Block launching desktop programs associated with a protocol This policy setting allows you to minimize the risk involved when an app launches the default program for a protocol. Because desktop programs run at a higher integrity level than apps, there is a risk that a protocol launched by an app could compromise the system by launching a desktop program. If you enable this policy setting, Windows prevents apps from launching protocols that would be passed to a desktop program. When you enable this policy setting, apps may only launch protocols that can be passed to another app. If you disable or do not configure this policy setting, apps could launch protocols that would be passed to a desktop program. Note: Enabling this policy setting will not block apps from launching http, https, and mailto protocols that would be passed to a desktop program. The handlers for these protocols are accustomed to handling data from untrusted sources and are therefore hardened against protocol based vulnerabilities. The risk of allowing these protocols to be passed to a desktop program is minimal.

(1) GPO: User Configuration\Administrative Templates\Windows Components\App runtime!Block launching desktop programs associated with a protocol (2) REG: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!BlockProtocolElevation