A.1 Administrative Templates

User Configuration\Administrative Templates

A.1.1 Windows Components

User Configuration\Administrative Templates\Windows Components

A.1.1.1 NetMeeting

User Configuration\Administrative Templates\Windows Components\NetMeeting

Enable Automatic Configuration: This policy configures NetMeeting to download settings from the URL listed in the Configuration URL text box each time it starts.
Disable Directory Services: Controls the directory feature of NetMeeting. If you enable this policy, users can't log on to a directory (ILS) server when NetMeeting starts and users can't view or place calls via a NetMeeting directory.
Prevent adding Directory servers: If you enable this policy, users can't add directory (ILS) servers to the list of those they can use to place calls.
Prevent viewing Web directory: If you enable this policy, users can't view directories as web pages in a browser.
Set the intranet support Web page: Controls the URL NetMeeting displays when users choose the Help Online Support command.
Set the NetMeeting home page: Controls the URL NetMeeting displays when users choose the Microsoft Home Page command under Help Microsoft on the Web.
Set Call Security options: Controls security levels for incoming/outgoing NetMeeting calls.
Prevent changing Call placement method: Controls how calls are placed--either directly or via a gatekeeper server--and prevents users from changing how calls are placed once the policy is enabled.
Prevent automatic acceptance of Calls: When enabled, this policy stops users from turning on automatic acceptance of incoming calls, which ensures that other users don't call and connect to NetMeeting when the user isn't present.
Prevent sending files: When enabled, this policy stops users from sending files to others in a conference.
Prevent receiving files: When enabled, this policy stops users from receiving files from others in a conference.
Limit the size of sent files: This policy limits the size of files users send to others in a conference.
Disable Chat: Enabling this feature disables NetMeeting's Chat feature.
Disable NetMeeting 2.x Whiteboard: Enabling this feature disables NetMeeting's 2.x whiteboard feature (available for compatibility).
Disable NetMeeting Whiteboard: Enabling this feature disables NetMeeting's T.126 whiteboard feature.

A.1.1.2 Internet Explorer

User Configuration\Administrative Templates\Windows Components\Internet Explorer

Search: Disable Search Customization: Changes the appearance of the Customize button in the Search Assistant so that it's dimmed. Enabling this policy prevents users from making changes to the Search Assistant settings.
Search: Disable Find Files via F3 within the browser: When you enable this feature, users can't use the F3 key to search in Internet Explorer or Windows Explorer. This policy pertains to situations where administrators want to restrict users from searching the Internet or the hard disk.
Disable external branding of Internet Explorer: Enabling this policy ensures that third parties (such as ISPs) can't customize (or brand) the Internet Explorer and Outlook Express logos and title bars.
Disable importing and exporting of favorites: When you enable this policy, users can't export or import favorite links by using the Import/Export wizard.
Disable changing Advanced page settings: When you enable this policy, users can't change settings on the Advanced tab in the Internet Options dialog box. This policy prevents users from changing advanced Internet settings.
Disable changing home page settings: Controls the home page. If you enable this policy, users can't change their home page.
Use Automatic Detection for dial-up connections: When you enable this policy, Automatic Detection is used automatically to configure dial-up settings for users. Automatic Detection customizes the browser the first time it's started using a DHCP (Dynamic Host Configuration Protocol) or DNS (Domain Name System) server.
Disable caching of Auto-Proxy scripts: When you enable this feature, automatic proxy scripts aren't stored in the users' cache. These scripts interact with a server to automatically configure users' proxy settings.
Display error message on proxy script download failure: Enabling this feature ensures that error messages are displayed to users if problems occur with proxy scripts.
Disable changing Temporary Internet files settings: Controls the browser cache settings. If you enable this policy, users can't change the browser cache settings such as the location of the Temporary Internet Files folder. Note that the Disable the General page removes the General tab from interface.
Disable changing history settings: Controls the history settings. If you enable this policy, users can't change the history settings for the browser. Note that the Disable the General page removes the General tab from interface.
Disable changing color settings: Controls the default web page colors. If you enable this policy, users can't change the default background and text color of web pages. Note that the Disable the General page removes the General tab from interface.
Disable changing link color settings: Controls the color of links on web pages. If you enable this policy, users can't change the colors of their browser's web links. Note that the Disable the General page removes the General tab from interface.
Disable changing font settings: Controls the font settings. If you enable this policy, users can't change the font setting on their browsers. Note that the Disable the General page removes the General tab from interface.
Disable changing language settings: Controls the language settings. If you enable this policy, users can't change the language settings on their browsers. Note that the Disable the General page removes the General tab from interface.
Disable changing accessibility settings: Controls the accessibility settings. If you enable this policy, users can't change the accessibility settings on their browsers. Note that the Disable the General page removes the General tab from interface.
Disable Internet Connection wizard: Controls the Internet Connection wizard. If you enable this policy, users can't use the Internet Connection wizard. Note that this policy overlaps with the Disable the Connections page, which removes the Connections tab from the interface.
Disable changing connection settings: Controls the connection setting. If you enable this policy, users can't use the connections settings on their browsers. Note that this policy overlaps with the Disable the Connections page, which removes the Connections tab from the interface.
Disable changing proxy settings: Controls the proxy settings. If you enable this policy, users can't change their proxy settings. Note that this policy overlaps with the Disable the Connections page, which removes the Connections tab from the interface.
Disable changing Automatic Configuration settings: Controls automatic configuration settings. Administrators can use automatic configuration to update browser settings periodically. If enabled, this policy prevents users from changing automatic configuration settings. Note that this policy overlaps with the Disable the Connections page, which removes the Connections tab from the interface.
Disable changing ratings settings: Controls the ratings that help determine the type of Internet content that can be viewed. Enabling this policy prevents users from changing these ratings settings. Note that the Disable the Content page policy removes the Content tab from Internet Explorer in the Control Panel and takes precedence over this policy.
Disable changing certificate settings: Controls the certificates that verify the identity of software publishers. Enabling this policy prevents users from changing the certificate settings in Internet Explorer. Note that the Disable the Content page policy removes the Content tab from Internet Explorer in the Control Panel and takes precedence over this policy.
Disable changing Profile Assistant settings: Controls the Profile Assistant settings. If you enable this policy, users can't change the Profile Assistant settings. The Disable the Content page policy removes the Content tab from Internet Explorer in the Control Panel and takes precedence over this policy.
Disable AutoComplete for forms: Enabling this policy disables Internet Explorer's AutoComplete feature. This features automatically completes information in forms for users, such as names and addresses. Note that the Disable the Content page policy removes the Content tab from Internet Explorer in the Control Panel and takes precedence over this policy.
Do not allow AutoComplete to save passwords: If you enable this policy, usernames and passwords aren't completed automatically for users. Additionally, users can't choose whether or not their browser remembers passwords automatically. Note that the Disable the Content page policy removes the Content tab from Internet Explorer in the Control Panel and takes precedence over this policy.
Disable changing Messaging settings: If you enable this policy, users can't change their default programs for messaging tasks such as email. Note that the Disable Programs page policy removes the Programs tab and takes precedence over this policy.
Disable changing Calendar and Contact settings: Controls the default programs for managing schedules and contacts. If you enable this policy, users can only use the default programs for managing their schedules and contacts if they default programs are installed.
Disable the Reset Web Settings feature: If you enable this policy, users can't restore their default settings for their home and search pages. Note that the Disable Programs page policy removes the Programs tab and takes precedence over this policy.
Disable changing default browser check: Controls whether Internet Explorer checks to see if it is the default browser. When Internet Explorer performs this check, users are prompted to choose a default browser. This policy is suggested for companies that want to control their organization's default browser.
Identity Manager: Prevent users from using Identities: Controls the ability to configure unique identities by using Identity Manager. Enabling this policy prevents users from creating new identities, managing existing identities, or switching identities.

