How do the Additional restrictions for anonymous connections and Network access: Do not allow anonymous enumeration of SAM accounts and shares policies impact each other when configured within the same Group Policy Object (GPO), and do those policies have anything to do with the Allow anonymous SID/name translation and Let Everyone permissions apply to anonymous users policies?

When you edit a GPO from a Windows 2000 computer, you'll see Additional restrictions for anonymous connections but not Network access: Do not allow anonymous enumeration of SAM accounts or Network access: Do not allow anonymous enumeration of SAM accounts and shares. On Windows Server 2003 and Windows XP, you'll see the two Network access policies but not Additional restrictions for anonymous connections. If you set Additional restrictions for anonymous connections to Do not allow enumeration of SAM accounts and shares or No access without explicit anonymous permissions, then view the same GPO from an XP or later computer, Network access: Do not allow anonymous enumeration of SAM accounts and shares will show up and will be enabled. If you set Additional restrictions for anonymous connections to None. Rely on default permissions, Network access: Do not allow anonymous enumeration of SAM accounts and shares will show up and will be disabled.

On the other hand, if you enable Network access: Do not allow anonymous enumeration of SAM accounts and shares, you're setting Additional restrictions for anonymous connections from the standpoint of Win2K computers to Do not allow anonymous enumeration of SAM accounts and shares. Disabling Network access: Do not allow anonymous enumeration of SAM accounts and shares has the effect of setting Additional restrictions for anonymous connections to None. Rely on default permissions.

Confused yet? In a nutshell, Additional restrictions for anonymous connections and Network access: Do not allow anonymous enumeration of SAM accounts and shares both set the RestrictAnonymous registry value for the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey. The three settings for Additional restrictions for anonymous connections correspond to RestrictAnonymous's three values: 0=None. Rely on default permissions; 1=Do not allow enumeration of SAM accounts and shares; and 2=No access without explicit anonymous permissions.

To disable Network access: Do not allow anonymous enumeration of SAM accounts and shares, specify 0 for RestrictAnonymous; to enable, specify 1 for RestrictAnonymous. The only way to set Restrict-Anonymous to 2 on Win2K computers is to edit the GPO from a Win2K computer and set Additional restrictions for anonymous connections to No access without explicit anonymous permissions.

When XP and later computers apply the policy, they'll set RestrictAnonymous to 1 because 2 doesn't apply to these computers. Instead, XP and Windows 2003 have three new values: Network access: Do not allow anonymous enumeration of SAM accounts (described in the first question and answer), Allow anonymous SID/name translation (discussed in "Access Denied: Controlling SAM Accounts and Shares," InstantDoc ID 42327), and Let Everyone permissions apply to anonymous users. This last policy, when disabled, prevents Windows from adding Everyone to the access token of anonymous connections at logon. If an anonymous user tries to access an object, the access token doesn't contain Everyone, and the permissions granted to Everyone won't apply. See "Access Denied: Preventing Anonymous Users from Gaining Access to Files and Other Resources," InstantDoc ID 24671, for additional background about the risks involving Everyone and anonymous connections.