settings.
When you set this policy, you do not need to
set the following Internet Explorer policies,
because this policy removes the Security tab
from the interface:
• "Security zones: Do not allow users to change policies"
• "Security zones: Do not allow users to add/delete sites"

Do not keep history of recently opened documents

Location User Configuration\Administrative Templates\Start Menu and Taskbar

Note
Also see the "Remove Recent Items
menu from Start menu" and "Clear
history of recently opened documents
on exit" policies.

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting prevents the operating system and
installed programs from creating and displaying
shortcuts to recently opened documents.
If you enable this setting, the operating system
and Windows programs do not create shortcuts
to documents that are opened while the setting
is in effect. Also, they retain but do not display
existing document shortcuts. The operating
system empties the Recent Items menu on the
Start menu, and Windows programs do not
display shortcuts at the bottom of the File
menu. In addition, the submenus for programs
in the Start menu and Taskbar do not show lists
of recently or frequently used files, folders, or
websites.
If you disable or do not configure this setting,
the system will store and display shortcuts to
recently and frequently used files, folders, and
websites.

Note
The system saves document shortcuts
in the user profile in the
\Users\User-name\Recent folder.

If you enable this setting, but you do not enable
the "Remove Recent Items menu from Start
menu" setting, the Recent Items menu appears
on the Start menu, but it is empty.
If you enable this setting, but then you later
disable it or set it to Not Configured, the
document shortcuts that were saved before the
setting was enabled appear in the Recent Items
menu, program File menus, and submenus.
This setting does not hide or prevent the user
from pinning files, folders, or websites to the
Jump Lists. See the "Do not allow pinning items
in Jump Lists" setting. This policy also does not
hide tasks that the application has provided for
their Jump List. This setting does not hide
document shortcuts displayed in the Open
dialog box. See the "Hide the dropdown list of
recent files" setting.

Note
Non-Microsoft applications that are
certified with the Windows 2000,
Windows XP, Windows Vista or
Windows 7 operating systems must
adhere to this setting.

Do not move deleted files to the Recycle Bin

Location User Configuration\Administrative Templates\Windows Explorer

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description When a file or folder is deleted in Windows
Explorer, a copy of the file or folder is placed in
the Recycle Bin. You can use this setting to
change that behavior.
If you enable this setting, files and folders that
are deleted by using Windows Explorer will not
be placed in the Recycle Bin and therefore will
be permanently deleted.
If you disable or do not configure this setting,
files and folders that are deleted by using
Windows Explorer will be placed in the Recycle
Bin.

Empty Temporary Internet Files folder when browser is closed

Location User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This policy setting allows you to manage
whether Internet Explorer deletes the contents
of the Temporary Internet Files folder after all
browser windows are closed. This protects
against storing dangerous files on the computer
or storing sensitive files that other users could
see, in addition to managing total disk space
usage.
If you enable this policy setting, Internet
Explorer will delete the contents of the user's
Temporary Internet Files folder when all
browser windows are closed.
If you disable this policy setting, Internet
Explorer will not delete the contents of the
user's Temporary Internet Files folder when
browser windows are closed.
If you do not configure this policy, Internet
Explorer will not delete the contents of the
Temporary Internet Files folder when browser
windows are closed.

File menu: Disable New menu option

Location User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting prevents users from opening a new
browser window from the File menu.
If this policy is enabled, users cannot open a
new browser window by clicking the File menu,
pointing to the New menu, and clicking
Window. The user interface is not changed, but
a new window will not open, and the users will
be informed that the command is not available.
If you disable this policy or do not configure it,
users can open a new browser window from the
File menu.

Caution
This policy does not prevent users from
opening a new browser window by
right-clicking a link, and then clicking
the Open in New Window command.
To prevent users from using the
shortcut menu to open new browser
windows, you should also set the
"Disable Open in New Window menu
option" policy, which disables this
command on the shortcut menu, or set
the "Disable context menu" policy,
which disables the entire shortcut
menu.

Note
The user can still open new tabs.

Force classic Start menu

Location User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting affects the presentation of the Start
menu.
The classic Start menu in Windows 2000
Professional allows users to begin common
tasks, whereas the new Start menu
consolidates common items onto one menu.
When the classic Start Menu is used, the
following icons are placed on the desktop:
Documents, Pictures, Music, Computer, and
Network. The new Start menu starts them
directly.
If you enable this setting, the Start menu
displays the classic Start menu in the Windows
2000 style and displays the standard desktop
icons.
If you disable this setting, the Start menu opens
in the new style, and the desktop icons appear
on the Start page.
If you do not configure this setting, the default is
the new style, and the user can change the
view.

Hide Favorites menu

Location User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This policy setting prevents users from adding,
removing, editing, or viewing the list of Favorite
links.
The Favorites list is a way to store popular links
for future use.
If you enable this policy, the Favorites menu is
removed from the interface, and the Favorites
button on the browser toolbar appears
unavailable. The Add to Favorites command on
the shortcut menu is disabled, and when users
click it, they are informed that the command is
unavailable.
If you disable this policy or do not configure it,
users can manage their Favorites list.

Note
If you enable this policy, users also
cannot click Synchronize on the Tools
menu (in Internet Explorer 6) to
manage their favorite links that are set
up for offline viewing.

Hide Network Locations icon on desktop

Location User Configuration\Administrative Templates\Desktop

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This policy setting removes the Network
Locations icon from the desktop.
This setting affects only the desktop icon. It
does not prevent users from connecting to the
network or browsing for shared computers on
the network.

Note
In operating systems earlier than
Windows Vista, this policy applies to
the My Network Places icon.

Hide the notification area

Location User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting affects the notification area
(previously called the "system tray") on the
taskbar.
The notification area is located on the far right
side of the taskbar, and it includes the icons for
current notifications and the clock.
If this setting is enabled, the user's entire
notification area, including the notification icons,
is hidden. The taskbar displays only the Start
button, taskbar buttons, custom toolbars (if
any), and the clock.
If this setting is disabled or is not configured,
the notification area is shown in the user's
taskbar.

Note
Enabling this setting overrides the
"Turn off notification area cleanup"
setting because if the notification area
is hidden, there is no need to clean up
the icons.

Hide these specified drives in My Computer

Location User Configuration\Administrative Templates\Windows Explorer

Note
Also see the "Prevent access to drives
from My Computer" setting.

Recommended High: Restrict all drives
Medium: Disabled
Low: Disabled

Description This setting removes the icons that represent
selected hard disk drives from My Computer
and Windows Explorer. Also, the letters that
represent the selected drives do not appear in
the standard Open dialog box.
To use this setting, select a drive or
combination of drives in the drop-down list. To
display all drives, disable this setting or select
the "Do not restrict drives" option in the
drop-down list.

Note
This setting removes the hard disk
drive icons. Users can still gain access
to drive contents by using other
methods, such as by typing the path to
a directory on the drive in the Map
Network Drive dialog box, in the Run
dialog box, or in a Command Prompt
window.
This setting does not prevent users from using
programs to access these drives or their
contents. It does not prevent users from using
the Disk Management snap-in to view and
change drive characteristics.

Note
Non-Microsoft applications that are
certified with the Windows 2000,
Windows XP, Windows Vista or
Windows 7 operating systems must
adhere to this setting.

Interactive logon: Do not display last user name

Location Computer Configuration\Windows Settings\Local Policies\Security Options

Recommended Enabled
Default: Disabled

Description This security setting determines whether the
name of the last user to log on to the computer
is displayed in the Windows logon screen.
If this policy is enabled, the name of the last
user to successfully log on is not displayed in
the logon screen.
If this policy is disabled, the name of the last
user to log on is displayed.

Lock the Taskbar

Location User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting affects the taskbar, which is used
to switch between running applications.
The taskbar includes the Start button, the list of
currently running tasks, and the notification
area. By default, the taskbar is located at the
bottom of the screen, but it can be dragged to
any side of the screen. When it is locked, it
cannot be moved or resized.
If you enable this setting, users cannot move or
resize the taskbar. When the taskbar is locked,
auto-hide and other taskbar options are still
available in the taskbar's properties.
If you disable this setting or do not configure it,
users can configure the taskbar position.

Note
Enabling this setting also locks the
QuickLaunch bar and any other
toolbars that users have on their
taskbar. The toolbar's position is
locked, and users cannot show and
hide various toolbars by using the
taskbar's context menu.

Network access: Do not allow storage of credentials or .NET Passports for network authentication

Location Computer Configuration\Windows Settings\Local Policies\Security Options

Recommended Enabled
Default: Disabled

Description This security setting determines whether Stored
User Names and Passwords saves passwords,
credentials, or .NET Passports for later use
when it gains domain authentication.
If it is enabled, this setting prevents the Stored
User Names and Passwords from storing
passwords and credentials.

Note
When you configure this security
setting, changes will not take effect
until you restart Windows.

Network security: Do not store LAN Manager hash value on next password change

Location Computer Configuration\Windows Settings\Local Policies\Security Options

Recommended Enabled
Default on Windows Vista: Enabled
Default on Windows XP: Disabled.

Description This security setting determines if, at the next
password change, the LAN Manager hash
value for the new password is stored. The LAN
Manager hash value is relatively weak and
prone to attack, as compared with the
cryptographically stronger Windows NT® hash
value. Because the LAN Manager hash value is
stored on the local computer in the security
database, passwords can be compromised if
the security database is attacked.

Note
Windows 2000 Service Pack 2 (SP2)
and above offer compatibility with
authentication to previous versions of
Windows, such as Microsoft Windows
NT 4.0.
This setting can affect the ability of computers
running Windows 2000 Server, Windows 2000
Professional, Windows XP, and Windows
Server 2003 to communicate with computers
running Windows 95 and Windows 98.

Prevent access to drives from My Computer

Location User Configuration\Administrative Templates\Windows Explorer

Note
Also see the "Hide these specified
drives in My Computer" setting.

Recommended High: Restrict all drives
Medium: Disabled
Low: Disabled

Description This setting prevents users from using My
Computer to gain access to the content of
selected hard disk drives.
If you enable this setting, users can browse the
directory structure of the selected drives in My
Computer or Windows Explorer, but they
cannot open folders and access the contents.
Also, they cannot use the Run dialog box or the
Map Network Drive dialog box to view the
directories on these drives.
To use this setting, select a drive or
combination of drives from the drop-down list.
To allow access to all drive directories, disable
this setting or select the "Do not restrict drives"
option from the drop-down list.

Note
The icons that represent the specified
drives still appear in My Computer, but
if users double-click the icons, a
message appears to explain that a
setting prevents the action.
This setting does not prevent users from using
programs to access local and network drives. It
does not prevent them from using the Disk
Management snap-in to view and change drive
characteristics.
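
The gap between hiding a drive and blocking access to it, described in the two drive settings above, can be audited from the bitmasks the policies write. The following PowerShell is an added example, not part of the original document; it assumes the settings are stored as the DWORD values NoDrives and NoViewOnDrive under HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (bit 0 = A: through bit 25 = Z:), and the sample masks are constructed.

```powershell
# Added example (not from the original document): report which drive letters
# are hidden versus access-restricted for the current user.
# Assumption: "Hide these specified drives in My Computer" is stored as the
# DWORD NoDrives and "Prevent access to drives from My Computer" as the DWORD
# NoViewOnDrive, both under the key below, with bit 0 = A: ... bit 25 = Z:.
$ExplorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function ConvertFrom-DriveMask {
    # Expand a drive bitmask into the drive letters it selects.
    param([Parameter(Mandatory)][long]$Mask)
    foreach ($bit in 0..25) {
        if ($Mask -band ([long]1 -shl $bit)) { [char](65 + $bit) }
    }
}

function Compare-DrivePolicy {
    # Compare the two masks and flag drives covered by only one policy.
    param(
        [Parameter(Mandatory)][long]$NoDrives,
        [Parameter(Mandatory)][long]$NoViewOnDrive
    )
    $hidden  = @(ConvertFrom-DriveMask -Mask $NoDrives)
    $blocked = @(ConvertFrom-DriveMask -Mask $NoViewOnDrive)
    [pscustomobject]@{
        Hidden           = -join $hidden
        AccessBlocked    = -join $blocked
        # Icon removed, but the drive is still reachable through the Run
        # dialog box, Map Network Drive, or a Command Prompt window.
        HiddenOnly       = -join @($hidden  | Where-Object { $blocked -notcontains $_ })
        # Access refused, but the icon still appears in My Computer.
        BlockedOnly      = -join @($blocked | Where-Object { $hidden -notcontains $_ })
        # All 26 letter bits set corresponds to "Restrict all drives".
        AllDrivesHidden  = ($NoDrives -band 0x3FFFFFF) -eq 0x3FFFFFF
        AllDrivesBlocked = ($NoViewOnDrive -band 0x3FFFFFF) -eq 0x3FFFFFF
    }
}

function Get-DrivePolicy {
    # Read both masks for the current user. A missing key or value means the
    # policy is not configured, which is treated as mask 0 (no drives).
    param([string]$Path = $ExplorerPolicyKey)
    $masks = @{ NoDrives = 0; NoViewOnDrive = 0 }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in @($masks.Keys)) {
        if ($props -and $null -ne $props.$name) { $masks[$name] = [long]$props.$name }
    }
    Compare-DrivePolicy @masks
}

# Constructed sample values (not read from a real system): every drive is
# hidden, but only C: and D: are access-restricted.
Compare-DrivePolicy -NoDrives 67108863 -NoViewOnDrive 12 | Format-List

# On a managed workstation, audit the logged-on user's effective values:
# Get-DrivePolicy | Format-List
```

A non-empty HiddenOnly result identifies drives that are protected only by the missing icon.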

Prevent access to registry editing tools

Location User Configuration\Administrative Templates\System

Recommended High: Enabled
Medium: Enabled
Low: Disabled

Description This setting disables the Windows registry
editor Regedit.exe.
If this setting is enabled and the user tries to
start a registry editor, a message appears to
explain that a setting prevents the action.
To prevent users from using other
administrative tools, use the "Run only
specified Windows applications" setting.

Prevent access to the command prompt

Location User Configuration\Administrative Templates\System

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting prevents users from running the
interactive command prompt, Cmd.exe. This
setting also determines whether batch files
(.cmd and .bat) can run on the computer.
If you enable this setting and the user tries to
open a Command Prompt window, the system
displays a message to explain that a setting
prevents the action.

Note
Do not prevent the computer from
running batch files if the computer uses
logon, logoff, startup, or shutdown
batch file scripts, or for users that use
Remote Desktop Services.

Prevent adding, dragging, dropping and closing the Taskbar's toolbars

Location User Configuration\Administrative Templates\Desktop

Note
Also see the "Prohibit adjusting desktop
toolbars" setting.

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting prevents users from manipulating
desktop toolbars.
If you enable this setting, users cannot add or
remove toolbars from the desktop. Also, users
cannot drag toolbars on to or off of docked
toolbars.

Note
If users have added or removed
toolbars, this setting prevents them
from restoring the default configuration.

Tip
To view the toolbars that can be added
to the desktop, right-click a docked
toolbar (such as the taskbar), and point
to Toolbars.

Prevent addition of printers

Location User Configuration\Administrative Templates\Control Panel\Printers

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting removes the Add Printer option
from the Start menu. (To find the Add Printer
option, click Start, click Printers, and then click
Add Printer.) This setting also removes Add
Printer from the Printers folder in Control Panel.
Users cannot add printers by dragging a printer
icon into the Printers folder. If they try, a
message appears to explain that the setting
prevents the action.
However, this setting does not prevent users
from using the Add Hardware Wizard to add a
printer. Nor does it prevent users from running
other programs to add printers.
This setting does not delete printers that users
have already added. However, if users have not
added a printer when this setting is applied,
they cannot print.

Note
You can use printer permissions to
restrict the use of printers without
specifying a setting. In the Printers
folder, right-click a printer, click
Properties, and click the Security tab.
If this policy is disabled or not configured, users
can add printers by using the methods
described.

Prevent changes to Taskbar and Start Menu Settings

Location User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting removes the Taskbar and Start
Menu item from Settings on the Start Menu.
This setting also prevents the user from
opening the taskbar's Properties dialog box.
If the user right-clicks the taskbar and clicks
Properties, a message appears to explain that
a setting prevents the action.

Prevent deletion of printers

Location User Configuration\Administrative Templates\Control Panel\Printers

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting prevents users from deleting local
and network printers.
If a user tries to delete a printer, such as by
using the Delete option in Printers in Control
Panel, a message appears to explain that a
setting prevents the action.
This setting does not prevent users from
running other programs to delete a printer.
If this policy is disabled or not configured, users
can delete printers by using the methods
described.

Prohibit access to the Control Panel

Location User Configuration\Administrative Templates\Control Panel

Recommended High: Enabled
Medium: Enabled
Low: Disabled

Description This setting disables all Control Panel
programs.
This setting prevents Control.exe (the program
file for Control Panel) from starting. As a result,
users cannot start Control Panel or adjust any
Control Panel settings.
This setting also removes Control Panel from
the Start Menu and removes the Control Panel
folder from Windows Explorer.
If users try to select a Control Panel item from
the Properties item on a context menu, a
message appears to explain that a setting
prevents the action.

Removable Disks: Deny write access

Location Computer Configuration\Administrative Templates\System\Removable Storage Access

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This policy setting denies write access to
removable storage devices.
If you enable this policy setting, write access
will be denied to removable storage devices.
If you disable or do not configure this policy
setting, write access will be allowed to
removable storage devices.

Note
To require that users write data to
storage that is protected with
BitLocker™, enable the policy setting
"Deny write access to drives not
protected by BitLocker," which is
located in Computer
Configuration\Administrative
Templates\Windows
Components\BitLocker Drive
Encryption\Removable Data Drives.

Remove "Map Network Drive" and "Disconnect Network Drive"

Location User Configuration\Administrative Templates\Windows Explorer

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting prevents users from using
Windows Explorer or Network Locations to map
or disconnect network drives.
If you enable this setting, the system removes
the Map Network Drive and Disconnect
Network Drive commands from the toolbar and
Tools menus in Windows Explorer and Network
Locations and from menus that appear when
you right-click the Windows Explorer or
Network Locations icons.

This setting does not prevent users from
connecting to another computer by typing the
name of a shared folder in the Run dialog box.

Note
This setting was documented
incorrectly on the Explain tab in Group
Policy for Windows 2000. The Explain
tab states incorrectly that this setting
prevents users from connecting and
disconnecting drives.

Note
Non-Microsoft applications that are
certified with the Windows 2000,
Windows XP, Windows Vista or
Windows 7 operating systems must
adhere to this setting.

Remove access to the context menus for the taskbar

Location User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting hides the menus that appear when
you right-click the taskbar and items on the
taskbar, such as the Start button, the clock, and
the taskbar buttons.
This setting does not prevent users from using
other methods to issue the commands that
appear in these menus.

Remove CD Burning features

Location User Configuration\Administrative Templates\Windows Explorer

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description Windows Explorer allows you to create and
modify writable CDs if you have a CD writer
connected to your computer.
If you enable this setting, all features in
Windows Explorer that allow you to use your
CD writer are removed.
If you disable or do not configure this setting,
users are able to use the Windows Explorer CD
burning features.

Note
This setting does not prevent users
from using non-Microsoft applications
to create or modify CDs by using a CD
writer.

Remove Change Password

Location User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options

Recommended High: Enabled
Medium: Enabled
Low: Disabled

Description This setting prevents users from changing their
Windows password on demand.
This setting disables the Change Password
button on the Windows Security dialog box
(which appears when you press Ctrl+Alt+Del).
However, users are still able to change their
password when prompted by the operating
system. The system prompts users for a new
password when an administrator requires a
new password or when their password is
expiring.

Remove common program groups from Start Menu

Location User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting removes items in the All Users
profile from the Programs menu on the Start
Menu.
By default, the Programs menu contains items
from the All Users profile and items from the
user's profile. If you enable this setting, only
items in the user's profile appear in the
Programs menu.

Tip
To see the Program menu items in the
All Users profile, on the hard disk drive
that hosts the operating system, go to
ProgramData\Microsoft\Windows\Start
Menu\Programs.

Remove Default Programs link from the Start menu

Location User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting removes the Default Programs link
from the Start Menu.
Clicking the Default Programs link from the
Start Menu opens the Default Programs control
panel and allows you to specify default
programs for certain activities, such as Web
browsing or sending email. It also allows you to
determine which programs are accessible from
the Start Menu, desktop, and other locations.

Note
This setting does not prevent the Set
Default Programs for This
Computer option from appearing in the
Default Programs control panel.

Remove Documents icon from Start Menu

Location User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting removes the Documents icon from
the Start Menu and its submenus.
This setting removes only the icon. It does not
prevent the user from using other methods to
gain access to the contents of the Documents
folder.

Note
To make the changes to this setting
effective, you must log off and then log
on.

Remove drag-and-drop and context menus on the Start menu

Location User Configuration\Administrative Templates\Start Menu and Taskbar

Note
Also see the "Prevent changes to
Taskbar and Start menu Settings" and
the "Remove access to the context
menus for taskbar" settings.

Recommended High: Enabled
Medium: Enabled
Low: Disabled

Description This setting prevents users from using the
drag-and-drop method to reorder or remove items on
the Start menu. Also, it removes context menus
from the Start menu.
If you disable this setting or do not configure it,
users can remove or reorder Start menu items
by dragging and dropping the item. Users can
display context menus by right-clicking a Start
menu item.
This setting does not prevent users from using
other methods to customize the Start menu or
perform the tasks that are available from the
context menus.

Remove Favorites menu from Start menu

Location User Configuration\Administrative Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting prevents users from adding the
Favorites menu to the Start menu or classic
Start menu.
If you enable this setting, the Display Favorites
item does not appear in the Advanced Start
Menu options box.
If you disable or do not configure this setting,
the Display Favorites item is available.

Notes
The Favorites menu does not appear
on the Start menu by default. To
display the Favorites menu, right-click
Start, click Properties, and click
Customize.
If you are using the Start menu, click
the Advanced tab, and then under
Start Menu Items, click Favorites.
If you are using the classic Start menu,
under Advanced Start Menu Options,
click Display Favorites.

Note
The items that appear in the Favorites
menu when you install Windows are
preconfigured by the operating system
to appeal to most users. However,
users can add and remove items from
this menu, and system administrators
can create a customized Favorites
menu for a user group.

Note
This setting affects only the Start menu.
The Favorites menu still appears in
Windows Explorer and in Internet
Explorer.

Remove frequent programs list from the Start menu

Location User Configuration\Administrative
Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description If you enable this setting, the frequently used
programs list is removed from the Start menu.
If you disable this setting or do not configure it,
the frequently used programs list remains on
the simple Start menu.

Remove Help menu from Start menu


Location User Configuration\Administrative
Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting removes the Help and Support
option from the Start menu.
This setting affects only the Start menu. It does
not remove Help and Support from Windows
Explorer, and it does not prevent users from
running Help and Support.

Remove links and access to Windows Update


Location User Configuration\Administrative
Templates\Start Menu and Taskbar

Note
Also see the "Hide the 'Add programs
from Microsoft' option" setting.

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting prevents users from connecting to
the Windows Update website.
This setting blocks user access to the Windows
Update website at
http://windowsupdate.microsoft.com. Also, the
setting removes the Windows Update hyperlink
from the Start menu and from the Tools menu
in Internet Explorer.
Windows Update, the online extension of
Windows, offers software updates to keep a
user's system up-to-date. The Windows Update
Product Catalog determines operating system
files, security fixes, and Microsoft updates that
users need to update, and it shows the newest
versions that are available to download.

Remove Lock Computer


Location User Configuration\Administrative
Templates\System\Ctrl+Alt+Del Options

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting prevents users from locking the
computer.
When the computer is locked, the desktop is
hidden and the system cannot be used. Only
the user who locked the computer or the
system administrator can unlock it.

Tip
To lock a computer without configuring
a setting, press Ctrl+Alt+Delete, and
click Lock Computer.

Remove Music icon from Start menu


Location User Configuration\Administrative
Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting removes the Music icon from the
Start menu.

Remove My Documents icon on the desktop


Location User Configuration\Administrative
Templates\Desktop

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting removes the My Documents icon
from the desktop, from Windows Explorer, from
programs that use the Windows Explorer
windows, and from the standard Open dialog
box.
This setting does not prevent the user from
using other methods to gain access to the
contents of the My Documents folder.
This setting does not remove the My
Documents icon from the Start menu. To do so,
use the "Remove Documents icon from Start
Menu" setting.

Note
To make changes to this setting
effective, you must log off and then log
on.

Remove Network Connections from Start menu


Location User Configuration\Administrative
Templates\Start Menu and Taskbar

Note
Also see the "Disable programs on
Settings menu" and "Disable Control
Panel" settings and the settings in the
Network Connections folder (Computer
Configuration and User
Configuration\Administrative
Templates\Administrative
Templates\Network\Network
Connections).

Recommended High: Enabled
Medium: Enabled
Low: Disabled

Description This setting prevents users from running
Network Connections. This setting prevents the
Network Connections folder from opening. This
setting also removes Network Connections
from Settings on the Start menu.
Network Connections still appears in Control
Panel and in Windows Explorer, but if users try
to start it, a message appears to explain that a
setting prevents the action.

Remove Network icon from Start menu


Location User Configuration\Administrative
Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting removes the Network icon from the
Start menu.

Remove Pictures icon from Start menu


Location User Configuration\Administrative
Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting removes the Pictures icon from the
Start menu.

Remove programs on Settings menu


Location User Configuration\Administrative
Templates\Start Menu and Taskbar

Note
Also see the "Disable Control Panel,"
"Disable Display in Control Panel," and
"Remove Network Connections from
Start menu" settings.

Recommended High: Enabled
Medium: Enabled
Low: Disabled

Description This setting prevents Control Panel, Printers,
and Network Connections from running.
This setting removes the Control Panel,
Printers, and Network and Connection folders
from Start menu, Computer, and Windows
Explorer settings. It also prevents the programs
represented by these folders (such as
Control.exe) from running.
However, users can still start Control Panel
items by using other methods, such as right-
clicking the desktop to start Display or right-
clicking Computer to start System.

Remove Recent Items menu from Start menu


Location User Configuration\Administrative
Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting removes the Recent Items menu
from the Start menu, and it removes the
Documents menu from the classic Start menu.
The Recent Items menu contains links to the
non-program files that users have most recently
opened. It appears so that users can easily
reopen their documents.
If you enable this setting, the operating system
saves document shortcuts, but it does not
display the Recent Items menu in the Start
menu, and users cannot turn on the menu.
If you later disable the setting so that the
Recent Items menu appears in the Start menu,
the document shortcuts that were saved before
the setting was enabled and while it was in
effect appear in the Recent Items menu. When
the setting is disabled, the Recent Items menu
appears in the Start menu, and users cannot
remove it.
If the setting is not configured, users can turn
the Recent Items menu on and off.

Notes
This setting does not prevent Windows
programs from displaying shortcuts to
recently opened documents. See the
"Do not keep history of recently opened
documents" setting.
This setting also does not hide
document shortcuts that are displayed
in the Open dialog box. See the "Hide
the drop-down list of recent files"
setting.

Remove Recycle Bin icon from desktop


Location User Configuration\Administrative
Templates\Desktop

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting removes the Recycle Bin icon from
the desktop, from Windows Explorer, from
programs that use the Windows Explorer
windows, and from the standard Open dialog
box.
This setting does not prevent the user from
using other methods to gain access to the
contents of the Recycle Bin folder.

Note
To make changes to this setting
effective, you must log off and then log
on.

Remove Run menu from Start menu


Location User Configuration\Administrative
Templates\Start Menu and Taskbar

Recommended High: Enabled
Medium: Enabled
Low: Disabled

Description This setting allows you to remove the Run
command from the Start menu, Internet
Explorer, and Task Manager.
If you enable this setting, the following changes
occur:
• The Run command is removed from the
  Start menu.
• The New Task (Run) command is removed
  from Task Manager.
• The user will be blocked from performing
  the following tasks in the Internet Explorer
  address bar:
  • Entering a UNC path:
    \\<server>\<share>
  • Accessing local drives (for example,
    drive C)
  • Accessing local folders (for example,
    \temp>)
Also, users with extended keyboards can no
longer display the Run dialog box by pressing
the Application key (the key with the Windows
logo) + R.
If you disable or do not configure this setting,
users will be able to access the Run command
in the Start menu and in Task Manager and use
the Internet Explorer address bar.

Note
This setting affects the specified
interface only. It does not prevent users
from using other methods to run
programs.

Note
Non-Microsoft applications that are
certified with the Windows 2000,
Windows XP, Windows Vista or
Windows 7 operating systems must
adhere to this setting.

Remove Task Manager


Location User Configuration\Administrative
Templates\System\Ctrl+Alt+Del Options

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting prevents users from starting Task
Manager (Taskmgr.exe).
If this setting is enabled and users try to start
Task Manager, a message appears to explain
that a setting prevents the action.
Task Manager lets users start and stop
programs; monitor the performance of their
computers; view and monitor all programs
running on their computers, including system
services; find the executable names of
programs; and change the priority of the
process in which programs run.

Remove Windows Explorer's default context menu

Location User Configuration\Administrative
Templates\Windows Explorer

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting removes shortcut menus from the
desktop and Windows Explorer. Shortcut
menus appear when you right-click an item in
Windows Explorer.
If you enable this setting, menus do not appear
when you right-click the desktop or when you
right-click the items in Windows Explorer. This
setting does not prevent users from using other
methods to issue commands that are available
on the shortcut menus.

Removes the Folder Options menu item from the Tools menu

Location User Configuration\Administrative Templates\Windows
Explorer

Note
Also see the "Enable Active Desktop" setting in
User Configuration\Administrative
Templates\Administrative Templates\Desktop\Active
Desktop and the "Prohibit user configuration of
Offline Files" setting in User
Configuration\Administrative
Templates\Administrative
Templates\Network\Offline Files.

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting removes the Folder Options item from all
Windows Explorer menus and removes the Folder Options
item from Control Panel. As a result, users cannot use the
Folder Options dialog box.

Note
The Folder Options dialog box lets users set many
properties of Windows Explorer, such as Active
Desktop, Web view, Offline Files, hidden system
files, and file types.

Restrict users to the explicitly permitted list of snap-ins

Location User Configuration\Administrative
Templates\Windows Components\Microsoft
Management Console

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting lets you selectively permit or
prohibit the use of Microsoft Management
Console (MMC) snap-ins.
If you enable this setting, all snap-ins are
prohibited, except those that you explicitly
permit. Use this setting if you plan to prohibit
the use of most snap-ins.
To explicitly permit a snap-in, open the
Restricted/Permitted snap-ins folder and enable
the settings that represent the snap-in you want
to permit. If a snap-in setting in the folder is
disabled or not configured, the snap-in is
prohibited.
If you disable this setting or do not configure it,
all snap-ins are permitted, except those that
you explicitly prohibit. Use this setting if you
plan to permit the use of most snap-ins.
To explicitly prohibit a snap-in, open the
Restricted/Permitted snap-ins folder and
disable the settings that represent the snap-ins
you want to prohibit. If a snap-in setting in the
folder is enabled or not configured, the snap-in
is permitted.
When a snap-in is prohibited, it does not
appear in the Add/Remove Snap-in window in
the MMC. Also, when a user opens a console
file that includes a prohibited snap-in, the
console file opens, but the prohibited snap-in
does not appear.

Note
If you enable this setting, and you do
not enable any settings in the
Restricted/Permitted snap-ins folder,
users cannot use any MMC snap-ins.

Search: Disable Find Files via F3 within the browser

Location User Configuration\Administrative
Templates\Windows Components\Internet
Explorer

Recommended High: Enabled
Medium: Enabled
Low: Disabled

Description This setting disables using the F3 key to search
in Internet Explorer and Windows Explorer.
If you enable this policy, the search functionality
of the F3 key is disabled. Users cannot press
F3 to search the Internet (from Internet
Explorer) or to search the hard disk drive (from
Windows Explorer). If the user presses F3, a
message appears to explain that this feature
has been disabled.
If you disable this policy or do not configure it,
users can press F3 to search the Internet (from
Internet Explorer) or the hard disk drive (from
Windows Explorer).
This policy is intended for situations in which
administrators do not want users to explore the
Internet or the hard disk drive.
This policy can be used in coordination with the
"File Menu: Disable Open menu option" policy
(located in \User Configuration\Administrative
Templates\Administrative Templates\Windows
Components\Internet Explorer\Browser Menus),
which prevents users from opening files by
using the browser.

Shutdown: Allow system to be shut down without having to log on

Location Computer Configuration\Windows
Settings\Local Policies\Security Options

Recommended Disabled
Default on workstations: Enabled.
Default on servers: Disabled.

Description This security setting determines whether a
computer can be shut down without having to
log on to Windows.
When this policy is enabled, the Shut Down
command is available on the Windows logon
screen.
When this policy is disabled, the option to shut
down the computer does not appear on the
Windows logon screen. In this case, users must
be able to log on to the computer successfully
and have the “Shut down the system” user right
before they can perform a system shutdown.

Tools menu: Disable Internet Options... menu option

Location User Configuration\Administrative
Templates\Windows Components\Internet
Explorer\Browser menus

Note
Also, see policies for Internet options in
the \Administrative Templates\Windows
Components\Internet Explorer and in
\Administrative Templates\Windows
Components\Internet Explorer\Internet
Control Panel folders.

Recommended High: Enabled
Medium: Enabled
Low: Enabled

Description This setting prevents users from opening the
Internet Options dialog box from the Tools
menu in Internet Explorer.
If you enable this policy, users cannot change
their Internet options, such as the default home
page, cache size, and connection and proxy
settings, from the Tools menu in the browser.
When users click the Internet Options
command on the Tools menu, an error
message appears to explain that a setting
prevents the action.
If you disable this policy or do not configure it,
users can change their Internet settings from
the browser's Tools menu.

Caution
This policy does not prevent users from
viewing and changing Internet settings
by clicking the Internet Options icon in
Control Panel.

Turn off AutoPlay


Location User Configuration\Administrative
Templates\Windows Components\AutoPlay
Policies

Recommended High: All Drives
Medium: Disabled
Low: Disabled

Description This setting turns off the AutoPlay feature.
AutoPlay begins reading from a drive as soon
as you insert media in the drive. As a result, the
setup files of programs and the music on audio
media start immediately.
Prior to Windows XP SP2, AutoPlay is disabled
by default on removable storage devices, such
as the floppy disk drive (but not the CD-ROM
drive), and on network drives.
Starting with Windows XP SP2, AutoPlay is
enabled for removable storage devices,
including ZIP drives and some USB mass
storage devices.
If you enable this setting, you can disable
AutoPlay on CD-ROM and removable media
drives, or disable AutoPlay on all drives.
This setting disables AutoPlay on additional
types of drives. You cannot use this setting to
enable AutoPlay on drives on which it is
disabled by default.

Note
This setting appears in both the
Computer Configuration and User
Configuration folders. If the settings
conflict, the setting in Computer
Configuration takes precedence over
the setting in User Configuration.
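
An added example (not part of the original document, and not Microsoft's code) that audits this setting on a workstation: it reads the policy value from both scopes, applies the precedence rule from the Note above, and decodes which drive types have AutoPlay turned off. The registry value name NoDriveTypeAutoRun, its location, and the bit meanings are not given in this document and are assumptions taken from the standard Windows implementation of this policy; the function names are hypothetical, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original document.
# Assumption: the "Turn off AutoPlay" policy is stored as the DWORD value
# NoDriveTypeAutoRun under Policies\Explorer in HKLM (Computer Configuration)
# and HKCU (User Configuration). Each set bit turns AutoPlay off for one
# drive type.
$PolicySubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName    = 'NoDriveTypeAutoRun'

$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown drive type' }
    @{ Bit = 0x02; Name = 'No root directory' }
    @{ Bit = 0x04; Name = 'Removable' }
    @{ Bit = 0x08; Name = 'Fixed' }
    @{ Bit = 0x10; Name = 'Network' }
    @{ Bit = 0x20; Name = 'CD-ROM' }
    @{ Bit = 0x40; Name = 'RAM disk' }
    @{ Bit = 0x80; Name = 'Reserved' }
)

function Get-AutoPlayPolicyValue {
    # Returns the raw policy value for one hive, or $null when the
    # setting is not configured in that scope.
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('HKLM:', 'HKCU:')]
        [string]$Hive
    )
    $item = Get-ItemProperty -Path "${Hive}\${PolicySubKey}" -Name $ValueName `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Resolve-AutoPlayPolicy {
    # Applies the precedence rule from the Note: when both scopes are
    # configured, Computer Configuration wins over User Configuration.
    param($ComputerValue, $UserValue)

    if ($null -ne $ComputerValue) {
        $scope = 'Computer Configuration'; $raw = $ComputerValue
    } elseif ($null -ne $UserValue) {
        $scope = 'User Configuration'; $raw = $UserValue
    } else {
        return [pscustomobject]@{
            Scope = 'Not configured'; Value = $null
            DisabledOn = @(); AllDrives = $false
        }
    }

    # Only the low byte carries drive-type bits.
    $mask = [int]$raw -band 0xFF
    $disabledOn = @($DriveTypeBits |
        Where-Object { $mask -band $_.Bit } |
        ForEach-Object { $_.Name })

    [pscustomobject]@{
        Scope      = $scope
        Value      = '0x{0:X2}' -f $mask
        DisabledOn = $disabledOn
        AllDrives  = ($mask -eq 0xFF)
    }
}

# Constructed sample values (not read from a real machine).
# 0xFF is the "All Drives" option; 0xB5 is "CD-ROM and removable media drives".
Resolve-AutoPlayPolicy -ComputerValue $null -UserValue 0xFF
Resolve-AutoPlayPolicy -ComputerValue 0xB5  -UserValue 0xFF   # computer scope wins

# Live check of the local machine and the current user.
Resolve-AutoPlayPolicy -ComputerValue (Get-AutoPlayPolicyValue 'HKLM:') `
                       -UserValue (Get-AutoPlayPolicyValue 'HKCU:')
```

On a computer held at the High restriction level, the live check should report AllDrives as True; any other result means the recommended All Drives option is not the effective one for that user.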

Turn off displaying the Internet Explorer Help menu

Location User Configuration\Administrative
Templates\Windows Components\Internet
Explorer

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This policy setting allows you to turn off the
Help menu in Internet Explorer.
If you enable this policy setting, users will not
be able to use the Internet Explorer Help.
The Help icon will be removed from the
command bar, and the Help menu in the menu
bar will not be functional. The use of the
shortcut key F1 for Help will be restricted.
If you disable or do not configure this policy
setting, the Help menu in Internet Explorer will
be available to users and they can also use F1
to access Help.

Turn off feed and Web Slices discovery


Location User Configuration\Administrative
Templates\Windows Components\RSS Feeds

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This policy setting prevents users from having
Internet Explorer automatically detect whether a
feed or Web Slice is available for an associated
webpage.
If you enable this policy setting, users will not
receive a notification on the toolbar that a feed
or Web Slice is available.
If you disable or do not configure this policy
setting, users can see when a feed or Web
Slice is available, and click the Feed Discovery
button.

Turn off Print menu

Location User Configuration\Administrative
Templates\Windows Components\Internet
Explorer\Browser menus

Recommended High: Enabled
Medium: Enabled
Low: Disabled

Description This policy setting allows you to manage
whether users can access the Print menu.
If you enable this policy setting, the Print menu
in Internet Explorer will not be available.
If you disable or do not configure this policy
setting, the Print menu in Internet Explorer will
be available.

Section Heading
Location User Configuration\Administrative
Templates\Windows Components\RSS Feeds

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This policy setting prevents users from using
Internet Explorer as a feed reader. This setting
has no impact on the Windows RSS Platform.
If you enable this policy setting, the user cannot
access the Feeds list located in the Favorites
center.
If you disable or do not configure this policy
setting, users can access the Feeds list in the
Favorites center.

Turn off Windows+X hotkeys

Location User Configuration\Administrative
Templates\Windows Explorer

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting disables the Windows+X hotkeys.
Keyboards with a Windows key provide users
with shortcuts to common features. For
example, pressing the keyboard sequence
Windows+R opens the Run dialog box;
pressing Windows+E starts Windows Explorer.
If you enable this setting, the Windows+X
shortcut keys are unavailable.
If you disable or do not configure this setting,
the Windows+X shortcut keys are available.

Turn on the auto-complete feature for user names and passwords on forms

Location User Configuration\Administrative
Templates\Windows Components\Internet
Explorer

Recommended High: Enabled
Medium: Enabled
Low: Disabled

Description This AutoComplete feature can remember and
suggest user names and passwords on forms.
If you enable this setting, users cannot change
text in "User name and passwords on forms" or
"Prompt me to save passwords." The
AutoComplete feature for “User names and
passwords on forms” will be turned on. You
have to decide whether to select "Prompt me to
save passwords."
If you disable this setting, the user cannot
change text in "User name and passwords on
forms" or "Prompt me to save passwords." The
AutoComplete feature for “User names and
passwords on forms” is turned off. The user
also cannot opt to be prompted to save
passwords.
If you do not configure this setting, the user has
the freedom of turning on AutoComplete for
“User names and passwords on forms” and the
option of prompting to save passwords. To
display this option, users can open Internet
Options, click the Contents tab, and then click
Settings.

View menu: Disable Full Screen menu option


Location User Configuration\Administrative
Templates\Windows Components\Internet
Explorer\Browser menus

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting prevents users from displaying the
browser in full-screen (kiosk) mode, without the
standard toolbar.
If you enable this policy, the Full Screen
command on the View menu will appear
unavailable, and pressing F11 will not display
the browser in a full screen.
If you disable this policy or do not configure it,
users can display the browser in full-screen
mode.
This policy is intended to prevent users from
displaying the browser without toolbars, which
might be confusing for some beginner users.

View menu: Disable Source menu option

Location User Configuration\Administrative
Templates\Windows Components\Internet
Explorer\Browser menus

Recommended High: Enabled
Medium: Disabled
Low: Disabled

Description This setting prevents users from viewing the
HTML source of webpages by clicking the
Source command on the View menu.
If you enable this policy, the Source command
on the View menu will appear unavailable.
If you disable this policy or do not configure it,
users can view the HTML source of webpages
from the View menu in a browser.

Caution
This policy does not prevent users from
viewing the HTML source of a webpage
by right-clicking a webpage to open the
shortcut menu, and then clicking View
Source. To prevent users from viewing
the HTML source of a webpage from
the shortcut menu, set the "Disable
context menu" policy, which disables
the entire shortcut menu.