A.1.1.2.1 Internet Control Panel

User Configuration\Administrative Templates\Windows Components\Internet 
Explorer\Internet Control Panel

Disable the General page: If you enable this policy, the General tab is removed from the Internet Options dialog box. If you remove the General tab, users can't see and change settings for the home page, the cache, history, web page appearance, and accessibility.
Disable the Security page: If you enable this policy, the Security tab is removed from the Internet Options dialog box. If you remove the Security tab, users can't see and change settings for security zones, such as scripting, downloads, and user authentication.
Disable the Content page: If you enable this policy, the Content tab is removed from the Internet Options dialog box. If you remove the Content tab, users can't see and change ratings, certificates, AutoComplete, Wallet, and Profile Assistant settings.
Disable the Connections page: If you enable this policy, the Connections tab is removed from the Internet Options dialog box. If you remove the Connections tab, users can't see and change connection and proxy settings.
Disable the Programs page: If you enable this policy, the Programs tab is removed from the Internet Options dialog box. If you remove the Connections tab, users can't see and change default settings for Internet programs.
Disable the Advanced page: If you enable this policy, the Advanced tab is removed from the Internet Options dialog box. If you remove the Connections tab, users can't see and change advanced Internet settings, such as security, multimedia, and printing.

A.1.1.2.2 Offline Pages

User Configuration\Administrative Templates\Windows Components\Internet 
Explorer\Offline Pages

Disable adding channels: If you enable this policy, users can't add channels to Internet Explorer or or content that's based on a channel to their desktop. Channels are web sites that are updated automatically by channel providers for users who have added the channel to their web browsers.
Disable removing channels: If you enable this policy, users can't disable channel synchronization in Internet Explorer. Channels are web sites that are updated automatically by channel providers for users who have added the channel to their web browsers. This policy is recommended for administrators who wish to ensure that users' computers are being updated uniformly.
Disable adding schedules for offline pages: If you enable this policy, users can't specify web pages for offline viewing or add new schedules for downloading offline content. This policy helps administrators who wish to control their server load for downloading content.
Disable editing schedules for offline pages: If you enable this policy, users can't edit an existing schedule to download web pages for offline viewing or display the schedule properties of pages that have been set up for offline viewing. This policy helps administrators that wish to control their server load for downloading content.
Disable removing schedules for offline pages: If you enable this policy, users can't clear the preconfigured settings for web pages to be downloaded for offline viewing. It helps administrators who wish to control their server load for downloading content.
Disable offline page hit logging: Enabling this policy disables any channel logging settings set by channel providers in the channel definition format (.cdf ) file; this prevents channel providers from recording information about when their channel pages are viewed by users who are working offline.
Disable all scheduled offline pages: Enabling this policy disables existing schedules for downloading web pages for offline viewing. This policy helps administrators who wish to control their server load for downloading content. Note that the Hide Favorites Menu policy takes precedence over this policy.
Disable channel user interface completely: If you enable this policy, users can't view the Channel bar interface. Channels are web sites updated automatically by channel providers for users who have added the channel to their web browsers.
Disable downloading of site subscription content: If you enable this policy, subscription content from sites users have subscribed to aren't downloaded. Note that the Hide Favorites Menu policy and the Disable editing schedules for offline pages policy takes precedence over this policy.
Disable editing and creating of schedule groups: If you enable this policy, users can't add, edit, or remove schedules for offline viewing of web pages and groups of web pages they've subscribed to. Note that the Hide Favorites Menu policy and the Disable editing schedules for offline pages policy takes precedence over this policy.
Subscription Limits: Controls the amount of information downloaded for offline viewing. Enabling this policy lets you set limits for the size and number of pages users can download.

A.1.1.2.3 Browser Menus

User Configuration\Administrative Templates\Windows Components\Internet 
Explorer\Browser menus

File menu: Disable Save As... menu option: If you enable this policy, users can't save web pages from the browser File menu to their hard disk or to a network share. Note that this policy takes precedence over the File Menu: Disable Save As Web Page Complete policy.
File menu: Disable New menu option: If you enable this policy, users can't use the File menu to open a new browser. While the File menu user interface remains the same, the New menu item doesn't work for users; they are informed that the command is not available to them.
File menu: Disable Open menu option: If you enable this policy, users can't open a file or web page by using the File menu in Internet Explorer. While the File-menu user interface remains the same, the Open menu item won't work for users; they are informed the command isn't available to them.
File menu: Disable Save As Web Page Complete: If you enable this policy, users can't save the entire contents of a web page, including graphics, scripts, linked files, and other elements. Users can save content from a web page.
File menu: Disable closing the browser and Explorer windows: If you enable this policy, users can't close Internet Explorer and Windows Explorer from either the File menu or the X (close) button in the upper-right corner of the interface.
View menu: Disable Source menu option: If you enable this policy, users can't view the HTML source of web pages by clicking the Source command on the View menu. In order to prevent users from viewing source code at all, also refer to the Disable context menu policy.
View menu: Disable Full Screen menu option: If you enable this policy, users can't display their browsers in full-screen (kiosk) mode, without the standard toolbar. This policy is useful for organizations with many beginning users, because using the browser without the toolbar can be confusing for beginners.
Hide Favorites menu: If you enable this policy, users can't add, remove, or edit the list of Favorite links. This policy is useful for organizations that wish to keep a consistent list of Favorites across their company.
Tools menu: Disable Internet Options... menu option: If you enable this policy, users can't open the Internet Options dialog box from the Tools menu in Internet Explorer. This prevents users from changing options such as default home page, cache size, and connection and proxy settings from the Tools menu.
Help menu: Remove "Tip of the Day" menu option: If you enable this policy, users can't view or change the Tip of the Day; the Tip of the Day command is removed from the Help menu.
Help menu: Remove "For Netscape Users" menu option: If you enable this policy, tips for users who are switching from Netscape aren't displayed. This policy doesn't remove the tips for Netscape users from the Internet Explorer Help file.
Help menu: Remove "Tour" menu option: If you enable this policy, users can't run the Internet Explorer Tour from the Help menu in Internet Explorer; the Tour menu item is removed from the Help menu.
Help menu: Remove "Send Feedback" menu option: If you enable this policy, users can't send feedback to Microsoft by clicking the Send Feedback menu item on the Help menu; the Send Feedback menu item is removed from the Help menu.
Disable Context menu: If you enable this policy, users don't see context menus when they right-click their mouse while using the browser. This policy is useful if you need to make certain that users don't run commands you have removed from other parts of the interface.
Disable Open in New Window menu option: If you enable this policy, users can't open a link in a new browser window. In order to prevent users from opening new browser windows further, also refer to the File menu: Disable Menu option policy.
Disable Save this program to disk option: If you enable this policy, users can't save files or programs to the hard disk Internet Explorer has downloaded.

A.1.1.2.4 Toolbars

User Configuration\Administrative Templates\Windows Components\Internet 
Explorer\Toolbars

Disable customizing browser toolbar buttons: Controls the buttons that appear on the Internet Explorer and Windows Explorer standard toolbars. For more information on toolbar policies, refer to the Disable customizing browser toolbars policy.
Disable customizing browser toolbars: Controls which toolbars are displayed in Internet Explorer and Windows Explorer. For more information on toolbar policies, refer to the Disable customizing browser toolbar buttons policy.
Configure Toolbar Buttons: Controls which buttons are displayed on the standard toolbar in Internet Explorer. This policy allows you to select the buttons that are displayed on the toolbar by checking or clearing a checkbox for each button.

