We are often asked about the centralized management of Internet Explorer configuration options for which there are no Group Policy settings included with the default IE GPO templates. One of the settings that we are asked about the most is the “Launching Applications and Unsafe Files” setting, since that setting is not defined in the IE Administrative Policy settings file (inetres.adm).
There are a number of different ways that you can manage this setting in an enterprise. The first is to use the Internet Explorer Maintenance Policies, which import from a source system’s registry. The problem with this approach is that there is no granularity in what settings you are importing – it’s an all or nothing solution, and you wind up deploying the entire collection of IE settings that are defined on the source system.
The second method to deploy this setting is to use a logon / startup script to deploy and modify the registry setting. This is perhaps the easiest method to deploy the setting. The registry key that controls this Internet Explorer security zone setting is stored under the following registry subkeys:
- User Policy: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
- Computer Policy: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
By default, security zones settings are stored in the HKEY_CURRENT_USER registry subtree. Because this subtree is dynamically loaded for each user, changing the settings for one user does not affect the settings for another user on the same machine. If computer policy is configured, only the local computer settings are used and all users have the same security settings. In that case the settings are retrieved from the HKEY_LOCAL_MACHINE tree as listed above.
The Zones key contains keys that represent each security zone defined for the computer. By default, the following five zones are defined:
Under each of these Zones, there are different values that represent the individual settings. The value 1806 represents the setting for “Launching Applications and Unsafe Files”. The value data for 1806 represents the corresponding settings on the Custom Security Tab. The permissible values are shown below:
|0||Sets a specific action as Permitted|
|1||Causes a prompt to appear|
Prohibits the specific action
- KB 323639: How to create custom administrative templates in Windows 2000
- KB 225087: Writing Custom ADM files for System Policy Editor
- KB 182569: Description of Internet Explorer Security Zones registry entries
- Technet: Using Administrative Template Files with Registry-Based Group Policy
Internet Explorer, IE, GPO, Troubleshooting, Knowledgebase, Article