Differences between Proactive & Internet Security configs [v5]

Here is my understanding of how the Proactive configuration differs from the Internet Security configuration, based on version 5.9 of CIS. (Updates to 5.8 & 9 were created by experience, not a formal XML comparison, so some differences may be omitted.)

SUMMARY
In all modules, alert suppression settings are disabled by default. In Defense Plus, the Proactive configuration provides more protections than the Internet Security configuration, including protection against malware-initiated shutdown and program termination. In Safe Mode, execution of untrusted files will require your permission if the sandbox is turned off. In Paranoid Mode, execution of any executable will require your permission. In the firewall, outgoing connections by unrecognized files are set to ask by default, not allow.

DEFENSE PLUS DIFFERENCES
1. Additional protected items
COM Interfaces
Pseudo COM Interfaces - Privileges
Debug
Shutdown
Pseudo COM Interfaces - Ports
\RPC control\wzcsvc
Protected File (Group): Windows Sockets Interface

2. Rescinded permissions
All Applications Group cannot Terminate Process Of every file and device

3. Treatment differences
Explorer.exe is treated as a Trusted Application instead of a Windows System Application

4. Additional file group for use in protected item above
Windows Sockets Interface, which contains \device\nfd\endpoint and \device\nsi

5. Adaptive D+ behaviour under high system load is enabled

FIREWALL DIFFERENCES

  1. Outgoing connections by unrecognized files are not allowed by default; they are set to ask.

DIFFERENCES APPLICABLE TO ALL MODULES

  1. Alert suppression settings are disabled by default