V-15500 | Medium | Allow third-party browser extensions are not disabled. | This policy setting allows you to manage whether Internet Explorer will launch COM add-ons known as browser helper objects, such as toolbars. Browser helper objects may contain flaws such as... |
V-15503 | Medium | Check for signatures on downloaded programs is not enabled. | This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered... |
V-15502 | Medium | Check for server certificate revocation is not enabled. | This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are revoked when they have been compromised or are no longer... |
V-15504 | Medium | Intranet Sites: Include all network paths (UNCs) are disabled. | This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. If you enable this policy setting, all network paths are mapped into the Intranet... |
V-15507 | Medium | Allow script-initiated windows without size or position constraints for internet zone is not disabled. | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. If you enable this policy setting, Windows Restrictions... |
V-15509 | Medium | Allow Scriptlets are not disabled. | This policy setting allows you to manage whether scriptlets can be allowed. If you enable this policy setting, users will be able to run scriptlets. If you disable this policy setting, users will... |
V-6262 | Medium | Logon options for internet zone are not enabled. | Care must be taken with user credentials and how automatic logons are performed and how default Windows credentials are passed to web sites. |
V-6260 | Medium | Allow cut, copy or paste operations from the clipboard via script are not disabled for internet zone. | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. If you enable this policy setting, a script... |
V-6267 | Medium | Java permissions for local intranet zone are not disabled. | Java must have level of protection based upon the site being browsed. |
V-15508 | Medium | Allow script-initiated windows without size or position constraints for restricted sites zone are not disabled. | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. If you enable this policy setting, Windows Restrictions... |
V-15518 | Medium | Java permissions for group policy for trusted sites zone are not disabled. | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings... |
V-15519 | Medium | Java permissions for group policy for internet zone are not disabled. | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings... |
V-15516 | Medium | Java permissions for my computer group policy are not disabled. | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings... |
V-15517 | Medium | Java permissions for group policy for local intranet zone are not disabled. | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings... |
V-15515 | Medium | Java permissions for my computer are not disabled. | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings... |
V-15513 | Medium | Automatic prompting for file downloads is not enabled. | This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated... |
V-6297 | Medium | Access data sources across domains restricted sites zones are not disabled. | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable... |
V-6294 | Medium | Allow file downloads are not disabled. | Files should not be able to be downloaded from sites that are considered restricted. |
V-6295 | Medium | Allow font downloads for restricted sites zone is not disabled. | Download of fonts can sometimes contain malicious code. Files should not be downloaded from restricted sites. |
V-6292 | Medium | Run ActiveX controls and plugins are not disabled. | ActiveX controls that are not marked safe for scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is... |
V-6293 | Medium | Script ActiveX controls marked safe for scripting is not disabled. | ActiveX controls that are not marked safe for scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is... |
V-6290 | Medium | Download unsigned ActiveX controls for restricted sites zone is not disabled. | ActiveX controls can contain potentially malicious code and must only be allowed to be downloaded from trusted sites and they must be digitally signed. |
V-6291 | Medium | Initialize and script ActiveX controls not marked as safe for restricted sites zone is not disabled. | ActiveX controls that are not marked safe for scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is... |
V-6298 | Medium | Allow META REFRESH is not disabled. | Allow META REFRESH must have level of protection based upon the site being browsed. |
V-15581 | Medium | Turn on the auto-complete feature for user names and passwords on forms are not disabled. | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save... |
V-15580 | Medium | Turn off page transitions is not enabled. | This policy setting specifies if, as you move from one Web page to another, Internet Explorer fades out of the page you are leaving and fades into the page to which you are going. If you enable... |
V-15582 | Medium | Turn on the Internet Connection Wizard Auto Detect is not disabled. | This policy setting determines if the Internet Connection Wizard was completed. If it was not completed, it launches the Internet Connection Wizard. If you enable this policy setting, the... |
V-15569 | Medium | Internet Explorer Processes for Zone Elevation is not enabled. Explorer | Internet Explorer places restrictions on each Web page it opens that are dependent upon the location of the Web page (such as Internet zone, Intranet zone, or Local Machine zone). Web pages on a... |
V-15568 | Medium | Internet Explorer Processes for MK protocol is not enabled. (Reserved) | The MK Protocol Security Restriction policy setting reduces attack surface area by blocking the seldom used MK protocol. Some older Web applications use the MK protocol to retrieve information... |
V-15563 | Medium | Turn off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools is not disabled. | This policy setting allows checking for updates for Internet Explorer from the specified URL, included by default in Internet Explorer. If you enable this policy setting, users will not be able... |
