Exam ADM-201 topic 1 question 181 discussion

B. is a valid answer https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/login_ip_ranges.htm#:~:text=You%20can%20further%20restrict%20access,that%20have%20login%20IP%20restrictions. To restrict IP addresses in profiles: From Setup, in the Quick Find box, enter Profiles, and then select Profiles. Depending on which user interface you're using, do one of the following: In the enhanced profile user interface, click Login IP Ranges, and then click Add IP ranges. In the original profile user interface, scroll down to the Login IP Ranges related list, and then click New. Specify allowed IP addresses for the profile. Enter a valid IP address in the IP Start Address field and a higher-numbered IP address in the IP End Address field. To allow logins from a single IP address, enter the same address in both fields. The IP addresses in a range must be either IPv4 or IPv6. ...

By default, Salesforce doesn’t restrict the time for login access. For additional security, only administrators can restrict it. Restricting login access by time can only be achieved at the PROFILE level. For each profile, administrators can specify the hours when users can log in.

A & C are correct

Org wide IP restrictions do NOT restrict access to the org. Only Profile IP restrictions, and Profile login hours do. Org wide has Trusted IP ranges that will require anyone not within the trusted range to authenticate that they are who they say they are before logging into the org. If their IP address is on the trusted list then they will never receive a login challange.