A.1.1.2.5 Persistance Behavior

User Configuration\Administrative Templates\Windows Components\Internet 
Explorer\Persistance Behavior

File size limits for Local Machine zone: Controls the amount of storage a page or site using the DHTML Persistence behavior can use for the Local Computer security zone. This policy allows you to set the persistence storage amount per domain or per document for this security zone.
File size limits for Intranet zone: Controls the amount of storage a page or site using the DHTML Persistence behavior can use for the Local Intranet security zone. This policy allows you to set the persistence storage amount per domain or per document for this security zone.
File size limits for Trusted Sites zone: Controls the amount of storage a page or site using the DHTML Persistence behavior can use for the Trusted Sites security zone. This policy allows you to set the persistence storage amount per domain or per document for this security zone.
File size limits for Internet zone: Controls the amount of storage a page or site using the DHTML persistence behavior can use for the Internet security zone. This policy allows you to set the persistence storage amount per domain or per document for this security zone.
File size limits for Restricted Sites zone: Controls the amount of storage a page or site using the DHTML Persistence behavior can use for the Restricted Sites security zone. This policy allows you to set the persistence storage amount per domain or per document for this security zone.

A.1.1.2.6 Administrator Approved Controls

User Configuration\Administrative Templates\Windows Components\Internet 
Explorer\Administrator Approved Controls

Databinding

User Configuration\Administrative Templates\Windows Components\Internet 
Explorer\Administrator Approved Controls\Databinding

RDS: This policy allows web developers to move data from a server to a client application or web page, manipulate the data on the client, and return updates to the server in a single round trip. If you enable this policy, it gives administrator approval to the Remote Data Service (RDS) ActiveX control.
TDC: This policy allows data to be displayed in a delimited text file within tables or within a form and allows data to be sorted and filtered by the browser without interaction with the web server. You can run this control in security zones where you specify that administrator-approved controls can be run if you enable this policy.
XML: This policy marks the Extensible Markup Language (XML) Data Source Object as administrator-approved. This control enables developers to use data-binding functionality in Dynamic HTML to connect to XML data and provide it to an HTML page. If you enable this policy, you can run this control in security zones where you specify that administrator-approved controls can be run.

Internet Explorer

User Configuration\Administrative Templates\Windows Components\Internet 
Explorer\Administrator Approved Controls\Internet Explorer

Active Setup: Enabling this policy marks Active Setup ActiveX control as administrator-approved. If a connection is lost during setup, Active Setup recovers the setup process. If you enable this policy, you can run this control in security zones where you specify that administrator-approved controls can be run.
Media Player: Enabling this policy marks Media Player ActiveX control as administrator-approved. Sounds, videos, and other media are made possible by the use of this control.
Extras: Enabling this policy marks this group of Microsoft ActiveX controls (the Extras) that extend browser functionality as administrator-approved. If you enable this policy, you can run this control in security zones where you specify that administrator-approved controls can be run.
Menu Controls: Enabling this policy marks a set of Microsoft ActiveX controls used to manipulate pop-up menus in the browser as administrator-approved.
Microsoft Agent: Enabling this policy marks the Microsoft Agent ActiveX control as administrator-approved. If you enable this policy, you can run this control in security zones where you specify that administrator-approved controls can be run.
Microsoft Chat: Enabling this policy marks the Microsoft Chat ActiveX control as administrator-approved. Web authors can use this control to build text- and graphical-based Chat communities for real-time conversations on the Web. If you enable this policy, you can run this control in security zones where you specify that administrator-approved controls can be run.
Webpost: Enabling this policy marks the WebPost ActiveX control as administrator-approved. This control enables administrators to post web content to web servers and is based on the Web Publishing wizard. If you enable this policy, you can run this control in security zones where you specify that administrator-approved controls can be run.

MSN

User Configuration\Administrative Templates\Windows Components\Internet 
Explorer\Administrator Approved Controls\MSN

Cache Preloader: Enabling this policy marks the Microsoft Network (MSN) Cache Preloader ActiveX control as administrator-approved. This control enables administrators to load a web page into the user's cache before the user views it.
Carpoint: Enabling this policy marks the Microsoft Network (MSN) Carpoint automatic pricing control as administrator-approved. Users come to the Carpoint web site to get information about vehicles and shop for vehicles. This control enables users to benefit from enhanced pricing functionality on the Carpoint web site.
Install: Enabling this policy marks the Microsoft Network (MSN) Install controls as administrator-approved. Microsoft Network (MSN) Install controls install and manage MSN services.
Investor: Enabling this policy marks Microsoft Network (MSN) Investor controls as administrator-approved. Users can view updated lists of stocks on their web pages with Microsoft Network (MSN) Investor controls. If you enable this policy, you can run this control in security zones where you specify that administrator-approved controls can be run.
MSNBC: Enabling this policy marks MSNBC controls as administrator-approved. Users will benefit from enhanced browsing of news reports on the MSNBC web site with MSNBC controls. If you enable this policy, you can run this control in security zones where you specify that administrator-approved controls can be run.
Music: Enabling this policy marks Microsoft Network (MSN) music controls as administrator-approved. Users benefit from enhanced music services on the MSN web site with Microsoft Network (MSN) music controls. If you enable this policy, you can run this control in security zones where you specify that administrator-approved controls can be run.
Quick View Access: Enabling this policy marks Quick View Access control as administrator-approved. Quick View Access displays the number of email messages a user has received on the user's taskbar and provides quick access to MSN sites. If you enable this policy, you can run this control in security zones where you specify that administrator-approved controls can be run.