V-15562 | Medium | Scripting of Java applets is not disabled. | This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy setting, scripts can access applets automatically without user... |
V-15561 | Medium | Run .NET Framework-reliant components signed with Authenticode are not disabled. | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls... |
V-15560 | Medium | Run .NET Framework-reliant components not signed with Authenticode are not disabled. | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls... |
V-15566 | Medium | Internet Explorer Processes for MIME handling is not enabled. IExplore | Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. The Consistent MIME Handling\Internet... |
V-15565 | Medium | Internet Explorer Processes for MIME handling is not enabled. Explorer | Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. The Consistent MIME Handling\Internet... |
V-15564 | Medium | Turn off configuring the update check interval is not disabled. | This setting specifies the update check interval. The default value is 30 days. If you enable this policy setting, the user will not be able to configure the update check interval. You have to... |
V-6281 | Medium | Java permissions for trusted sites zone are not disabled. | Java must have level of protection based upon the site being browsed. |
V-6289 | Medium | Download signed ActiveX controls for restricted sites zone is not disabled. | ActiveX controls can contain potentially malicious code and must only be allowed to be downloaded from trusted sites. |
V-15579 | Medium | Turn off Crash Detection is not enabled. | The Turn off Crash Detection policy setting allows you to manage the crash detection feature of add-on management in Internet Explorer. If you enable this policy setting, a crash in Internet... |
V-15570 | Medium | Internet Explorer Processes for Zone Elevation is not enabled. IExplore | Internet Explorer places restrictions on each Web page it opens that are dependent upon the location of the Web page (such as Internet zone, Intranet zone, or Local Machine zone). Web pages on a... |
V-15571 | Medium | Internet Explorer Processes for restricting pop-up windows is not enabled. Explorer | Internet Explorer allows scripts to programmatically open, resize, and reposition various types of windows. Often, disreputable Web sites will resize windows to either hide other windows or force... |
V-15572 | Medium | Internet Explorer Processes for restricting pop-up windows is not enabled. IExplore | Internet Explorer allows scripts to programmatically open, resize, and reposition various types of windows. Often, disreputable Web sites will resize windows to either hide other windows or force... |
V-15574 | Medium | Disable AutoComplete for forms is not enabled. | This AutoComplete feature suggests possible matches when users are filling up forms. If you enable this setting, the user is not suggested matches when filling forms. The user cannot change it. ... |
V-15575 | Medium | Disable external branding of Internet Explorer is not enabled. | Prevents branding of Internet programs, such as customization of Internet Explorer and Outlook Express logos and title bars, by another party. If you enable this policy, it prevents customization... |
V-6238 | Medium | The IE SSL/TLS parameter must be set correctly. | This parameter ensures only DoD approved ciphers and algorithms are enabled for use by the web browser. TLS and SSL are protocols for protecting communication between the browser and the target... |
V-6239 | Medium | The IE warning about certificate address mismatch must be enforced. | This parameter warns users if the certificate being presented by the web site is invalid. Since server certificates are used to validate the identity of the web server it is critical to warn the... |
V-15525 | Medium | Turn Off First-Run Opt-In for internet zone is not disabled. | This policy setting controls the First Run response that users see on a zone by zone basis. When a user encounters a new control that has not previously run in Internet Explorer, they may be... |
V-6304 | Medium | Navigate sub-frames across different domains for restricted sites zone are not disabled. | Frames that navigate across different domains are a security concern because the user may think they are accessing pages on one site while they are actually accessing pages on another site. |
V-6305 | Medium | Software channel permissions for restricted sites zone are not disabled. | Software channel permissions must have level of protection based upon the site being accessed. |
V-6307 | Medium | Userdata persistence for restricted sites zone is not disabled. | No persistent data should exist and be used in the Restricted sites zone. |
V-6301 | Medium | Allow drag and drop or copy and paste files for restricted sites zone are not disabled. | Drag and Drop of files must have level of protection based upon the site being accessed. |
V-6302 | Medium | Allow installation of desktop items for restricted sites zone is not disabled. | Installation of items must have level of protection based upon the site being accessed. |
V-6303 | Medium | Launching applications and files in an IFRAME is not disabled. | Launching of programs in IFRAME must have level of protection based upon the site being accessed. |
V-16879 | Medium | The Download signed ActiveX controls property is not set properly for the Lockdown Zone. | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user... |
V-6308 | Medium | Allow active scripting is not disabled. | Active Scripting must have level of protection based upon the site being accessed. |
V-6309 | Medium | Allow cut, copy or paste operations from the clipboard via script are not disabled for restricted sites zone. | The Allow paste operations via script must have level of protection based upon the site being browsed. |
