Internet Explorer Security Zones

Internet Explorer security zone settings are stored in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings. By default, security zone settings are stored in HKCU, so the settings for one user do not affect the settings for another. The Internet Settings key has the following subkeys:

  • TemplatePolicies

  • ZoneMap

  • Zones

If the Security Zones: Use only machine settings Group Policy setting is enabled, or if the Security_HKLM_only REG_DWORD value is present and set to 1 in HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, only local computer settings are used and all users have the same security settings. With the Security_HKLM_only policy enabled, Internet Explorer uses the HKLM values, but the HKCU values are still displayed in the zone settings on the Security tab in Internet Explorer. This is by design and there are no plans to change this functionality. If the Security Zones: Use only machine settings setting is not enabled in Group Policy, or if the Security_HKLM_only REG_DWORD value does not exist or is set to 0, computer settings are used along with user settings. However, only user settings appear in Internet Options. For example, when this REG_DWORD value does not exist or is set to 0, HKLM settings are read along with HKCU settings, but only HKCU settings appear in Internet Options.

TemplatePolicies

The TemplatePolicies key determines the settings of the default security zone levels (Low, Medium Low, Medium, and High). You can change the security level settings from the default settings. However, you cannot add additional security levels. The keys contain values that determine the setting for the security zone. Each key contains a Description string value and a Display Name string value that determine the text that appears on the Security tab for each security level.

ZoneMap

The ZoneMap key contains the following keys:

  • Domains.

    The Domains key contains domains and protocols that have been added to change their behavior from the default behavior. When a domain is added, a key is added to the Domains key. Subdomains appear as keys under the domain where they belong. Each key that lists a domain contains a REG_DWORD with a value name of the affected protocol. The value of the REG_DWORD is the same as the numeric value of the security zone where the domain is added.

  • ProtocolDefaults.

    The ProtocolDefaults key specifies the default security zone that is used for a particular protocol (ftp, http, or https). To change the default setting, you can either add a protocol to a security zone by clicking Sites on the Security tab, or you can add a REG_DWORD value under the Domains key. The name of the REG_DWORD value must match the protocol name, and it must not contain any colons (:) or slashes (/).

    The ProtocolDefaults key also contains REG_DWORD values that specify the default security zones where a protocol is used. You cannot use the controls on the Security tab to change these values. This setting is used when a particular Web site does not fall in a security zone.

  • Ranges.

    The Ranges key contains ranges of TCP/IP addresses. Each TCP/IP range that you specify appears in an arbitrarily named key. This key contains a string value (:Range) that contains the specified TCP/IP range. For each protocol, a REG_DWORD value is added that contains the numeric value of the security zone for the specified IP range.

    When the Urlmon.dll file uses the MapUrlToZone public function to resolve a particular URL to a security zone, it uses one of the following methods:

    • If the URL contains a fully qualified domain name (FQDN), the Domains key is processed. In this method, an exact site match overrides a random match.

    • If the URL contains an IP address, the Ranges key is processed. The IP address of the URL is compared to the :Range value that is contained in each of the arbitrarily named keys under the Ranges key.

NOTE
Because arbitrarily named keys are processed in the order that they were added to the registry, this method might find a random match before it finds an exact match. If so, the URL might be executed in a different security zone than the zone where it is typically assigned. This behavior is by design.
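The following PowerShell script is an added example (not from the Registry Guide) that walks the ZoneMap\Domains and ZoneMap\Ranges keys described above and reports every explicit protocol-to-zone assignment, choosing the hive the way the Security_HKLM_only paragraph describes. The function name Get-IEZoneMapAssignment is hypothetical; every registry path and value name is taken from the text.

```powershell
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-IEZoneMapAssignment {
    # Hive selection as the page describes it: HKLM only when the
    # Security_HKLM_only policy DWORD exists and is 1, otherwise HKCU.
    $policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $policy = Get-ItemProperty -Path $policyKey -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue
    $hive = if ($policy -and $policy.Security_HKLM_only -eq 1) { 'HKLM:' } else { 'HKCU:' }
    $zoneMap = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

    # Domains: one key per domain, subdomains as subkeys, one DWORD per protocol
    # whose data is the zone number. Recurse so contoso.com\www reads as www.contoso.com.
    Get-ChildItem -Path "$zoneMap\Domains" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $labels = ($key.Name -replace '^.*\\Domains\\', '') -split '\\'
        [array]::Reverse($labels)
        foreach ($proto in $key.GetValueNames()) {
            if ($key.GetValueKind($proto) -ne 'DWord') { continue }   # ignore stray non-DWORD values
            $zone = [int]$key.GetValue($proto)
            [pscustomobject]@{ Source = 'Domains'; Entry = ($labels -join '.'); Protocol = $proto
                               Zone = $zone; ZoneName = $ZoneNames[$zone] }
        }
    }

    # Ranges: arbitrarily named keys, each with a ':Range' string and one DWORD per protocol.
    Get-ChildItem -Path "$zoneMap\Ranges" -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $range = $key.GetValue(':Range')
        foreach ($proto in ($key.GetValueNames() | Where-Object { $_ -ne ':Range' })) {
            $zone = [int]$key.GetValue($proto)
            [pscustomobject]@{ Source = 'Ranges'; Entry = $range; Protocol = $proto
                               Zone = $zone; ZoneName = $ZoneNames[$zone] }
        }
    }
}

# Entries mapped into Local Intranet (1) or Trusted Sites (2) receive relaxed security; review those first.
Get-IEZoneMapAssignment | Sort-Object Zone | Format-Table -AutoSize
```

Because Ranges keys are matched in the order they were added, listing them in registry order also shows which range would win when two overlap.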

Zones

The Zones key contains keys that represent each security zone that is defined for the computer. By default, the following five zones are defined (numbered zero through four):

  • 0. My Computer

  • 1. Local Intranet Zone

  • 2. Trusted Sites Zone

  • 3. Internet Zone

  • 4. Restricted Sites Zone

NOTE
By default, My Computer does not appear in the Zone box on the Security tab.

Each of these keys contains the following REG_DWORD values, which represent the corresponding custom settings on the Security tab:

  • 1001. Download signed ActiveX controls

  • 1004. Download unsigned ActiveX controls

  • 1200. Run ActiveX controls and plug-ins

    Run ActiveX controls and plug-ins (1200) has an extra setting named Administrator approved. When this setting is turned on, the REG_DWORD value is 0x00010000, and HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls is checked for a list of approved controls.

  • 1201. Initialize and script ActiveX controls not marked as safe

  • 1206. Allow scripting of Internet Explorer Webbrowser control

  • 1400. Active scripting

  • 1402. Scripting of Java applets

  • 1405. Script ActiveX controls marked as safe for scripting

  • 1406. Access data sources across domains

  • 1407. Allow paste operations via script

  • 1601. Submit non-encrypted form data

  • 1604. Font download

  • 1605. Run Java

  • 1606. Userdata persistence

  • 1607. Navigate sub-frames across different domains

  • 1608. Allow META REFRESH

  • 1609. Display mixed content

  • 1800. Installation of desktop items

  • 1802. Drag and drop or copy and paste files

  • 1803. File Download

    There is no prompt setting for File Download (1803) because it is either allowed or not allowed.

  • 1804. Launching programs and files in an IFRAME

  • 1805. Launching programs and files in webview

  • 1806. Launching applications and unsafe files

  • 1807. Reserved

  • 1808. Reserved

  • 1809. Use Pop-up Blocker

  • 1A00. Logon

    Logon setting (1A00) may have any one of the following values:

    • 0x00000000. Automatic logon with current user name and password

    • 0x00010000. Prompt for user name and password

    • 0x00020000. Automatic logon only in the Intranet zone

    • 0x00030000. Anonymous logon

  • 1A02. Allow persistent cookies that are stored on your computer

  • 1A03. Allow per-session cookies (not stored)

  • 1A04. Don't prompt for client certificate selection when no certificates or only one certificate exists

  • 1A05. Allow 3rd party persistent cookies

  • 1A06. Allow 3rd party session cookies

  • 1A10. Privacy Settings

    Privacy Settings (1A10) is used by the Privacy tab slider. The REG_DWORD values are in the following list:

    • 00000003. Block All Cookies

    • 00000001. High

    • 00000001. Medium High

    • 00000001. Medium

    • 00000001. Low

    • 00000000. Accept All Cookies

  • 1C00. Java permissions

    The Java Permissions setting (1C00) has the following five possible REG_BINARY values:

    • 00 00 00 00. Disable Java

    • 00 00 01 00. High safety

    • 00 00 02 00. Medium safety

    • 00 00 03 00. Low safety

    • 00 00 80 00. Custom

  • 1E05. Software channel permissions

    Software channel permissions (1E05) has three different values:

    • 00010000. High

    • 00020000. Medium

    • 00030000. Low

  • 1F00. Reserved

  • 2000. Binary and script behaviors

  • 2001. Run .NET components signed with Authenticode

  • 2004. Run .NET components not signed with Authenticode

  • 2100. Open files based on content, not file extension

  • 2101. Web sites in less privileged Web content zone can navigate into this zone

  • 2102. Allow script-initiated windows without size or position constraints

  • 2200. Automatic prompting for file downloads

  • 2201. Automatic prompting for ActiveX controls

  • 2300. Allow Web pages to use restricted protocols for active content

  • {AEBA21FA-782A-4A90-978D-B72164C80120}. First Party Cookie

  • {A8A88C49-5EB2-4990-A1A2-0876022C854F}. Third Party Cookie

Unless stated otherwise, each REG_DWORD value is equal to zero, one, or three. Typically, a setting of zero sets a specific action as permitted, a setting of one causes a prompt to appear, and a setting of three does not allow the specific action.

Each security zone also contains the Description string value and the Display Name string value. The text of these values appears on the Security tab when you click a zone in the Zone box. There is also an Icon string value that sets the icon that appears for each zone. Except for the My Computer zone, each zone contains a CurrentLevel, a MinLevel, and a RecommendedLevel REG_DWORD value. The MinLevel value sets the lowest setting that can be used before you receive a warning message, CurrentLevel is the current setting for the zone, and RecommendedLevel is the recommended level for the zone. The following list describes the settings for these values:

  • 0x00010000. Low Security

  • 0x00010500. Medium Low Security

  • 0x00011000. Medium Security

  • 0x00012000. High Security

The Flags REG_DWORD value determines the ability of the user to modify the security zone's properties. To determine the Flags value, add the numbers of the appropriate settings together. The following Flags values are available:

  • 1. Allow changes to custom settings

  • 2. Allow users to add Web sites to this zone

  • 4. Require verified Web sites (https protocol)

  • 8. Include Web sites that bypass the proxy server

  • 16. Include Web sites not listed in other zones

  • 32. Do not show security zone in Internet Properties (default setting for My Computer)

  • 64. Show the Requires Server Verification dialog box

  • 128. Treat Universal Naming Connections (UNCs) as intranet connections
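The following PowerShell function is an added example (not from the Registry Guide) that reads each zone key described in this section, decodes the additive Flags bitmask and the CurrentLevel value with the numbers given above, and flags any listed action that is set to 0 (Enable) in the Internet or Restricted Sites zone. The function name Get-IEZoneAudit and the subset of action values audited are choices made for this example; the value names and their 0/1/3 meanings come from the text.

```powershell
function Get-IEZoneAudit {
    param([string]$Hive = 'HKCU:')   # pass 'HKLM:' when Security_HKLM_only is 1

    $levelNames  = @{ 0x10000 = 'Low'; 0x10500 = 'Medium Low'; 0x11000 = 'Medium'; 0x12000 = 'High' }
    $flagBits    = [ordered]@{ 1 = 'CustomSettings'; 2 = 'UserAddsSites'; 4 = 'RequireHttps'; 8 = 'ProxyBypass';
                               16 = 'UnlistedSites'; 32 = 'Hidden'; 64 = 'ServerVerifyDialog'; 128 = 'UncIsIntranet' }
    # A subset of the action values listed on the page; 0 = Enable, 1 = Prompt, 3 = Disable.
    $actions     = [ordered]@{ '1001' = 'Download signed ActiveX'; '1004' = 'Download unsigned ActiveX';
                               '1200' = 'Run ActiveX/plug-ins'; '1201' = 'Script ActiveX not marked safe';
                               '1400' = 'Active scripting'; '1806' = 'Launch apps/unsafe files';
                               '2300' = 'Restricted protocols for active content' }
    $actionState = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

    foreach ($zone in 0..4) {
        $path = "$Hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if (-not $p) { continue }

        # Flags is additive, so test each documented bit separately.
        $flags = [int]$p.Flags
        $flagText = ($flagBits.Keys | Where-Object { $flags -band $_ } | ForEach-Object { $flagBits[$_] }) -join ','

        foreach ($id in $actions.Keys) {
            $raw = $p.$id
            if ($null -eq $raw) { continue }
            $state = $actionState[[int]$raw]
            if (-not $state) { $state = '0x{0:X8}' -f [int]$raw }   # values outside 0/1/3 shown raw
            [pscustomobject]@{
                Zone   = $zone
                Name   = $p.'Display Name'
                Level  = $levelNames[[int]$p.CurrentLevel]
                Flags  = $flagText
                Action = "$id $($actions[$id])"
                State  = $state
                # Enable (0) in the Internet or Restricted Sites zone is what a reviewer should question.
                Review = ($zone -ge 3 -and [int]$raw -eq 0)
            }
        }
    }
}

Get-IEZoneAudit | Where-Object Review | Format-Table Zone, Name, Level, Flags, Action, State -AutoSize
```

Drop the Where-Object filter to see every zone's decoded Flags and CurrentLevel, which is useful when checking that a locked-down template (for example Flags without bit 1) has actually been applied.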



Microsoft Windows Registry Guide, Second Edition
ISBN: 0735622183
Year: 2003
Pages: 186
