8.10 Set 'Security Zones: Do not allow users to change policies' to 'Enabled'

Information

*Description*

If you enable this policy setting, you disable the Custom Level button and Security level for
this zone slider on the Security tab in the Internet Options dialog box. If this policy setting
is disabled or not configured, users will be able to change the settings for security zones. It
prevents users from changing security zone policy settings that are established by the
administrator. Note If you enable the Disable the Security page setting (located in \User
Configuration\ Administrative Templates\Windows Components\Internet
Explorer\Internet Control Panel) the Security tab is removed from Internet Explorer in
Control Panel and the Disable setting takes precedence over this Security Zones- setting.
The recommended state for this setting is- Enabled.

*Rationale*

Users who change their Internet Explorer security settings could enable the execution of
dangerous types of code from the Internet and Web sites that were listed in the Restricted
Sites zone in the browser.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

Computer Configuration\Administrative Templates\Windows Components\Internet
Explorer\Security Zones- Do not allow users to change policies

Impact-Configure the Security Zones- Do not allow users to change policies setting to Enabled.

See Also

https://workbench.cisecurity.org/files/1516

Item Details

Audit Name: CIS IE 9 v1.0.0

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-5, CSCv6|3.1

Plugin: Windows

Control ID: ef54a4543a4e88993cd01efdde2569e7d556c8e35f2805828ded7b2a3d188b54