V-15522 | Medium | Loose or un-compiled XAML files for restricted sites zone are not disabled. | These are eXtensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that leverage the... |
V-3428 | Medium | Internet Explorer is configured to Allow Users to Change Policies. | This setting prevents users from changing the Internet Explorer policies on the machine. Policy changes should be made by Administrators only, so this setting should be Enabled. |
V-3429 | Medium | Internet Explorer is configured to Allow Users to Add/Delete Sites. | This setting prevents users from adding sites to various security zones. Users should not be able to add sites to different zones, as this could allow them to bypass security controls of the system. |
V-3427 | Medium | Internet Explorer is not configured to require consistent security zone settings to all users. | This setting enforces consistent security zone settings to all users of the computer. Security Zones control browser behavior at various web sites and it is desirable to maintain a consistent... |
V-15604 | Medium | Internet Explorer Processes for MIME sniffing is not enabled. IExplore | MIME sniffing is the process of examining the content of a MIME file to determine its context — whether it is a data file, an executable file, or some other type of file. This policy setting... |
V-6253 | Medium | The Allow drag and drop or copy and paste files for internet zone are not disabled. | Drag and Drop of files must have level of protection based upon the site being accessed. |
V-6250 | Medium | Access data sources across domains are not disabled. | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable... |
V-6256 | Medium | Navigate sub-frames across different domains for internet zone are not disabled. | Frames that navigate across different domains are a security concern because the user may think they are accessing pages on one site while they are actually accessing pages on another site. |
V-6257 | Medium | Software channel permissions for internet zone are not disabled. | Software Channel permissions must have level of protection based upon the site being accessed. |
V-6254 | Medium | Allow installation of desktop items for internet zone is not disabled. | Installation of items must have level of protection based upon the site being accessed. |
V-6255 | Medium | Launching applications and files in an IFRAME for internet zone is not disabled. | Launching of programs in IFRAME must have level of protection based upon the site being accessed. |
V-6259 | Medium | Userdata persistence for internet zone is not disabled. | Userdata persistence must have level of protection based upon the site being accessed. |
V-7007 | Medium | Java permissions for restricted sites zone are not disabled. | Java must have level of protection based upon the site being browsed. |
V-6311 | Medium | Logon options for restricted sites zones are not enabled. | Care must be taken with user credentials and how automatic logons are performed and how default Windows credentials are passed to web sites. |
V-15603 | Medium | Internet Explorer Processes for MIME sniffing is not enabled. Explorer | MIME sniffing is the process of examining the content of a MIME file to determine its context — whether it is a data file, an executable file, or some other type of file. This policy setting... |
V-15528 | Medium | Turn on Protected Mode for restricted sites zone is not enabled. | VISTA Only. Protected mode protects Internet Explorer from exploited vulnerabilities by reducing the locations Internet Explorer can write to in the registry and the file system. If you enable... |
V-15545 | Medium | Allow binary and script behaviors are not disabled. | This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. If you enable this... |
V-15546 | Medium | Automatic prompting for file downloads is not disabled. | This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated... |
V-6245 | Medium | Initialize and script ActiveX controls not marked as safe for internet zone is not disabled. | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting... |
V-15548 | Medium | Internet Explorer Processes for MIME handling is not enabled. (Reserved) | Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. The Consistent MIME Handling\Internet... |
V-15527 | Medium | Turn on Protected Mode internet zone is not enabled. | Protected mode protects Internet Explorer from exploited vulnerabilities by reducing the locations Internet Explorer can write to in the registry and the file system. If you enable this policy... |
V-15526 | Medium | Turn Off First-Run Opt-In for restricted sites zone are not disabled. | This policy setting controls the First Run response that users see on a zone by zone basis. When a user encounters a new control that has not previously run in Internet Explorer, they may be... |
V-6243 | Medium | Download signed ActiveX controls for internet zone is not disabled. | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user... |
V-15524 | Medium | Open files based on content, not file extension for restricted sites zone are not disabled. | This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type... |
V-15523 | Medium | Open files based on content, not file extension for internet zone are not disabled. | This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type... |
V-6244 | Medium | Download unsigned ActiveX controls for internet zone is not disabled. | ActiveX controls can contain potentially malicious code and must only be allowed to be downloaded from trusted sites and they must be digitally signed. |
V-15521 | Medium | Loose or un-compiled XAML files for internet zone are not disabled. | These are eXtensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that leverage the... |
V-15520 | Medium | Java permissions for group policy for restricted sites zone are not disabled. | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings... |
V-6249 | Medium | Java permissions for internet zone are not disabled. | Java must have level of protection based upon the site being browsed. |