A.1.1.3 Windows Explorer

User Configuration\Administrative Templates\Windows Components\Windows Explorer

Enable Classic Shell: Enabling this policy prevents users from using Active Desktop, Web view, and thumbnail views. The interface resembles and operates as Windows NT 4.0 does.
Remove the Folder Options menu item from the Tools menu: Enabling this policy prevents users from using the Folder Options dialog box, which in turn prevents them from setting the properties of Windows Explorer, including Active Desktop and Web view.
Remove File menu from Windows Explorer: Enabling this policy prevents users from using File menu but doesn't prevent users from performing File menu tasks run with other methods.
Remove "Map Network Drive" and "Disconnect Network Drive": Enabling this policy prevents users from connecting to other computers or closing existing connections from Windows Explorer or My Network Places. Note that users can still connect to other computers by typing the name of a shared folder in the Run dialog box.
Remove Search button from Windows Explorer: Enabling this policy removes the Search button from Windows Explorer toolbar in all the places the Windows Explorer toolbar is used.
Disable Windows Explorer's default context menu: If you enable this policy, users can't see or use shortcut menus when they right-click on their desktop or in Windows Explorer.
Hides the Manage item on the Windows Explorer context menu: If you enable this policy, users can't see or use the Manage item in the Windows Explorer context menu when they right-click Windows Explorer or My Computer.
Only allow approved Shell extensions: If you enable this policy, Windows starts only user interface extensions the system security or the users have approved. Administrators interested in protecting their system from damage caused by programs that don't operate correctly or are intended to cause harm may be interested in using this policy.
Do not track Shell shortcuts during roaming: Controls whether or not Windows 2000 traces shortcuts back to their sources when it can't find the target on the user's system. If enabled, this policy prevents the system from searching for the original path when it can't find the target file in the current target path.
Hide these specified drives in My Computer: If you enable this policy, selected hard drives are removed from My Computer, Windows Explorer, and My Network Places and the drive letters representing the selected drives don't appear in the standard Open dialog.
Prevent access to drives from My Computer: If you enable this policy, users can't gain access to the content of selected drives through My Computer. Users aren't prevented from using programs to access local and network drives or from using the Disk Management snap-in to view and change drive characteristics.
Hide Hardware tab: Enabling this policy removes the Hardware tab from the Mouse, Keyboard, Sounds and Multimedia in Control Panel, and from the Properties dialog box for all local drives.
Disable UI to change menu animation setting: Controls the Hide keyboard navigation indicators until the ALT key option in Display in Control Panel is used. If you enable this policy, the underlining that indicates a keyboard shortcut character (hot key) doesn't appear on menus until you press ALT.
Disable UI to change keyboard navigation indicator setting: Enabling this policy marks Media Player ActiveX control as administrator-approved. Sounds, videos, and other media are enabled with this control.
Disable DFS tab: When you enable this policy, the Distributed File System tab is removed from Windows Explorer and from other programs that use the Windows Explorer browser, such as My Computer.
No "Computers Near Me" in My Network Places: If you enable this policy, computers in the user's workgroup and domain are removed from lists of network resources in Windows Explorer and My Network Places. Note that users can still connect to computers in their workgroup and domain with other methods, such as typing the share name in the Run dialog box or using the Map Network Drive dialog box.
No "Entire Network" in My Network Places: If you enable this policy, computers outside the user's workgroup and domain are removed from lists of network resources in Windows Explorer and My Network Places. Note that users can still connect to computers in their workgroup and domain with other methods, such as typing the share name in the Run dialog box or using the Map Network Drive dialog box.
Maximum number of recent documents: Controls the number of shortcuts displayed in the Documents menu on the Start menu. Note that the system displays 15 documents by default.
Do not request alternate credentials: If you enable this policy, users can't submit alternate logon credentials to install a program.
Request credentials for network installations: Controls whether or not users are prompted for alternate logon credentials during network-based installations. If you enable this policy, a Install Program As Other User dialog box is displayed when files are being installed.

A.1.1.3.1 Common Open File Dialog

User Configuration\Administrative Templates\Windows Components\Windows 
Explorer\Common Open File Dialog

Hide the common dialog places bar: If you enable this policy, the shortcut bar is removed from the Open dialog box. Administrators can use this policy to remove new features added in Windows 2000, which causes the Open dialog box to resemble the Open dialog box in Windows NT 4.0 and earlier versions.
Hide the common dialog back button: If you enable this policy, the Back button is removed from the Open dialog box. Administrators can use this policy to remove new features added in Windows 2000, which causes the Open dialog box to resemble the Open dialog box in Windows NT 4.0 and earlier versions.
Hide dropdown list of recent files: If you enable this policy, the list of most recently used files is removed from the Open dialog box. Administrators can use this policy to remove new features added in Windows 2000, which causes the Open dialog box to resemble the Open dialog box in Windows NT 4.0 and earlier versions.

A.1.1.4 Microsoft Management Console

User Configuration\Administrative Templates\Windows Components\Microsoft 
Management Console

Restrict the user from entering author mode: If you enable this policy, users can't enter author mode. This includes opening the MMC in author mode, opening console files in author mode, and opening any console files that open in author mode by default.
Restrict users to the explicitly permitted list of snap-ins: If you enable this policy, you can permit the use of Microsoft Management Console (MMC) snap-ins on a select basis, which you determine, or not at all. If you don't enable this policy, users can access all snap-ins.

A.1.1.4.1 Restricted/Permitted snap-ins

User Configuration\Administrative Templates\Windows Components\Microsoft 
Management Console\Restricted/Permitted snap-ins

Active Directory Users and Computers

Controls use of this snap-in. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.

Active Directory Domains and Trusts

Active Directory Sites and Services

Certificates

Controls the use of this snap-in. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.

Computer Management

DCOM Config

Device Manager

Disk Management

Disk Defragmenter

Distributed File System

Event Viewer

FAX Service

Indexing Service

Internet Authentication Service (IAS)

IAS Logging

Internet Information Services

IP Security

Local Users and Groups

Performance Logs and Alerts

QoS Admission Control

Removable Storage Management

Routing and Remote Access

Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.

Security Configuration and Analysis

Security Templates

Services

Shared Folders

System Information

Telephony

Extension snap-ins

User Configuration\Administrative Templates\Windows Components\Microsoft 
Management Console\Restricted/Permitted snap-ins\Extension snap-ins

AppleTalk Routing: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Certification Authority: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Component Services: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Connection Sharing (NAT): Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Device Manager: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
DHCP Relay Management: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Event Viewer: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
IGMP Routing: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
IP Routing: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
IPX RIP Routing: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
IPX Routing: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
IPX SAP Routing: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Logical and Mapped Drives: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
OSPF Routing: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Public Key Policies: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
RAS Dialin - User Node: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Remote Access: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Removable Storage: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
RIP Routing: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Routing: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Send Console Message: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Service Dependencies: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
SMTP Protocol: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
SNMP: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
System Properties: Controls the use of this snap-in extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.

Group Policy

User Configuration\Administrative Templates\Windows Components\Microsoft 
Management Console\Restricted/Permitted snap-ins\Group Policy

Group Policy snap-in: Controls the use of this snap-in extension-allows or prohibits use of the Group Policy snap-in. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Group Policy Tab for Active Directory Tools: Allows or prohibits use of Administrative Templates (Computers) Group Policy folder. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Administrative Templates (Computers): Allows or prohibits use of the Group Policy Tab for Active Directory Tools. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Administrative Templates (Users): Allows or prohibits use of the Administrative Templates (Users) Group Policy folder. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Folder Redirection: Allows or prohibits use of the Group Policies that use the Folder Redirection client-side extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Remote Installation Services: Allows or prohibits use of the Group Policies that use the Remote Installation Services client-side extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Scripts (Logon/Logoff): Allows or prohibits use of the Group Policies that use the Logon/Logoff Scripts client-side extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Scripts (Startup/Shutdown): Allows or prohibits use of the Group Policies that use the Startup/Shutdown Scripts client-side extension. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Security Settings: Allows or prohibits use of the policies in the Security Settings folder in Group Policy. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Software Installation (Computers): Allows or prohibits use of policies in the Software Installation (Computers) folder in Group Policy. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.
Software Installation (Users): Allows or prohibits use of policies in the Software Installation (Users) folder in Group Policy. This policy is affected by the setting of the Restrict users to the explicitly permitted list of snap-ins policy. You can prohibit users from accessing any snap-ins by enabling the Restrict users to the explicitly permitted list of snap-ins policy and not configuring any of the policies in this folder.

