Registry Entries For Deploying Xpsp2

[HickoryShade]

This is an office debate that is currently being played out. It all has to do with disabling the Security Center, Firewall, Antivirus & Securing IE6

On the one side of the debate the mindset is to run only the following registry entries:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]

"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

"EnableFirewall"=dword:00000000

On the other side of the coin the mindset is to run these registry entries:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]

"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

"EnableFirewall"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

"CurrentLevel"=dword:00010500

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

"CurrentLevel"=dword:00010000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

"CurrentLevel"=dword:00011000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

"CurrentLevel"=dword:00012000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InformationBar]

"FirstTime"=dword:00000000

Are there any added benefits with running the additional registry entries? What side do you fall on if the objective is to disable the Security Center, Firewall, Antivirus & Secure IE6?

[Yzöwl]

If the security center service is disabled, then there is no benefit in disabling messages which should not come up due to the disabled service.

As for the zones settings, they have no bearing on security center. On my machines I set the RecommendedLevels for example to 0x00012000 (High), and the MinLevel to 0x00011000 (Medium), but the CurrentLevel is usually 0x00000000. This is because I manually configure each of the Values to my preferred settings first.

Out of the two, I would therefore go for the former rather than the latter.