V-6248 | Medium | Allow font downloads for internet zone is not disabled. | Download of fonts can sometimes contain malicious code. |
V-15529 | Medium | Use Pop-up Blocker for internet zone is not enabled. | This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting,... |
V-32808 | Medium | Check for publishers certificate revocation must be enforced. | Check for publisher's certificate revocation options should be enforced to ensure all PKI signed objects are validated. |
V-15492 | Medium | Prevent participation in the Customer Experience Improvement Program is not disabled. | This setting controls whether users can participate in the Microsoft Customer Experience Improvement Program to help improve Microsoft applications. When users choose to participate in the... |
V-15490 | Medium | Automatic configuration of Internet Explorer is not disabled. | This setting specifies to automatically detect the proxy server settings used to connect to the Internet and customize Internet Explorer. This setting specifies that Internet Explorer use the... |
V-15497 | Medium | Allow active content from CDs to run on user machines is not disabled. | This policy setting allows you to manage whether users receive a dialog requesting permission for active content on a CD to run. If you enable this policy setting, active content on a CD will run... |
V-15495 | Medium | Turn off Managing Phishing filter is not disabled. | This policy setting allows the user to enable a phishing filter that will warn if the Web site being visited is known for fraudulent attempts to gather personal information through "phishing." If... |
V-15494 | Medium | Turn off the Security Settings Check feature is not disabled. | This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. If you enable... |
V-15499 | Medium | Allow software to run or install even if the signature is invalid is not disabled. | Microsoft ActiveX controls and file downloads often have digital signatures attached that vouch for both the file's integrity and the identity of the signer (creator) of the software. Such... |
V-15552 | Medium | Internet Explorer Processes for Zone Elevation is not enabled. (Reserved) | Internet Explorer places restrictions on each Web page it opens that are dependent upon the location of the Web page (such as Internet zone, Intranet zone, or Local Machine zone). Web pages on a... |
V-15550 | Medium | Internet Explorer Processes for MK protocol is not enabled. (Explorer) | The MK Protocol Security Restriction policy setting reduces attack surface area by blocking the seldom used MK protocol. Some older Web applications use the MK protocol to retrieve information... |
V-15551 | Medium | Internet Explorer Processes for MK protocol is not enabled. (IExplore) | The MK Protocol Security Restriction policy setting reduces attack surface area by blocking the seldom used MK protocol. Some older Web applications use the MK protocol to retrieve information... |
V-15556 | Medium | Internet Explorer Processes for Download prompt is not enabled. (Reserved) | In certain circumstances, Web sites can initiate file download prompts without interaction from users. This technique can allow Web sites to put unauthorized files on users' hard drives if they... |
V-15557 | Medium | Internet Explorer Processes for Download prompt is not enabled. Explorer | In certain circumstances, Web sites can initiate file download prompts without interaction from users. This technique can allow Web sites to put unauthorized files on users' hard drives if they... |
V-15558 | Medium | Internet Explorer Processes for Download prompt is not enabled. IExplore | In certain circumstances, Web sites can initiate file download prompts without interaction from users. This technique can allow Web sites to put unauthorized files on users' hard drives if they... |
V-15559 | Medium | Internet Explorer Processes for restricting pop-up windows is not enabled. (Reserved) | Internet Explorer allows scripts to programmatically open, resize, and reposition various types of windows. Often, disreputable Web sites will resize windows to either hide other windows or force... |
V-15534 | Medium | Web sites in less privileged Web content zones can navigate into restricted sites zone is not disabled. | This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. If you enable this policy setting, Web sites from less... |
V-15530 | Medium | Use Pop-up Blocker for restricted sites zone is not enabled. | This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting,... |
V-15533 | Medium | Web sites in less privileged Web content zones can navigate into internet zone is not disabled. | This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. If you enable this policy setting, Web sites from less... |
V-17296 | Medium | Prevent performance of First Run Customize settings is not enabled. | This policy setting prevents performance of the First Run Customize settings ability and controls what the user will see when they launch Internet Explorer for the first time after installation of... |
V-21887 | Medium | Disable Configuring History - History setting is not set to 40 days. | This setting specifies the number of days that Internet Explorer keeps track of the pages viewed in the History List. The delete Browsing History option can be accessed using Tools, Internet... |
V-3430 | Low | Internet Explorer is not configured to disable making Proxy Settings Per Machine. | This setting controls whether or not the Internet Explorer proxy settings are configured on a per-user or per-machine basis. |
V-14245 | Low | Internet Explorer - Do not allow users to enable or disable add-ons. | This check verifies that the system is configured to allow users to enable or disable add-ons through Add-On Manager in Internet Explorer. |
V-15549 | Low | Internet Explorer Processes for MIME sniffing is not enabled. (Reserved) | MIME sniffing is the process of examining the content of a MIME file to determine its context — whether it is a data file, an executable file, or some other type of file. This policy setting... |