Overview: You have probably run into the following popup when using Internet Explorer add-ons and extensions:
In this example, I clicked a link in an Internet web page that pointed to an XPS file. The prompt appears because Internet Explorer is running in Protected Mode and is trying to open an application or extension outside of Protected Mode.
The IE behavior regarding this prompt is governed by the following registry keys:
You can check more details at http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx and http://blogs.msdn.com/b/ieinternals/archive/2009/12/01/understanding-internet-explorer-security-protected-mode-elevation-dialog.aspx
If an administrator wants to deploy specific Protected Mode prompts for specific applications, they can do two things:
Managing Elevation Policy through Group Policy: Using the Group Policy infrastructure, you can change the Protected Mode behavior to, for example, always prompt before allowing an extension to run. Notice the greyed-out checkbox: it prevents the user from checking it and overriding the prompt.
In the same manner, you can use Group Policy to hide prompts for trusted applications automagically. If you are deploying an application (e.g. Microsoft Office Live Meeting), you can have it run transparently through Protected Mode whenever it gets deployed to the managed desktop computer, without bothering the user with the security warning.
The problem here is that neither Windows Vista nor Windows 7 (nor their server counterparts) includes an Administrative Template to manage these settings out of the box. http://support.microsoft.com/kb/918239 provides some guidance and templates to manage these settings. However, the provided ADM/ADMX files are not perfect. This is how it looks in GPEditor:
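Before suppressing or forcing prompts through Group Policy, it helps to see which elevation policy entries a machine already has. The following PowerShell is an added example, not part of the original post or its ADMX files; the registry path and the Policy value meanings are taken from Microsoft's Protected Mode documentation linked above, and the function name `Get-ElevationPolicy` is hypothetical.

```powershell
# Added example: list Protected Mode elevation policy entries on this machine.
# Key path and Policy meanings come from Microsoft's Protected Mode
# documentation, not from this post. Get-ElevationPolicy is a hypothetical name.
$PolicyMeaning = @{
    0 = 'Blocked: Protected Mode prevents the launch'
    1 = 'Silent launch at low integrity'
    2 = 'Prompt: user must approve the launch'
    3 = 'Silent launch at medium integrity (no prompt)'
}

function Get-ElevationPolicy {
    param(
        # Default roots are the machine-wide and per-user policy locations.
        [string[]]$Root = @(
            'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
            'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
        )
    )
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $r) {
            $v = Get-ItemProperty -LiteralPath $key.PSPath
            # Entries without a Policy value are reported, not guessed at.
            $meaning = 'No Policy value set'
            if ($null -ne $v.Policy) {
                $meaning = $PolicyMeaning[[int]$v.Policy]
                if (-not $meaning) { $meaning = 'Unrecognized value' }
            }
            # Executable entries carry AppName/AppPath; COM entries use CLSID.
            $target = $null
            if ($v.AppName -and $v.AppPath) {
                $dir = [Environment]::ExpandEnvironmentVariables($v.AppPath)
                $target = [System.IO.Path]::Combine($dir, $v.AppName)
            }
            [pscustomobject]@{
                Hive         = $r.Substring(0, 4)   # 'HKLM' or 'HKCU'
                EntryGuid    = $key.PSChildName
                Target       = $target
                TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
                Clsid        = $v.CLSID
                Policy       = $v.Policy
                Meaning      = $meaning
            }
        }
    }
}

# Entries that start without any prompt sort first, since those deserve review.
Get-ElevationPolicy | Sort-Object Policy -Descending |
    Format-Table Hive, EntryGuid, Policy, Meaning, Target, TargetExists -AutoSize
```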
The problems of this ADMX include:
So I decided to give ADMX creation a try, and ended up with the following:
The advantages of this custom ADMX include:
Here are the ADMX files. Just copy the ADMX to “%SystemRoot%\PolicyDefinitions” and the ADML to “%SystemRoot%\PolicyDefinitions\en-US”, or place them in the Central Store.