Details
This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user.
The recommended state for this setting is: Disabled.
Rationale:
Suppressing the system warning can pose a security risk and increase the attack surface on the system.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsWindows InstallerPrevent Internet Explorer security prompt for Windows Installer scripts
Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
Impact:
None – this is the default behavior.
Default Value:
Disabled. (When a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation.)
References:
CCE-37524-6
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Windows.