The following settings can be used to control Internet Explorer tracking protection (Adblock):

Browser.IEAdBlockControls whether or not Internet Explorer tracking protection is enabled. The default is on.

Browser.IEAdBlockListLocation Allows you to specify a tracking protection list (TPL) file to use when Adblock for Internet Explorer is enabled. You can also use the Browser.IEAdBlockListUpdateIntervalsetting to set the interval (in days, 1 - 9999) between checking for and downloading updated TPL files. The default for this setting is 7.

Browser.IEAdBlockAddresses The list of domains on which Internet Explorer tracking protection is enabled. The default value *.* enables tracking protection for all sites.

Browser.IEAllowUnblockAds Allows users to enable or disable ad blocking for individual web sites using the context menu. The default setting is on.

For endpoints on intranets, trusted sites accessed using IP address can be configured to open on desktops. To do this, use the following settings:

Browser.TrustIntranetNetblocks = 1

Containment.EnableIntranetDetection = 1

Containment.ForceAppearOnIntranet = 0

Temporary Trust allows users to override the trust level of a web site for a single session in isolated Internet Explorer, Chromium, or Firefox browsers. It is activated when users right-click on an untrusted web page and select the Temporary Trust option from the context menu.

To enable this feature, apply the following settings to the policy:

Browser.TemporaryTrust.Mode

0 = Feature disabled (default)

1 = Request mode; user types reason and submits request for trust

2 = User can trust sites but must first enter a reason

3 = User can trust sites without entering a reason

Browser.TemporaryTrust.RequireUAC

ON = Require UAC prompt before trusting (default)

Browser.TemporaryTrust.PromptText

Custom text is shown when users temporarily trust a site. The default is blank, in which case an internationalized default is used.

Browser.TemporaryTrust.RequestPromptText

Custom text is shown when users request trust for a site The default is blank, in which case internationalized default is used.

Browser.TemporaryTrust.BlockedSites

List of sites for which the temporary trust workflow is blocked.

Controls support for websites requiring certificate-based authentication. Must be used with Browser.EnableClientCertAuth.

0 - Off

1 - On (default)

By default, when turned on, certificate-based authentication is allowed only for sites listed as intranet and SaaS.

You can configure isolation to block downloads from all websites in Internet Explorer and allow downloads from specific addresses. By default, downloads are allowed (0) from all websites. To block downloads, use the following setting:

Browser.BlockDownloads = 1

To allow downloads from a specific address, use the setting:

Browser.BlockedDownloadAddresses = <address>

Separate multiple addresses with commas.

Users are prompted with a message if a download is attempted from a blocked website.

Isolation opens untrusted web pages using the default browser. If you have multiple web browsers on a system, such as both Firefox and Internet Explorer, configure a supported browser as the default browser to ensure that websites open securely in a supported browser or prompt the user to select the browser.

0 - Skip this check and use the current default browser

1 - Set the default browser to Internet Explorer

2 - Prompt the user to select a browser

print - Display the current value

-1- Auto detect and enable protection for Chrome on endpoints that have Chrome installed

Isolation must be reinitialized after enabling this setting.

Controls which Chrome extensions to blacklist. Ensure that Browser.ChromeExtensionsEnabled=1.

To blacklist extensions, set the following:

Browser.ChromeExtensionsBlackList=<extension 
ID>

To view extension IDs:

1. Open a Chrome browser.
2. Go to chrome://extensions/
3. Check the Developer Mode box.
   The ID is listed in the extension details.

0 - Chrome extensions are off

1 - Chrome extensions are on

Controls which Chrome extensions to whitelist. Ensure that Browser.ChromeExtensionsEnabled=1.

To whitelist all extensions, set the following:

Browser.ChromeExtensionsWhiteList=*

To whitelist specific extensions, set the following:

Browser.ChromeExtensionsWhiteList=extension 
IDs to whitelist

To get an extension ID, follow the steps described in the Browser.ChromeExtensionsBlacklist description.

Determines whether or not you need to specify a location for individual file downloads in Chrome. Use one of the following values:

0 - off

1 - on

This setting is on by default.

