by MS
Note
Site restrictions don't prevent users from accessing unauthorized sites; they merely establish a different security level for these sites. To prevent users from accessing restricted sites, you need to configure a proxy server or firewall.
Additional Policies That Might Be Useful for Managing Internet Options
You'll find many policies for managing Internet Options under User Configuration\Administrative Templates\Windows Components\Internet Explorer. Key policies are summarized in Table 14-2. As you'll see when you examine the table, many of these policies are useful in preventing users from performing specific actions in Internet Explorer and for controlling Internet Explorer behavior.
Table 14-2: Additional Policies for Managing Internet Explorer
Policy Node | Policy Name | Description
– | Disable Internet Connection Wizard | Prevents users from running the New Connection Wizard.
– | Disable Changing Connection Settings | Prevents users from changing dial-up settings.
– | Disable Changing Proxy Settings | Prevents users from changing proxy server settings.
– | Turn Off Pop-Up Management | Prevents users from configuring pop-up options and hides related dialog boxes. This means pop-up manager controls, notifications, and dialog boxes do not appear when this option is enabled.
– | Pop-Up Allow List | When enabled, permits administrators to specify a list of sites that are permitted to use pop-ups regardless of Internet Explorer settings. Enabling this option and adding internal sites to the list is useful if these sites call the window.open() method in JavaScript or use similar methods to open windows.
– | Turn Off Crash Detection | Crash detection allows the browser to track add-ons that cause problems with browser stability. The user can then elect to disable unstable add-ons. By enabling this option, you turn off this browser feature.
– | Turn On Menu Bar By Default | Controls the display of the classic menu bar. By enabling this option, you turn on the menu bar by default.
– | Turn Off Managing Pop-Up Filter Level | Controls whether users can change the pop-up filter levels. By enabling this option, you prevent users from changing the pop-up filter level.
– | Do Not Allow Users To Enable Or Disable Add-Ons | Add-on management allows users to control whether browser add-ons are enabled or disabled. By enabling this option, you disable add-on management and prevent users from configuring the related settings.
Browser Menus | Hide Favorites Menu | Removes the Favorites menu from Internet Explorer, preventing users from accessing lists of favorites.
Internet Control Panel | Disable The Connections Page | Removes the Connections tab in the Internet Properties dialog box, preventing users from changing connection settings, proxy settings, and automatic configuration settings. Also prevents users from accessing the New Connection Wizard.
Internet Control Panel | Disable The Security Page | Removes the Security tab in the Internet Properties dialog box, preventing users from changing security settings.
Internet Control Panel | Disable The Programs Page | Removes the Programs tab in the Internet Properties dialog box, preventing users from changing the default Internet programs.
Internet Control Panel | Disable The Advanced Page | Removes the Advanced tab in the Internet Properties dialog box, preventing users from enabling advanced features.
Internet Control Panel | Prevent Ignoring Certificate Errors | Prevents users from browsing a site with an expired, revoked, or mismatched name certificate.
Internet Control Panel\Advanced Page | Allow Software To Run Or Install Even If The Signature Is Invalid | By default, downloaded files and other executables are prevented from running and installing if they have invalid signatures. By enabling this policy, you override the default setting and allow files with invalid signatures to be installed.
Internet Control Panel\Advanced Page | Allow Active Content From CDs To Run On User Machines | By default, users see a prompt that allows them to continue or cancel the running of the active content from a CD. By enabling this policy, you override the default setting and allow active content from CDs to run without prompting.
Persistence Behavior | File Size Limits For | Allows you to set size limits for cached dynamic files from each of the security zones. You can set per domain and per document limits.
Toolbars | Configure Toolbar Buttons | Specifies which buttons are enabled on the standard toolbar in Internet Explorer. If you enable this policy, you can specify whether a particular button is displayed by default or hidden.
Note
An en dash (–) in the policy node column indicates the policy is under User Configuration\Administrative Templates\Windows Components\Internet Explorer. A named entry in this column means the policy is located in a subnode of User Configuration\Administrative Templates\Windows Components\Internet Explorer.
You can easily enable one or more of these policies by double-clicking the policy, selecting Enabled, and then clicking OK. In some cases, you'll need to specify additional parameters, such as a file size limit or whether a button is active or inactive.
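To confirm that the security-relevant policies from Table 14-2 actually reached a user's profile, you can read the values they write to the registry. The script below is an added example, not part of the original text; the registry paths and value names are assumptions based on the Internet Explorer administrative template and should be checked against the template in use.

```powershell
# Added example, not from the book. Registry paths and value names are
# assumptions drawn from the Internet Explorer administrative template;
# confirm them against the template you deploy before relying on the result.
$ie  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer'
$ins = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Secure    = value that represents the restrictive setting.
# DefaultOk = $true when "not configured" already gives the restrictive behavior.
$checks = @(
    @{ Policy = 'Disable Changing Proxy Settings'; Path = "$ie\Control Panel"
       Name = 'Proxy'; Secure = 1; DefaultOk = $false },
    @{ Policy = 'Disable The Connections Page'; Path = "$ie\Control Panel"
       Name = 'ConnectionsTab'; Secure = 1; DefaultOk = $false },
    @{ Policy = 'Disable The Security Page'; Path = "$ie\Control Panel"
       Name = 'SecurityTab'; Secure = 1; DefaultOk = $false },
    @{ Policy = 'Prevent Ignoring Certificate Errors'; Path = $ins
       Name = 'PreventIgnoreCertErrors'; Secure = 1; DefaultOk = $false },
    @{ Policy = 'Allow Software To Run Or Install Even If The Signature Is Invalid'
       Path = "$ie\Download"; Name = 'RunInvalidSignatures'; Secure = 0; DefaultOk = $true }
)

function Get-PolicyState {
    param([hashtable]$Check)
    # A missing key or value means the policy is not configured for this user.
    $value = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($item) { $value = $item.($Check.Name) }

    if ($null -eq $value) {
        if ($Check.DefaultOk) { $state = 'OK (not configured)' }
        else { $state = 'REVIEW (not configured)' }
    } elseif ($value -eq $Check.Secure) {
        $state = 'OK'
    } else {
        $state = 'WEAK'
    }
    New-Object PSObject -Property @{ Policy = $Check.Policy; Value = $value; State = $state }
}

$checks | ForEach-Object { Get-PolicyState $_ } |
    Select-Object State, Value, Policy | Format-Table -AutoSize
```

A WEAK result on the invalid-signature policy means the default block on unsigned or badly signed downloads has been overridden for that user.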
Chapter 15: Optimizing Windows Vista
Many different aspects of Microsoft Windows Vista can be optimized. In this chapter, I'll focus on improving drive performance, enhancing data security, and improving computer security. You can improve drive performance by cleaning up temporary files, checking for disk errors, and defragmenting disks. You can enhance security by encrypting disks and their contents. You can also improve security by using Security Center, Windows Firewall, and Windows Defender.
Many other optimization techniques were discussed in previous chapters. As discussed in the "The Advanced Tab" section of Chapter 2, "Managing Windows Vista Systems," you can improve the performance of the operating system by optimizing processor scheduling, appropriately configuring memory management, and removing graphics-intensive features from the menu system. You can also improve Windows Vista performance by reducing the number of operating system components, processes, and services running on the computer as discussed in the "Adding and Removing Windows Features" section of Chapter 5, "Installing and Maintaining Programs." When you remove unneeded system components, the processes and services used by those components are also removed.
Applications running at startup can also use system resources. Startup applications that aren't required should be disabled or removed as discussed in the "Managing Startup and Running Programs with Software Explorer" section of Chapter 5. Removing or disabling unneeded startup applications can speed up startup and logon, and it can also free system memory so it can be used for other applications and operating system components.
Optimizing and Safeguarding Disk Drives
Windows Vista makes extensive use of disk drives during startup and normal operations. You can often dramatically improve operating system and application performance by optimizing a computer's disk drives. You should focus on disk space usage, disk errors, and disk fragmentation. You might also want to compress data to reduce the space used by data files, freeing up space for additional files.
Data security is also an important aspect to consider when optimizing disk drives. The organization's data should be protected and stored in the most secure form possible. With this in mind, you might want to consider converting file allocation table (FAT16 or FAT32) drives to NTFS file system (NTFS) as discussed in the "Converting a Volume to NTFS" section in Chapter 9, "Managing Disk Drives and File Systems." Such a conversion enables you to take advantage of the Windows Vista user and group security features and, once the conversion is done, to encrypt drive data. Data encryption prevents unauthorized users from accessing important files.
Note
Disk maintenance tools, such as Disk Cleanup, Check Disk, and Disk Defragmenter, take advantage of new resource prioritization features in Windows Vista, as discussed in the "Understanding and Using Windows SuperFetch" section of Chapter 9. These changes enable these tools to run in the background and to take advantage of system idle time while running. As a result, users get a consistently good performance level even when background maintenance tasks are running.
Reducing Disk Space Usage
You should closely monitor disk space usage on all system drives. As drives begin to fill up, their performance and the performance of the operating system as a whole can be reduced, particularly if the system runs low on space for storing virtual memory or temporary files. One way to reduce disk space usage is to use the Disk Cleanup tool to remove unnecessary files and compress old files. For details on using this tool, see the "Working with Disk Cleanup" section in Chapter 2. To eliminate the need to remind users to run Disk Cleanup, you can schedule Disk Cleanup to run regularly as discussed in the "Scheduling Maintenance Tasks" section of Chapter 16, "Supporting and Troubleshooting Windows Vista."
Checking for Disk Errors
You should periodically use the Check Disk tool to check the integrity of disks. Check Disk examines disks and can correct many types of common errors on FAT16, FAT32, and NTFS drives. One of the ways Check Disk locates errors is by comparing the volume bitmap with the disk sectors assigned to files in the file system. Check Disk can't repair corrupted data within files that appear to be structurally intact, however. You can run Check Disk from the command line or through a graphical interface.
Running Check Disk from the Command Line
You can run Check Disk from an elevated command prompt or within other tools. At the elevated command prompt, you can test the integrity of drive C by typing the following command:
chkdsk C:
Check Disk then performs an analysis of the disk and returns a status message regarding any problems it encounters. Without specifying further options, Check Disk won't repair problems, however. To find and repair errors on drive C, use this command:
chkdsk /f C:
When you use this command, Check Disk performs an analysis of the disk and then repairs any errors found, provided that the disk isn't in use. If the disk is in use, Check Disk displays a prompt that asks whether you want to schedule the disk to be checked the next time you restart the system. Click Yes to schedule this check.
The complete syntax for Check Disk is as follows:
CHKDSK [volume[[path]filename]] [/F] [/V] [/R] [/X] [/I] [/C] [/L[:size]]
The options and switches for Check Disk are used as follows:
Volume Sets the volume to work with
filename (FAT16 and FAT32 only) Specifies files to check for fragmentation
/F Fixes errors on the disk
/V On FAT16 and FAT32, displays the full path and name of every file on the disk; on NTFS, displays cleanup messages if any
/R Locates bad sectors and recovers readable information (implies /F)
/L:size (NTFS only) Sets the log file size
/X Forces the volume to dismount first if necessary (implies /F)
/I (NTFS only) Performs a minimum check of index entries
/C (NTFS only) Skips checking of cycles within the folder structure
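The read-only form of the command shown above can be run across every local fixed volume and its exit code interpreted, which is useful for routine integrity monitoring. This script is an added example, not part of the original text; the exit-code meanings are those documented for chkdsk, and the function name Test-Volume is hypothetical.

```powershell
# Added example, not from the book: read-only Check Disk pass over each local
# fixed volume. Run from an elevated prompt. No /F is passed, so nothing is
# repaired and an in-use volume is not scheduled for a check at restart.
$meaning = @{
    0 = 'No errors found'
    1 = 'Errors found and fixed'
    2 = 'Cleanup performed, or skipped because /F was not specified'
    3 = 'Could not check the disk, or errors left unfixed because /F was not specified'
}

function Test-Volume {
    param([string]$Drive)   # for example 'C:'
    # Capture the report text so only the summary object is emitted.
    $report = & chkdsk.exe $Drive 2>&1
    $code = $LASTEXITCODE
    if ($meaning.ContainsKey($code)) { $text = $meaning[$code] }
    else { $text = 'Unrecognized exit code' }
    New-Object PSObject -Property @{
        Drive       = $Drive
        ExitCode    = $code
        Result      = $text
        NeedsRepair = ($code -ge 2)   # follow up with chkdsk /f on this drive
        ReportLines = @($report).Count
    }
}

# DriveType 3 is a local fixed disk in Win32_LogicalDisk.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
    ForEach-Object { Test-Volume $_.DeviceID } |
    Select-Object Drive, ExitCode, NeedsRepair, Result |
    Format-Table -AutoSize
```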
Running Check Disk Interactively
You can also run Check Disk interactively using Windows Explorer. To use Windows Explorer to check disk drives on the local computer, follow these steps:
Click Start and then click Computer. Under Hard Disk Drives, right-click a drive and then select Properties.
On the Tools tab, click Check Now. This displays the Check Disk dialog box, shown in Figure 15-1.
Figure 15-1: Check Disk is available by clicking Check Now in the Properties dialog box. Use it to check a disk for errors and repair them.
To check for errors without repairing them, click Start without selecting either of the check boxes in the Check Disk dialog box.
To check for errors and attempt to resolve them, select either or both of the following options and then click Start.
- Automatically Fix File System Errors: Determines whether Windows Vista repairs file system errors it finds
- Scan For And Attempt Recovery Of Bad Sectors: Determines whether Windows Vista checks for bad sectors and attempts to recover readable information from them
If the disk is in use, Check Disk displays a prompt that asks whether you want to schedule the disk to be checked the next time you restart the system. Click Yes to schedule this check.
When Check Disk finishes analyzing and repairing the disk, click OK.
Defragmenting Disks
Whenever you add files to or remove files from a drive, the data on the drive can become fragmented. When a drive is fragmented, large files can't be written to a single contiguous area on the disk, and the operating system often must write a single large file to several smaller areas on the disk. This can increase the write time as well as the read time for files. To reduce fragmentation, Windows Vista automatically defragments disks periodically using Disk Defragmenter. You can modify the automatic defragmentation schedule or defragment disks manually as discussed in the sections that follow.
Modifying or Cancelling Automated Defragmentation
By default, Windows Vista runs Disk Defragmenter automatically at 4:00 A.M. every Sunday. As long as the computer is on at the scheduled run time, automatic defragmentation will occur. You can cancel automated defragmentation or modify the defragmentation schedule by following these steps:
Click Start and then click Computer. Under Hard Disk Drives, right-click a drive and then select Properties.
On the Tools tab, click Defragment Now. This displays the Disk Defragmenter dialog box, shown in Figure 15-2.
Figure 15-2: Disk Defragmenter analyzes and defragments disks efficiently. The more frequently data is updated on drives, the more often you should run this tool.
To cancel automated defragmentation, clear Run Automatically and then click OK twice. Skip the remaining steps.
To modify the defragmentation schedule, click Modify Schedule. Use the Modify Schedule dialog box, shown in Figure 15-3, to set the desired run schedule.
Figure 15-3: Set the desired run schedule for automated defragmentation.
Use the options provided to set the desired run schedule for automated defragmentation. The How Often selection list enables you to choose Daily, Weekly, or Monthly as the run schedule. If you choose a weekly or monthly run schedule, you'll need to set the run day of the week or month using the What Day selection list. Finally, the What Time selection list lets you set the time of the day that automated defragmentation should occur.
Click OK twice to save your settings.
Performing Defragmentation Manually
You can manually defragment a disk by completing the following steps:
Click Start and then click Computer. Under Hard Disk Drives, right-click a drive and then select Properties.
On the Tools tab, click Defragment Now.
In the Disk Defragmenter dialog box, click Defragment Now.
Note
Depending on the size of the disk, defragmentation can take several hours. You can click Cancel Defragmentation at any time to stop defragmentation.
Compressing Drives and Data
When you format a drive for NTFS, Windows Vista allows you to turn on the built-in compression feature. With compression, all files and folders stored on a drive are automatically compressed when created. Because this compression is transparent to users, compressed data can be accessed just like regular data can. The difference is that you can store more information on a compressed drive than you can on an uncompressed drive—at a slight cost to performance, because compressing and decompressing data requires processing power and memory.
Note
You cannot compress encrypted data. If you try to do so, Windows Vista automatically decrypts the data and then compresses it. Likewise, if you try to encrypt compressed data, Windows Vista uncompresses the data and then encrypts it.
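Because compressing an encrypted file leaves it decrypted, a folder that is supposed to hold only encrypted data is worth auditing after any compression change. The script below is an added example, not part of the original text; the function name and the default folder path are hypothetical.

```powershell
# Added example, not from the book: list files under a folder that is expected
# to be encrypted but are not, and mark those that carry the Compressed
# attribute (the likely reason the encryption was removed).
# 'C:\Confidential' is a hypothetical path; pass the folder you want to audit.
function Find-UnencryptedFile {
    param([string]$Root = 'C:\Confidential')

    $encrypted  = [int][System.IO.FileAttributes]::Encrypted
    $compressed = [int][System.IO.FileAttributes]::Compressed

    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # Files only, and only those without the Encrypted attribute.
            (-not $_.PSIsContainer) -and
            (([int]$_.Attributes -band $encrypted) -eq 0)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path       = $_.FullName
                Compressed = (([int]$_.Attributes -band $compressed) -ne 0)
                Modified   = $_.LastWriteTime
            }
        }
}

# Compressed files first, since those are the ones the Note above describes.
Find-UnencryptedFile |
    Sort-Object Compressed -Descending |
    Select-Object Compressed, Modified, Path |
    Format-Table -AutoSize
```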
Compressing Drives
To compress a drive and all its contents, complete these steps:
In Windows Explorer or Disk Management, right-click the drive that you want to compress and then select Properties.
On the General tab, select Compress Drive To Save Disk Space and then click OK.
When prompted, specify whether you want to compress only the root folder of the drive or the entire drive. To compress the drive's root folder only, select Apply Changes To Drive…Only. To compress the drive's root folder, subfolders, and files, select Apply Changes To Drive…, Subfolders And Files.
Click OK.
Compressing Files and Folders
If you decide not to compress an entire drive, Windows Vista lets you selectively compress files and folders. To compress a file or folder, complete these steps:
In Windows Explorer, right-click the file or folder that you want to compress and then select Properties.
On the General tab of the related property dialog box, click Advanced. In the Advanced Attributes dialog box, select the Compress Contents To Save Disk Space check box.
Click OK. For an individual file, Windows Vista marks the file as compressed and then compresses it. For a folder, Windows Vista marks the folder as compressed and then compresses all the files in it. If the folder contains subfolders, Windows Vista displays the Confirm Attribute Changes dialog box, which allows you to compress all the subfolders associated with the folder. Simply select Apply Changes To This Folder, Subfolders And Files and then click OK. Once you compress a folder, any new files added or copied to the folder are compressed automatically.