Windows 7 Forums



Windows 7: IE9 zone settings

04 Jul 2011   #1

Windows 7 PRO x64
 
 
IE9 zone settings

Hi.
I'm using IE9's default zone templates, but if I understand what I'm finding in the registry, my local computer zone is set at 'Low' and I'm kind of thinking I'd like to use GP to lock it down at 'High' and do without gadgets etc.

Before using GP I'd like to learn which of the registry keys that contain URLAction flag values are applied where the values in a key are different or a key has no value? Does HKCU's 'Internet Settings' zones override HKLM's 'TemplatePolicies' values? I assume HKCU trumps HKLM's 'Internet settings' values?

Also, outside of applying GP, when (or does?) the 'lockdown_zones' keys apply?
I've only located 48 of the URLAction flags' text names in the registry, the rest of the 75 names (see pic) I know only from TechNet.

Discounting duplicate HKEY_Users usersid keys and with no GP settings configured yet in ~\SOFTWARE\Policies\Microsoft\Windows~, the only other relevant keys for the zone flags I know of are:-

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\zones
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\lockdown_zones
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\zones
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\lockdown_zones
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zones
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\lockdown_zones
HKEY_USERS\<systemsid>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\zones
HKEY_USERS\<systemsid>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\zones\lockdown_zones
...and the default Low, MedLow, Medium, MedHigh and High zone templates found in...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies

Any advice appreciated. Can upload my comparison tables of the 0-4 zones if that'll bring a chuckle...

Erm image uploaded is pretty useless! pic removed..text list below instead:

URLAction Flags List
====================
Code  Name
1001  Download signed ActiveX controls
1004  Download unsigned ActiveX controls
1200  Run ActiveX controls and plugins
1201  Initialize and script ActiveX controls not marked as safe for scripting
1206  Allow scripting of Microsoft web browser control
1207  ACTIVEX_OVERRIDE_REPURPOSEDETECTION
1208  Allow previously unused ActiveX controls to run without prompt
1209  Allow Scriptlets
120A  Display video and animation on a web page that does not use external media player
120B  Only allow approved domains to use ActiveX without prompt
1400  Active scripting
1402  Scripting of Java applets
1405  Script ActiveX controls marked safe for scripting
1406  Access data sources across domains
1407  Allow Programmatic clipboard access {by websites}
1408  ALLOW_XDOMAIN_SUBFRAME_RESIZE
1409  Enable XSS filter
1601  Submit non-encrypted form data
1604  Font download
1605  HTML_JAVA_RUN
1606  Userdata persistence
1607  Navigate windows and frames across different domains
1608  Allow META REFRESH
1609  Display mixed content
160A  Include local directory path when uploading files to a server
1800  ???
1802  Drag and drop or copy and paste files
1803  File download
1804  Launching programs and files in an IFRAME
1805  SHELL_WEBVIEW_VERB
1806  Launching applications and unsafe files
1807  SHELL_EXECUTE_MODRISK
1808  SHELL_EXECUTE_LOWRISK
1809  Use Pop-up blocker
180A  SHELL_RTF_OBJECTS_LOAD
180B  SHELL_ENHANCED_DRAGDROP_SECURITY
180C  SHELL_EXTENSIONSECURITY
180D  SHELL_SECURE_DRAGSOURCE
180E  SHELL_REMOTEQUERY
180F  SHELL_PREVIEW
1A00  Logon
1A02  COOKIES
1A03  COOKIES_SESSION
1A04  Don't prompt for client certificate selection when only one certificate exists
1A05  COOKIES_THIRD_PARTY
1A06  COOKIES_SESSION_THIRD_PARTY
1A10  COOKIES_ENABLED
1C00  ???
1e05  CHANNEL_SOFTDIST_PERMISSIONS
2000  Binary and script behaviors
2001  Run components signed with Authenticode
2004  Run components not signed with Authenticode
2005  DOTNET_USERCONTROLS
2007  Permissions for components with manifests
2100  Enable MIME Sniffing
2101  Websites in less privileged web content zone can navigate into this zone
2102  Allow script-initiated windows without size or position constraints
2103  Allow status updates via script
2104  Allow webpages to open windows without address or status bars
2105  Allow websites to prompt for information using scripted windows
2106  FEATURE_DATA_BINDING
2107  FEATURE_CROSSDOMAIN_FOCUS_CHANGE
2200  AUTOMATIC_DOWNLOAD_UI
2201  Automatic prompting for ActiveX controls
2300  Allow webpages to use restricted protocols for active content
2301  Use SmartScreen filter
2400  XAML browser applications
2401  XPS Documents
2402  Loose XAML
2500  LOWRIGHTS Protected Mode enabled
2600  Enable .NET Framework setup
2700  INPRIVATE_BLOCKING
2701  ALLOW_AUDIO_VIDEO
2702  Allow ActiveX Filtering
2703  ALLOW_STRUCTURED_STORAGE_SNIFFING


04 Jul 2011   #2

Windows 7 & Windows Vista Ultimate
 
 

Hi, Quibbler.

That certainly seems like quite an exercise and an opportunity for error. Why not merely change the default setting for the Local Intranet Zone?

This article may be of interest. Understanding Local Machine Zone Lockdown - EricLaw's IEInternals

and

Internet Explorer Security Zones - Add or Remove Sites
05 Jul 2011   #3

Windows 7 PRO x64
 
 

Quote: Originally Posted by Corrine
That certainly seems like quite an exercise and an opportunity for error.
My sentiments exactly. I embarked on a learning exercise because setting GP for IE zones without knowing the downsides was too scary.

Quote: Originally Posted by Corrine
Why not merely change the default setting for the Local Intranet Zone?
It's zone 0 "Local machine Zone" that I'm keen to secure. I've found this quote:

"By default, starting with Windows XP SP2, the Local Machine Zone is locked down to help improve security" in Msoft article ID 182569. But my TemplatePolicies key shows the local zone 0 current level as hex:10000, which (I think) is the "LOW" setting? :-

Low 10000
Med Low 10500
Medium 11000
Med high 11500
High 12000

Can see this isn't an easy game for mere mortals:

If 'Security Zones: Use only machine settings' setting in Group Policy is enabled, or if 'Security_HKLM_only' DWORD value is present and has a value of 1 in subkey:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

...only HKLM settings are used by Internet Explorer and all users have the same security settings. However, the HKCU values will still be displayed in the zone settings on the Security tab in Internet Explorer.

On the other hand, if 'Security Zones: Use only machine settings' setting in Group Policy is not enabled, or if 'Security_HKLM_only' DWORD value does not exist or is set to 0 in the above subkey, HKLM settings are read together with HKCU settings, but only HKCU settings appear in the Internet Options.

So what you see isn't what you get it seems. All I want to do is set the zone 0 to higher than LOW and I can't do that in Internet Options.

I'm thinking maybe I just configure GP's lockdown Zone 0 template? Not sure if that's all I need to do, tho. Thanks for links. Will trawl on!
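An added example, not part of any post in this thread: a read-only PowerShell audit that lists the Local Machine Zone (zone 0) values from each hive named above and flags the HKCU rows that are not used when 'Security_HKLM_only' is 1, as described in post #3. The `Policies\...\Zones` paths and the `CurrentLevel` value name are assumed standard Internet Explorer locations not listed in the thread; the four action codes are a subset picked from the flag list in post #1.

```powershell
# Added example (not from the thread): read-only audit of zone 0 (Local Machine Zone).
$is    = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$zone  = '0'
# CurrentLevel plus a subset of the URLAction codes listed in post #1; extend as needed.
$names = @('CurrentLevel', '1200', '1400', '1806', '2500')
# Hives to compare. The two Policies entries are assumed standard Group Policy locations.
$sources = @(
    @{ Label = 'HKLM policy'; Root = "HKLM:\SOFTWARE\Policies\$is" },
    @{ Label = 'HKCU policy'; Root = "HKCU:\Software\Policies\$is" },
    @{ Label = 'HKCU';        Root = "HKCU:\Software\$is" },
    @{ Label = 'HKLM';        Root = "HKLM:\SOFTWARE\$is" }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Security_HKLM_only = 1 means only HKLM settings are used (see post #3).
$hklmOnly = (Get-RegValue "HKLM:\SOFTWARE\Policies\$is" 'Security_HKLM_only') -eq 1
"Security_HKLM_only enabled: $hklmOnly"

$rows = foreach ($src in $sources) {
    foreach ($sub in 'Zones', 'Lockdown_Zones') {
        $key = "$($src.Root)\$sub\$zone"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($name in $names) {
            $value = Get-RegValue $key $name
            if ($null -eq $value) { $shown = '(not set)' } else { $shown = '0x{0:X}' -f $value }
            New-Object PSObject -Property @{
                Source  = $src.Label
                Subkey  = $sub
                Name    = $name
                Value   = $shown
                # HKCU rows are not used by IE when HKLM-only mode is on.
                Ignored = ($hklmOnly -and $src.Label -like 'HKCU*')
            }
        }
    }
}
$rows | Format-Table Source, Subkey, Name, Value, Ignored -AutoSize
```

The script only reads the registry, so it can be run before and after a Group Policy change to compare what each hive holds for zone 0.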


05 Jul 2011   #4

Windows 7 PRO x64
 
 

Hi,

Now read the linked blog and realise I referred to the wrong key earlier. TemplatePolicies is the default zones.

Maybe images explain better than a thousand rambling words, so here are (hopefully clear) pics of my Local Machine Zone 0's current level, as appearing in HKLM and HKCU. (Not even hex:10000, but 0 ??? )

I don't have GP configured for any zones.

This is why I don't grasp the explanation about Zone 0 being locked down?

Unless my zone 0 setting has gone awol or maybe I'm looking in the wrong place?


Attached Thumbnails
IE9 zone settings-hkcu-zone-0-level.png   IE9 zone settings-hkcu-lockdown-zone-0-level.png   IE9 zone settings-hklm-zone0-level.png   IE9 zone settings-hklm-lockdown-zone-0-level.png  
06 Jul 2011   #5

Windows 7 & Windows Vista Ultimate
 
 

07 Jul 2011   #6

Windows 7 PRO x64
 
 

Cheers for links. This is making me think if nothing else
07 Jul 2011   #7

Windows 7 & Windows Vista Ultimate
 
 

You're welcome.