8.11 Set 'Security Zones: Do not allow users to change policies' to 'Enabled'


If you enable this policy setting, you disable the Custom Level button and Security level for
this zone slider on the Security tab in the Internet Options dialog box. If this policy setting
is disabled or not configured, users will be able to change the settings for security zones. It
prevents users from changing security zone policy settings that are established by the

Note- If you enable the Disable the Security page setting (located in \User
Administrative Templates\Windows Components\Internet Explorer\Internet
Control Panel) the Security tab is removed from Internet Explorer in Control Panel and
the Disable setting takes precedence over this Security Zones- setting. The recommended
state for this setting is- Enabled.


Users who change their Internet Explorer security settings could enable the execution of
dangerous types of code from the Internet and Web sites that were listed in the Restricted
Sites zone in the browser.


To establish the recommended configuration via Group Policy, set the following UI path to

Computer Configuration\Administrative Templates\Windows Components\Internet
Explorer\Security Zones- Do not allow users to change policies

Default Value-Disabled

See Also


Item Details

Audit Name: CIS IE 11 v1.0.0


References: 800-53|CM-5, CSCv6|3.1

Plugin: Windows

Control ID: 7601427e0a911cf3d1ac9bf67058dca4adfcc986418c87cc22dc9469fe1a2430