Specifies corporate cloud /SaaS sites that you want to protect. These websites still open in micro-VMs, but they are invisible to other micro-VMs that are not in this list.

Add sites using domain wildcard notation, for example:

*://*.domain.com

add *://*.domain.com - Add a DNS name

del *://*.domain.com - Delete a DNS name

print - Display the current value

Controls access to cookies of a specific website from a different website. For example, if you browse to abc.com, it can request cookies set by xyz.com. While this is normal browser functionality, it can have security implications.

0 - No cookies from other domains may be accessed by the current website

1 - Persistent cookies from other domains may be accessed but access is blocked to session cookies, which usually contain sensitive information. (Recommended.)

2 - All cookies from other domains may be accessed by the current website

print - Display the current value

Controls support for websites requiring certificate-based authentication. Must be used with Browser.AllowClientCertAuthFromAllVMs.

0 - Off

1 - On (default)

By default, when turned on, certificate-based authentication is allowed only for sites listed as intranet and SaaS.

1- Auto detect and enable protection for Internet Explorer on endpoints that have Internet Explorer installed

Note: Isolation must be reinitialized after enabling Internet Explorer protection.

Allows you to enable Flash on domains present in Browser.IEFlashBlockAddresses and then disable it again from the context menu. The options available are:

1 - Off. Flash is not available in the context menu

0 and the domain is present in Browser.IEFlashBlockAddresses - Users can right-click to enable Flash and are permitted to disable Flash

By default, SmartScreen is on. To disable it, use the value 0.

On Windows 8.1, isolation does not protect web browsing sessions open in the Metro version of Internet Explorer. Isolation can be configured to either block browsing in Metro Internet Explorer or to allow native browsing in Metro Internet Explorer (default behavior.) The desktop Internet Explorer will be protected in the same way as Windows 7. To change the behavior, use the following configuration:

0 - Allow native browsing in Metro Internet Explorer (default)

1 - Block browsing in Metro Internet Explorer

Controls persistent caching in Internet Explorer.

0 - Disabled (default)

1 - Enabled

Specifies a list of intranet DNS or network zones for your enterprise. Untrusted web pages and documents opened in micro-VMs will not have network access to the intranet. Do not remove the default localhost entry.

Bromium recommends entering both the DNS zone and Netblocks for the intranet because both are required to isolate the intranet from micro-VMs running untrusted content.

Add sites using domain wildcard notation, for example:

*.domain.com
1.2.3.0/2

print - Display the current value.

Controls how associated sites are isolated so you can maximize user privacy without breaking cross-site dependencies.

0 - Unrestricted: associated sites are isolated together.

1 - Restricted: sites that explicitly trust each other are isolated together.

2 - Strict: all sites are mutually isolated.

print - Display the current value.

Specifies which websites open natively without isolation. Bromium pre-populates this list with the sites Microsoft uses to deliver software updates. Use this list to allow applications, such as screen sharing software, native access to systems in order to run plugins, and so on.

Add sites using domain wildcard notation, for example:

*://*.domain.com

add *://*.domain.com - Add a DNS name

del *://*.domain.com - Delete a DNS name

print - Display the current value

Controls whether or not to mark sites listed in the Trusted Corporate/Intranet Sites list as trusted, thereby disabling isolation for these sites and opening them natively. This permits these sites to deliver custom ActiveX plugins and other code requiring native access to Bromium endpoints.

0 - Trust only the intranet sites specified in the configuration

1 - Trust websites located on the Intranet, as specified in Browser.IntranetSites

print - Display the current value

Controls whether to include the sites specified in Internet Explorer Trusted Sites and Intranet sites in the list of trusted sites. Web contents and downloads from trusted sites run on the main Windows desktop and are unprotected by isolation.

0 - Do not allow sites listed in Internet Explorer Intranet and Trusted Zones to be opened without isolation

1 - Allow sites listed in Internet Explorer Intranet and Trusted Zones be opened natively without isolation

print - Display the current value

The network isolation setting controls whether or not network isolation is used, and the if the Intranet, Cloud\SaaS, Associated Sites, and the Advanced tabs are displayed in the Desktop Console. The network containment setting is off by default for standalone installs.

1- On

0- Off (default)