A.1.1.5 Task Scheduler

User Configuration\Administrative Templates\Windows Components\Task Scheduler

Hide Property Pages: When this policy is enabled, users can't view or change the properties of an existing task, which simplifies task creation for beginning users. These properties may include the program the task runs, details of its schedule, idle time and power management settings, and its security context. Note that this policy appears in both the Computer Configuration and User Configuration folders, but the Computer Configuration folder takes precedence.
Prevent Task Run or End: When this policy is enabled, users can't start or stop tasks manually. This means that users can't force tasks to end before they are finished or start tasks manually. Note that this policy appears in both the Computer Configuration and User Configuration folders, but the Computer Configuration folder takes precedence.
Disable drag-and-drop: When you enable this policy, users can't use the drag-and-drop method to add or remove tasks in the Scheduled Tasks folder.
Disable New Task Creation: When you enable this policy, users can't create new tasks. This policy also prevents the system from responding when users try to move, paste, or drag programs or documents into the Scheduled Tasks folder. Note that this policy appears in both the Computer Configuration and User Configuration folders, but the Computer Configuration folder takes precedence.
Disable Task Deletion: When you enable this policy, users can't delete tasks from the Scheduled Tasks folder. Additionally, the system doesn't respond if users try to cut or drag a task from the Scheduled Tasks folder. Note that this policy appears in both the Computer Configuration and User Configuration folders, but the Computer Configuration folder takes precedence.
Disable Advanced Menu: When this policy is enabled, users can't view or change the properties of newly created tasks, which simplifies task creation for beginning users. These properties may include the program the task runs, details of its schedule, idle time and power management settings, and its security context. Note that this policy appears in both the Computer Configuration and User Configuration folders, but the Computer Configuration folder takes precedence.
Prohibit Browse: When this policy is enabled, users' newly scheduled tasks are limited to items on the user's Start menu, and users can't change the scheduled program for existing tasks. Note that this policy appears in both the Computer Configuration and User Configuration folders, but the Computer Configuration folder takes precedence.

A.1.1.6 Windows Installer

User Configuration\Administrative Templates\Windows Components\Windows Installer

Always install with elevated privileges: Enabling this policy directs Windows Installer to use system permissions when it installs any program on the system. This allows a user to install programs that require access to directories the user may not have permission to view or change. Note that this policy appears in both the Computer Configuration and User Configuration folders; the policy must be enabled in both folders to make the policy effective.
Search order: This policy allows you to set the order Windows Installer uses to search the installation files. Note that Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL) by default.
Disable rollback: When this policy is enabled, Windows Installer doesn't generate and save the files it needs to reverse an interrupted or unsuccessful installation; it's unable to record the original state of the computer. This policy reduces the amount of temporary disk space required to install programs.
Disable media source for any install: When this policy is enabled, users can't install programs from removable media including CD-ROMs, floppy disks, and DVDs. If you enable this policy, it continues to run when the installation is running in the user's security context.

A.1.2 Start Menu & Taskbar

User Configuration\Administrative Templates\Start Menu & Taskbar

Remove user's folders from the Start Menu: When you enable this policy, users can't see the user-specific (top) section of the Start menu. This policy works best with redirected folders, because they appear on the main (bottom) section of the Start menu. Removing them from the top of the Start menu means that users don't see them twice in the Start menu, which can be confusing.
Disable and remove links to Windows Update: When you enable this policy, users can't connect to the Windows Update web site. The Windows Update web site is the online extension of Windows. The site provides software updates to keep a user's system up to date in addition to other information.
Remove common program groups from Start Menu: This policy removes items in the All Users profile from the Programs menu on the Start menu. If you enable this policy, users see only items in the user's profile in the Programs menu.
Remove Documents menu from Start Menu: When you enable this policy, users can't access the Documents menu from the Start menu; it's removed. This prohibits users from opening recently used files.
Disable programs on Settings menu: Controls the user's ability to run Control Panel, Printers, and Network and Dial-up Connections. If you enable this policy, the Control Panel, Printers, and Network and Dial-up Connections are removed from My Computer and Windows Explorer, and programs represented by these folders won't run.
Remove Network and Dial-up Connections from Start Menu: Controls the user's ability to run Network and Dial-up Connections. If you enable this policy, users can't utilize Network and Dial-up Connections.
Remove Favorites menu from Start Menu: Controls the Favorites menu on the Start menu. The Favorites menu doesn't appear on the Start menu by default; if you enable this policy users can't add it manually.
Remove Search menu from Start Menu: If you enable this policy, the Search item on the Start menu and some Windows Explorer search elements are removed or disabled. Additionally, users won't get a response if they press the Application key (the key with the Windows logo) + F.
Remove Help menu from Start Menu: If you enable this policy, the Help menu is removed from the Start menu only; it isn't removed or affected in other locations.
Remove Run menu from Start Menu: If you enable this policy, the Run command is removed from the Start menu, and the New Task (Run) command is removed from Task Manager.
Add Logoff to the Start Menu: This policy adds the Log Off <username> item to the Start menu and prevents users from removing it. Be aware that this policy affects only the Start menu; it doesn't affect the Log Off item on the Windows Security dialog box.
Disable Logoff on the Start Menu: Enabling this policy removes the Log Off <username> item from the Start menu and the Display Logoff item from Start Menu Options. Also, users can't restore the Log Off <username> item.
Disable and remove the Shut Down command: When you enable this policy, users can't shut down or restart Windows. This policy doesn't prevent users from running other programs to shut Windows down, but it does prevent them from using the Windows interface to shut down.
Disable drag-and-drop context menus on the Start Menu: When you enable this policy, users can't reorder or remove items from the Start menu using the drag-and-drop method. This policy also removes the context menus from the Start menu. Users can use other means to customize the Start menu or to perform context menu tasks.
Disable changes to Start Menu & Taskbar Settings: Enabling this policy removes the Start Menu & Taskbar item from Settings on the Start menu and prevents users from opening the Taskbar Properties dialog box.
Disable context menu for taskbar: This policy eliminates the menus that appear when you right-click the taskbar and items on the taskbar for users.
Do not keep history of recently opened documents: If you enable this policy, the system doesn't save shortcuts to the Documents menu. Users use these shortcuts to quickly open their most recently used documents.
Clear history of recently opened documents on exit: Controls whether the system deletes the contents of the Documents menu on the Start menu when the user logs off. If you enable this policy, users will have an empty documents menu when they log on.
Disable personalized menus: Enabling this policy turns off personalized menus for users. Personalized menus work by moving recently used items to the top of the menu and hiding the remaining items.
Disable user tracking: If you enable this policy, the system doesn't track the programs users run, the paths they navigate, and the documents they open. Windows 2000 uses tracking information to customize features.
Add "Run in Separate Memory Space" check box to Run dialog box: Allows users to run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. This policy lets users run a 16-bit program in its own dedicated NTVDM process.
Do not use the search-based method when resolving shell shortcuts: If you enable this policy, the system doesn't perform a search of the target drive when it can't find a target file for a shortcut (.lnk).
Do not use the tracking-based method when resolving shell shortcuts: If you enable this policy, the system doesn't try to locate a file by using its file ID if a the system can't find a target file for a shortcut. Note that FAT partitions don't have this ID tracking and search capability, as a result, this policy doesn't apply.
Gray unavailable Windows Installer programs Start Menu shortcuts: If you enable this policy, Start menu shortcuts to partially installed programs are displayed in gray text. This helps users quickly distinguish between fully and partially installed programs.

