1.5 Configure 'Do not allow users to enable or disable add-ons'

Information




This policy setting allows you to manage whether users have the ability to allow or deny
add-ons through Add-On Manager. If you enable this policy setting, users cannot enable or
disable add-ons through Add-On Manager. The only exception occurs if an add-on has been
specifically entered into the 'Add-On List' policy setting in such a way as to allow users to
continue to manage the add-on. In this case, the user can still manage the add-on through
the Add-On Manager. If you disable or do not configure this policy setting, the appropriate
controls in the Add-On Manager will be available to the user. Configure this setting in a
manner that is consistent with security and operational requirements of your organization.

*Rationale*

Users often choose to install add-ons that are not permitted by an organization's security
policy. Such add-ons can pose a significant security and privacy risk to your network.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to
Not Configured.

Computer Configuration\Administrative Templates\Windows Components\Internet
Explorer\Do not allow users to enable or disable add-ons

Impact-When the Do not allow users to enable or disable add-ons setting is enabled, users will not
be able to enable or disable their own Internet Explorer add-ons. If your organization uses
add-ons, this configuration may affect their ability to work.

Default Value-Disabled

See Also

https://workbench.cisecurity.org/files/1518

Item Details

Audit Name: CIS IE 11 v1.0.0

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Windows

Control ID: 1a6040413d0f2db083278b97d68b24e391439f97e99e4b792ad1ff4546cb2816