Add info about port binding controls (Desktop 4.52) (#23737)

<!--Delete sections as needed -->

## Description

Adds information on the new port binding settings that are going into
Docker Desktop 4.52, including a brief description of how it works, and
information about settings management.

<!-- Tell us what you did and why -->

## Reviews

<!-- Notes for reviewers here -->
<!-- List applicable reviews (optionally @tag reviewers) -->

- [ ] Technical review
- [x] Editorial review
- [ ] Product review

---------

Co-authored-by: Allie Sadler <[email protected]>

Author: gavin-docker

content/manuals/desktop/features/networking/_index.md

@@ -61,7 +61,7 @@ For example, with `docker run -p 80:80 nginx`:
 - Inside the VM, the connection is routed to the container’s internal IP address and port, for example `172.17.0.2:80`.
 - The container responds through the same path, so you can access it from your host just like any other local service.
 
-By default, `docker run -p` listens on all network interfaces (`0.0.0.0`), but you can restrict it to a specific address, such as `127.0.0.1` (localhost) or a particular network adapter.
+By default, `docker run -p` listens on all network interfaces (`0.0.0.0`), but you can restrict it to a specific address, such as `127.0.0.1` (`localhost`) or a particular network adapter. This behavior can be modified to bind to `localhost` by default in [Docker Desktop's network settings](/manuals/desktop/settings-and-maintenance/settings.md#network)
 
 Host firewalls can permit or deny inbound connections by filtering on `com.docker.backend`.
 

content/manuals/desktop/settings-and-maintenance/settings.md

@@ -315,6 +315,8 @@ On Windows and Mac, you can also set the default networking mode and DNS resolut
 
 On Mac, you can also select the **Use kernel networking for UDP** setting. This lets you use a more efficient kernel networking path for UDP. This may not be compatible with your VPN software.
 
+You can also define the behavior of port bindings. By default Docker Desktop binds all ports on containers to `0.0.0.0` on the host, though this can be overridden by providing a specific IP. You can change this default behavior by changing the **Port binding behavior** setting, allowing you to either bind to `localhost` (`127.0.0.1`) by default, or only allow containers to bind to `localhost` under any circumstances, even if requested otherwise.
+
 ### WSL Integration
 
 On Windows in WSL 2 mode, you can configure which WSL 2 distributions will have the Docker
@@ -534,4 +536,4 @@ Use the **Docker Offload** tab to:
 - Toggle **Enable Docker Offload**. When enabled, you can start Offload sessions.
 - Select **Idle timeout**. This is the duration of time between no activity and Docker Offload entering idle mode.For
   details about idle timeout, see [Active and idle states](../../offload/configuration.md#understand-active-and-idle-states)
-- Check **Enable GPU support**. When enabled, workloads can use cloud GPU if available.
+- Check **Enable GPU support**. When enabled, workloads can use cloud GPU if available.

content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md

@@ -239,6 +239,10 @@ The following sample is an `admin-settings.json` file with common enterprise set
   "enableInferenceGPUVariant": {
     "locked": true,
     "value": true
+  },
+  "portBindingBehavior": {
+    "locked": true,
+    "value": "default-port-binding"
   }
 }
 ```
@@ -357,6 +361,7 @@ The following tables describe all available settings in the `admin-settings.json
 |:-------------------------------|---|:-------------------------------|---|
 | `defaultNetworkingMode` | Windows and Mac only | Defines the default IP protocol for new Docker networks: `dual-stack` (IPv4 + IPv6, default), `ipv4only`, or `ipv6only`. | Docker Desktop version 4.43 and later. |
 | `dnsInhibition` | Windows and Mac only | Controls DNS record filtering returned to containers. Options: `auto` (recommended), `ipv4`, `ipv6`, `none`| Docker Desktop version 4.43 and later. |
+| `portBindingBehavior` | Linux-based containers only | Defines port binding restrictions and default behavior, allowing admins to control how a user exposes ports from their containers. Options: `default-port-binding`, `default-local-port-binding`, `local-only-port-binding` | Docker Desktop version 4.52 and later. |
 
 For more information, see [Networking](/manuals/desktop/features/networking.md#networking-mode-and-dns-behaviour-for-mac-and-windows).