A.1.3 Desktop

User Configuration\Administrative Templates\Desktop

Hide all icons on Desktop: If you enable this policy, icons, shortcuts, and other default and user-defined items are removed from the desktop. These include Briefcase, Recycle Bin, My Computer, and My Network Places. Removing these icons doesn't prevent users from opening these items by other means.
Remove My Documents icon from desktop: If you enable this policy, the My Documents icon is removed from the desktop, from Windows Explorer, from programs that use the Windows Explorer windows, and from the standard Open dialog box. Removing these icons doesn't prevent users from opening My Documents by other means and doesn't remove My Documents from the Start menu.
Remove My Documents icon from Start Menu: If you enable this policy, the My Documents icon is removed from the Start menu. Removing this icon doesn't prevent users from opening My Documents by other means.
Hide My Network Places icon on desktop: If you enable this policy, the My Network Places icon is removed from the desktop. Removing this icon doesn't prevent users connecting to the network or browsing for shared computers on the network. Removing this icon doesn't prevent users from starting Internet Explorer by other means.
Do not add shares from recently opened documents to the My Network Places folder: Enabling this policy prevents remote-shared folders from being added to My Network Places when you open a document in the shared folder.
Prohibit user from changing My Documents path: If you enable this policy, users can't change the path to the My Documents folder by typing a new path in the Target box of the Properties dialog box for My Documents.
Disable adding, dragging, dropping and closing the Taskbar's toolbars: Controls the manipulation of desktop toolbars. This policy prevents users from adding or removing toolbars from the desktop and dragging toolbars on to or off of docked toolbars when enabled.
Disable adjusting desktop toolbars: Enabling this policy prevents users from adjusting the length of desktop toolbars or repositioning items or toolbars on docked toolbars.
Don't save settings at exit: Enabling this policy prevents users from saving such changes as the positions of open windows and the size and position of the taskbar. Note that shortcuts placed on the desktop are always saved.

A.1.3.1 Active Directory

User Configuration\Administrative Templates\Desktop\Active Directory

Maximum size of Active Directory searches: With this policy, you can set the maximum number of objects the system displays in response to a command to browse or search Active Directory. This policy protects your network and domain controller from the sometimes negative effects of expansive searches.
Enable filter in Find dialog box: If you enable this policy, the filter bar appears automatically above the results of an Active Directory search. The filter bar allows users to quickly refine their search results.
Hide Active Directory folder: If you enable this policy, the Active Directory folder doesn't appear in My Network Places. The Active Directory folder displays Active Directory objects in a browse window.

A.1.3.2 Active Desktop

User Configuration\Administrative Templates\Desktop\Active Desktop

Enable Active Desktop: Controls use of Active Desktop. If you enable this policy, Active Desktop is enabled, and users can't disable it. Note that Active Desktop is disabled by default, but users can choose to enable it if this policy isn't in effect.
Disable Active Desktop: Controls use of Active Desktop. If you enable this policy, it locks down the configuration you establish by using other policies in this folder. Users can't enable or disable the Active Desktop themselves.
Prohibit changes: This policy allows you to remove Active Desktop content and prevents users from adding Active Desktop content. Note that this policy doesn't disable Active Desktop.
Disable all items: This policy allows you to removes Active Desktop content and prevent users from adding Active Desktop content. Note that this policy doesn't disable Active Desktop.
Prohibit adding items: If you enable this policy, users can't add web content to their Active Desktop; they can, however, remove web content from their Active Desktop. Note that this policy will not remove any existing content from Active Desktop.
Prohibit editing items: If you enable this policy, users can't change the properties of web content items on their Active Desktop.
Prohibit deleting items: If you enable this policy, users can only remove--not delete--web content from their Active Desktop. Note that with this policy enabled, users can still add content to their Active Desktop.
Prohibit closing items: If you enable this policy, users can't remove web content from their Active Desktop. This means that items added to the Active Directory remain on the desktop at all times; they can't be closed.
Add/Delete items: You can use this policy to add or delete certain items to or from users' desktops. Note that if policies allow, users can still add or delete items from their desktops.
Active Desktop Wallpaper: Controls the desktop background (or wallpaper) displayed on all users' desktops. This policy allows you to specify users' wallpaper and the characteristics of the wallpaper--whether it is centered, tiled, and so on.
Allow only bitmapped wallpaper: Limits users to only bitmap images for desktop backgrounds, or wallpaper. Wallpaper doesn't load if it has another image format, such as JPEG, GIF, PNG, or HTML.

A.1.4 Control Panel

User Configuration\Administrative Templates\Control Panel

Disable Control Panel: If you enable this policy, Control.exe doesn't run. Additionally, the Control Panel menu item is removed from the Start menu, and the Control Panel folder is removed from Windows Explorer.
Show only specified control panel applets: This policy lets you specify which Control Panel items and folders are visible to users. Enabling this policy hides all the Control Panel items and folders, except for the items and folders you specify. This policy can be overridden by the Hide specified Control Panel applets policy.
Hide specified control panel applets: This policy lets you specify which Control Panel items and folders to hide from users. This policy overrides the Show only specified Control Panel applets policy.

A.1.4.1 Add/Remove Programs

User Configuration\Administrative Templates\Control Panel\Add/Remove Programs

Disable Add/Remove Programs: Controls use of Add/Remove Programs. Users can install, uninstall, repair, add, and remove features and components of Windows 2000 and a wide variety of Windows programs with the Add/Remove Programs feature. This feature is enabled for users by default.
Hide Change or Remove Programs page: Enabling this policy removes the Change or Remove Programs button from the Add/Remove Programs bar, which prevents users from users uninstalling, repairing, adding, or removing features of installed programs by this means.
Hide Add New Programs page: Enabling this policy removes the Add New Programs button from the Add/Remove Programs bar, which prevents users from installing programs published or assigned by a system administrator by this means.
Hide Add/Remove Windows Components page: Enabling this policy removes the Add/Remove Windows Components button from the Add/Remove Programs bar, which prevents users from configuring installed services and using the Windows Component wizard to add, remove, and configure components of Windows 2000 from the installation files by this means.
Hide the "Add a program from CD-ROM or floppy disk" option: Enabling this policy removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page, which prevents users from installing media with Add/Remove Programs. Note that this doesn't prevent users from installing media by other means.
Hide the "Add programs from Microsoft" option: Enabling this policy removes the "Add programs from Microsoft" section from the Add New Programs page, which prevents users from connecting to the Windows update using Add/Remove Programs. Note that this doesn't prevent users connecting to the Windows update by other means.
Hide the "Add programs from your network" option: If you enable this policy, users can't add or install published programs. Users can't tell which programs have been published by the administrator and they can't use Add/Remove Programs to install published programs. Published programs are those programs that administrators make available to users.
Go directly to Components wizard: If you enable this policy users can't use the Set Up Services section of the Add/Remove Windows Components Page. Instead, the Windows Component wizard runs.
Disable Support Information: When you enable this policy, hyperlinks to the Support Info dialog box from programs on the Change or Remove Programs page are removed. The programs on the Change or Remove Programs page sometimes include a hyperlink called "Click here for support information."
Specify default category for Add New Programs: If you enable this policy, you can choose one category of programs to display when users display the Add New Programs page. Users can view additional programs by using the Category drop-down list on the Add New Programs page.

A.1.4.2 Display

User Configuration\Administrative Templates\Control Panel\Display

Disable Display in control panel: When you enable this policy, users can't use Display in the Control Panel; it won't run.
Hide Background tab: This policy prevents users from changing the pattern and wallpaper on the desktop through the Control Panel by removing the Background tab from Display in Control Panel.
Disable Changing Wallpaper: This policy prevents users from adding or changing the background design (or wallpaper) of the desktop.
Hide Appearance tab: This policy prevents users from changing colors or color schemes of the desktop and windows through the Control Panel, because it removes the Appearance tab from Display in Control Panel.
Hide Settings tab: This policy prevents users from adding, configuring, or changing the display settings on the computer through the Control Panel, because it removes the Settings tab from Display in Control Panel.
Hide Screen Saver tab: This policy prevents users from adding, configuring, or changing the screen saver on the computer through the Control Panel, because it removes the Screen Saver tab from Display in Control Panel.
No screen saver: Enabling this policy ensures that all screen savers are disabled. Further, users can't change screen-saver options through the Control Panel.
Screen saver executable name: Enabling this policy ensures that all the computers in your system will display the specific screen saver you designate. Further, users can't change the screen saver because this policy disables the drop-down list of screen savers on the Screen Saver tab in Display in Control Panel.
Password protect the screen saver: If you enable this policy all screen savers must be password-protected. If you disable it, passwords can't be set up for screen savers. If you don't configure it, users can set up a password if they like, but it isn't required.

