6.2 Basic Policies
Basic policies are used to regulate operations on networked computers, restricting clients from making unauthorized changes to system settings. This prevents accidental or malicious damage and enhances overall computer security.
Basic policies primarily work by modifying registry values. Unlike device control or other real-time trigger policies, basic policies are state-based, meaning changes or deletions are handled differently from other types of policies.
Supported items under basic policies include: Control Panel, Computer Management, System, Network, IP/MAC Binding, and ActiveX Controls.
Control Panel Items:
| Basic Policy Item |
Description |
| Control Panel |
Includes all functions available in the Windows Control Panel. |
| Set Display Properties |
Restricts clients from changing desktop settings, screen savers, and desktop appearance. |
| Add Printer |
Prevents clients from adding printers. |
| Delete Printer |
Prevents clients from removing printers. |
| Fast User Switching |
Disables simultaneous login of multiple users via Windows fast user switching (Windows XP only). |
| Rename Computer |
Prevents clients from changing the computer name. |
Computer Management includes the following five items:
| Basic Policy Item |
Description |
| Device Manager |
Restricts clients from using Device Manager. |
| Disk Management |
Restricts clients from using Disk Management. |
| Local Users and Groups |
Restricts clients from accessing Local Users and Groups in the Control Panel. |
| System Services Management |
Restricts clients from managing system services. |
| Other Computer Management |
Restricts access to Computer Management tools, Event Viewer, Disk Defragmenter, and Shared Folders. |
The System category includes the following five items:
| Basic Policy Item |
Description |
| Task Manager |
Restricts clients from using Task Manager. |
| Registry Editor |
Restricts clients from accessing the Windows Registry. |
| Command Prompt |
Restricts clients from using the command prompt (Command.exe in Windows 9x, CMD.exe in Windows NT and later). |
| Run Programs in Registry 'Run' |
If set to Deny, programs under the 'Run' key will not start at system boot. A logout or restart is required to take effect. |
| Run Programs in Registry 'RunOnce' |
If set to Deny, programs under the 'RunOnce' key will not execute on the next boot. A logout or restart is required to take effect. |
The Network category includes the following six items:
| Basic Policy Item |
Description |
| Modify Network Properties |
Restricts clients from changing network properties. |
| Show "Network Neighborhood" |
If set to Deny, the "Network Neighborhood" icon on the desktop will be hidden; a logout or restart is required to take effect. |
| Modify Internet Options |
Restricts clients from changing Internet Options settings. |
| Default Network Shares |
If set to Deny, default network shares on the client are disabled. |
| Use Network Shares |
If set to Deny, clients cannot access shared documents. |
| Add Network Shares |
If set to Deny, clients cannot create new network shares. |
IP/MAC Binding
| Basic Policy Item |
Description |
| Modify Network IP/MAC |
Restricts clients from changing network IP or MAC settings. Once enabled, the client's current IP and MAC are saved, and any unauthorized changes are immediately reverted. To modify the IP, this policy must first be disabled. |
The ActiveX Controls category includes the following four types:
| Basic Policy Item |
Description |
| Chat ActiveX Controls |
Restricts clients from using chat-related ActiveX controls. Users are blocked from using chat functions. |
| Media ActiveX Controls |
Restricts clients from using media-related ActiveX controls, typically required for online music or video playback. Blocking this prevents media playback. |
| Game ActiveX Controls |
Restricts clients from using game-related ActiveX controls, which are required by some online games. Blocking this prevents such games from running. |
| Flash ActiveX Controls |
Restricts clients from using Flash-related ActiveX controls, preventing playback of Flash files. |
Others
| Basic Policy Item |
Description |
| System Restore |
Prevents clients from using System Restore, stopping them from uninstalling the client via restore points. |
| Use Print Screen Key |
Disables the Print Screen key to prevent clients from capturing screen content, reducing data leakage risks. |
| Windows Automatic Updates |
Disables Windows Automatic Updates on the client machine. |
Policy Example
Suppose your requirement is to prevent IP address changes while at the office but allow changes when working from home or on business trips. An administrator can configure basic policies for the target computers (e.g., the entire network) as follows:
- Set a policy to Deny modification of IP/MAC properties.
- Set an Offline-Only policy to Allow modification of IP/MAC properties.
According to the policy matching rules, the most recently added policy takes precedence. When the client is offline, the offline policy matches first, allowing IP/MAC changes. When online, the offline policy does not match, so the system evaluates the next policy. If conditions are met, the first policy applies, denying any IP/MAC changes.
Note:
- Basic policies affecting network IP/MAC configuration, System Restore, and network sharing apply to computers, not individual users.
Don't see what you're looking for?