A.1.4.3 Printers

User Configuration\Administrative Templates\Control Panel\Printers

Disable deletion of printers: Enabling this policy also prevents users from deleting local and network printers. Users can delete printers by other means.
Disable addition of printers: Controls the methods that add local and network printers. Enabling this policy also prevents users from adding printers by dragging a printer icon into the Printers folder. Note that this policy doesn't prevent users from adding printers with the Add Hardware wizard or from running additional programs to add printers.
Browse the network to find printers: This policy allows users to search the network for shared printers through the Add Printer wizard. When enabled, this policy allows users to select a printer from a list the Add Printer wizard displays if users click "Add a network printer", but don't fill in a printer name while searching.
Default Active Directory path when searching for printers: This policy allows you to choose the Active Directory location where users' searches for printers begin when they use the Add Printer wizard. If you enable this policy, users start their search at the location you specify instead of starting at the default location. The root of the Active Directory is the default.
Browse a common web site to find printers: This policy adds a web link to the Add Printer wizard. The web link directs users to a web page that they can install printers from.

A.1.4.4 Regional Options

User Configuration\Administrative Templates\Control Panel\Regional Options

Restrict selection of Windows 2000 menus and dialogs language: If you enable this policy, users are restricted to either a specified language or the default language, which is English.

A.1.5 Network

User Configuration\Administrative Templates\Network

A.1.5.1 Offline Files

User Configuration\Administrative Templates\Network\Offline Files

Disable user configuration of Offline Files: If you enable this policy, users can't enable, disable, or change the configuration of Offline Files. This policy uses other policies in this folder to lock down the configuration you set up.
Synchronize all offline files before logging off: Controls whether the system performs a quick or full synchronization of offline files when users log off. Enabling this policy ensures that the system performs a full synchronization.
Action on server disconnect: Controls whether network files remain available if the computer is suddenly disconnected from the server hosting the files. Enabling this policy allows you to use the Action box to specify whether or not users can work offline when the server is inaccessible.
Non-default server disconnect actions: Controls how computers respond when they are disconnected from particular offline file servers. This policy allows you to determine whether or not users can access a server's files offline when they are disconnected from that particular server. This policy takes precedence over default response, a user-specified response, and the response specified in the Action on server disconnect policy.
Disable "Make Available Offline": Controls the ability to make network files and folders available offline. If you enable this policy, users can't save files for offline use. The system isn't prevented from saving local copies of files located on network shares designated for automatic caching.
Prevent use of Offline Files folder: If you enable this policy, users can't access the Offline Files Folder to view or open copies of network files stored on their computer. Users can still work offline and save local copies of files available offline.
Administratively assigned offline files: Controls the specified files and folders available offline to users. This policy provides a list of network files and folders users can access at any time for offline use.
Disable reminder balloons: Enabling this policy removes the reminder balloons. Reminder balloons notify users when they have lost the connection to a networked file and are working on a local copy of the file.
Reminder balloon frequency: Controls when reminder balloon updates appear. You can use this policy to change the default update interval, which displays a reminder balloon every 60 minutes for 15 seconds.
Initial reminder balloon lifetime: Controls how long the initial reminder balloon update appears onscreen. You can use this policy to change the default display time for an initial reminder balloon. Thirty seconds is the default time for the first reminder.
Reminder balloon lifetime: Controls how long reminder balloon updates appear for onscreen. You can use this policy to change the default display time for an reminder balloon updates. Fifteen seconds is the default time for the reminder balloon updates.
Event logging level: Controls the events that are recorded in the Offline Files feature records in the event log. If you enable this policy, you can choose a number in between and 3 to determine the number of events you want recorded.

A.1.5.2 Network and Dial-up Connections

User Configuration\Administrative Templates\Network\Network and Dial-up Connections

Enable deletion of RAS connections: Controls users' ability to delete private dial-up connections. Users can delete their private RAS connections if you enable this policy. Users can also delete their private RAS connections if you don't configure this policy.
Enable deletion of RAS connections available to all users: Controls users' ability to delete shared dial-up connections. Users can delete their private RAS connections if you enable this policy. Note that the Enable deletion of RAS connections policy overrides this policy if it's disabled.
Enable connecting and disconnecting a RAS connection: Controls users' ability to connect and disconnect from dial-up connections. Enabling this policy allows users to connect and disconnect from dial-up connections. Note that this doesn't prevent users from connecting and disconnecting to a dial-up connection via the Status page.
Enable connecting and disconnecting a LAN connection: Controls users' ability to connect and disconnect local area connections. Enabling this policy allows users to connect and disconnect from local area connections. Note that this doesn't prevent users from connecting and disconnecting to a dial-up connection via the Status page.
Enable access to properties of a LAN connection: Controls users' ability to view and change the properties of a local area connection for users. Enabling this policy allows users to view and change the properties of a local area connection. Note that this policy overrides any policies that removes or disables parts of the Local Area Connection Properties dialog box.
Allow access to current user's RAS connection properties: Controls users' ability to view and change the properties of private dial-up connections. Private connections are only available to one user. Note that this policy overrides other policies that remove or disable parts of the Dial-up Connection Properties dialog box.
Enable access to properties of RAS connections available to all users: Controls users' ability to view and change the properties of dial-up connections that are available to all users of the computer. Enabling this policy allows users to view and change the properties. Note that this policy overrides other policies that remove or disable parts of the Dial-up Connection Properties dialog box.
Enable renaming of connections, if supported: Controls users' ability to rename dial-up and local area connections. Enabling this policy allows users to rename all connections, including their private dial-up connections.
Enable renaming of RAS connections belonging to the current user: Controls users' ability to rename their private dial-up connections. Enabling this policy allows users to rename their private dial-up connection.
Enable adding or removing components of a RAS or LAN connection: Controls users' ability to add and remove network components. Enabling this policy allows users to add and remove network components through the Install and Uninstall buttons in Network and Dial-up Connections or through the Windows Components wizard.
Allow connection components to be enabled or disabled: Controls users' ability to enable and disable the components used by dial-up and local area connections. This policy adds a checkbox beside the name of each component listed in each connection's Properties dialog box. Checking the box enables the component.
Enable access to properties of components of a LAN connection: Controls users' ability to change the properties of components used by a local area connection. Enabling this policy (or not configuring it at all) allows users to change the properties. Note that some network components properties are never configurable.
Enable access to properties of components of a RAS connection: Controls users' ability to view and change the properties of components used by a dial-up connection. Enabling this policy (or not configuring it at all) will allow users to change the properties. Note that some network components properties are never configurable.
Display and enable the Network Connection wizard: Controls users' ability to create new network connections with the Network Connection wizard. Enabling this policy allows users to utilize the Make New Connection icon in Network and Dial-up Connections to start the Network Connection wizard.
Enable status statistics for an active connection: Controls users' ability to view the Status page for an active connection. Enabling this policy allows users to utilize the Status page to view information about the connection and its activity and to disconnect and configure the properties of the connection through buttons on this page.
Enable the Dial-up Preferences item on the Advanced menu: If you enable this policy, the Dial-up Preferences item on the Advanced menu in Network and Dial-up Connections is enabled. This allows users to create and change connections before logon and to configure AutoDialing and callback features.
Enable the Advanced Settings item on the Advanced menu: If you enable this policy, the Advanced Settings item on the Advanced menu in Network and Dial-up Connections are enabled. This allows users to view and change bindings, the order that the computer accesses connections, network providers, and print providers.
Allow configuration of connection sharing: Controls the ability to enable, disable, and configure the Internet Connection Sharing feature of a dial-up connection. If this policy is enabled, administrators and power users can manipulate the Internet Connections Sharing feature. Internet Connection Sharing provides network services to the network and allows users to configure their system as an Internet gateway for a small network.
Allow TCP/IP advanced configuration: Controls users' ability to use Network and Dial-up Connections to configure TCP/IP, DNS, and WINS settings. Enabling this policy allows users to open the Advanced TCP/IP Settings Properties page and modify IP settings.

A.1.6 System

User Configuration\Administrative Templates\System

Don't display welcome screen at logon: If you enable this policy, the "Getting Started with Windows 2000" welcome screen is hidden from users. Users can access this screen from the Start menu. Note that this policy appears in both the Computer Configuration and User Configuration folders, but the Computer Configuration folder takes precedence.
Century interpretation for Year 2000: Controls how two-digit years are interpreted by programs. Two-digit numbers greater than the number you specify (the default number is 29) are preceded by 19, and two-digit numbers less than the number specified are preceded by 20.
Code signing for device drivers: Controls what happens when a user tries to install device driver files that aren't digitally signed. You can set up the least secure response permitted on the system with this policy. After you enable this policy, you can use the drop-down box to specify the desired response: either Ignore, Warn, or Block.
Custom user interface: Controls the user interface for the system. With this policy, you can enable a user interface other than the default Windows interface.
Disable the command prompt: If you enable this policy, users can't run the interactive command prompt, Cmd.exe or run batch files (.cmd and .bat) on their computers. Keep in mind that you don't want to disable batch files if your system uses logon, logoff, startup, or shutdown batch file scripts, or if you have users that use Terminal Services.
Disable registry editing tools: Enabling this policy disables the Windows registry editors, Regedt32.exe and Regedit.exe. See the "Run only allowed Windows" applications policy for more information.
Run only allowed Windows applications: If you enable this policy, you can control and limit the programs users run that are started by the Windows Explorer process by creating a List of Allowed Applications. After you enable this policy, the system allow users to run only programs you have entered from your approved list.
Don't run specified Windows applications: If you enable this policy, you can prevent users from running programs that are started by the Windows Explorer process by creating a List of Allowed Applications. After you enable this policy, the system allows users to run only programs you have entered from your approved list.
Disable Autoplay: Enabling this feature disables Autoplay. As a result, setup files for programs and the music on audio media don't start immediately; users have to start the setup files themselves. Note that this policy appears in both the Computer Configuration and User Configuration folders, but the Computer Configuration folder takes precedence.
Download missing COM components: If you enable this policy, your system searches the Active Directory for all missing Component Object Model (COM) components a program requires. Enabling this policy may cause programs to start or run slower, but the programs won't suffer impaired functionality or stop functioning as a result of missing COM components.

A.1.6.1 Logon/Logoff

User Configuration\Administrative Templates\System\Logon/Logoff

Disable Task Manager: Controls the Task Manager. If you enable this policy, users can't use the Task Manager. The Task Manager's many functions include allowing users to start and stop programs.
Disable Lock Computer: When you enable this policy, users can't lock the system.
Disable Change Password: When you enable this policy, users can't change their passwords on demand. Users can still change their passwords when prompted by the system.
Disable Logoff: When you enable this policy, users can't log off the system using any method.
Run logon scripts synchronously: Enabling this policy ensures that logon script processing is complete before the user starts working. If you enable this policy, the system waits for the logon scripts to finish running before it starts the Windows Explorer interface program and creates the desktop. Keep in mind that this policy can delay the appearance of the desktop.
Run legacy logon scripts hidden: Enabling this policy ensures that the instructions in logon scripts written for Windows NT 4.0 and earlier are hidden from users. By default, these scripts run in a command window. This policy is recommended for beginning users.
Run logon scripts visible: Enabling this policy ensures that the instructions in logon scripts written for Windows NT 4.0 and earlier run in a command window for users. This policy is recommended for advanced users.
Run logoff scripts visible: Enabling this policy ensures that logoff scripts run in a command window for users. This policy is recommended for advanced users.
Connect home directory to root of the share: Controls the definitions of the %HOMESHARE% and %HOMEPATH% environment variables. Enabling this policy ensures that the system uses the definitions for Windows NT. Disabling or not configuring this policy ensures that the system uses the definitions that come with Windows 2000.
Limit profile size: This policy allows you to determine the maximum size of a roaming user profile and the system's response when a roaming user profile reaches the maximum size. The maximum size of a roaming user profile is unlimited if you don't configure this policy.
Exclude directories in roaming profile: If you enable this policy, you can exclude folders normally included in the user's profile. The History, Local Settings, Temp, and Temporary Internet Files folders are excluded by default. Folders that you exclude aren't stored by the network server on which the profile resides and won't follow users to other computers.
Run these programs at user logon: Enabling this policy allows you to choose additional programs or documents that Windows 2000 starts automatically when a user logs on to the system. Note that this policy appears in both the Computer Configuration and User Configuration folders and, if both are configured, the Computer Configuration programs and documents starts first.
Disable the run once list: The system ignores the run-once list if you enable this policy. Note that this policy appears in both the Computer Configuration and User Configuration folders, but the Computer Configuration folder takes precedence.
Disable legacy run list: When you enable this policy, the system ignores any customized run lists for Windows NT 4.0 and earlier. Thus, the items on these legacy lists aren't started automatically by the system.

A.1.6.2 Group Policy

User Configuration\Administrative Templates\System\Group Policy

Group Policy refresh interval for users: Controls the background update rate for Group Policies in the User Configuration folder. Enabling this policy allows you to change the update rate from the default, which is an update in the background every 90 minutes, with a random offset of to 30 minutes.
Group Policy slow link detection: Enabling this policy allows you to define a slow connection for purposes of applying and updating Group Policy for your system. Connection speed is determined by the rate at which data is transferred from the domain controller providing a policy update to the computers in the group. After you define the slow connection speed, the system interprets a slow connection as one that exceeds your specification.
Group Policy domain controller selection: Enabling this policy allows you to choose which domain controller the Group Policy snap-in uses. You can choose from three options: Use the Primary Domain Controller, Inherit from the Active Directory Snap-ins, or Use any available domain controller. The Group Policy snap-in uses the domain controller designated as the PDC Operations Master for the domain by default if you disable or don't configure this policy.
Create new Group Policy object links disabled by default: This policy creates new Group Policy object links in the disabled state. You can then configure and test the new object links. If the links pass your testing, you can enable them to use on the system.
Enforce Show Policies Only: This policy stops administrators from viewing or using Group Policy preferences. Enabling this policy ensures that Group Policy displays only true policies; preferences aren't displayed.
Disable automatic update of ADM files: Controls the systems' ability to update the Administrative Templates source files automatically when you open Group Policy. If you enable this policy, you have to update the .adm files manually, because the system loads the .adm files you used the last time you ran Group Policy.