IE9 zone settings


  1. Posts : 12
    Windows 7 PRO x64
       #1

    IE9 zone settings


    Hi.
    I'm using IE9's default zone templates, but if I understand what I'm finding in the registry, my local computer zone is set at 'Low' and I'm kind of thinking I'd like to use GP to lock it down at 'High' and do without gadgets etc.

    Before using GP I'd like to learn which of the registry keys that contain URLAction flag values are applied where the values in a key are different or a key has no value? Does HKCU's 'Internet Settings' zones override HKLM's 'TemplatePolicies' values? I assume HKCU trumps HKLM's 'Internet settings' values?

    Also, outside of applying GP, when (or does?) the 'lockdown_zones' keys apply?
    I've only located 48 of the URLAction flags' text names in the registry, the rest of the 75 names (see pic) I know only from TechNet. Discounting duplicate HKEY_Users usersid keys and with no GP settings configured yet in ~\SOFTWARE\Policies\Microsoft\Windows~,

    the only other relevant keys for the zone flags I know of are:-

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\zones
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\lockdown_zones
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\zones
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\lockdown_zones
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zones
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\lockdown_zones
    HKEY_USERS\<systemsid>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\zones
    HKEY_USERS\<systemsid>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\zones\lockdown_zones
    ...and the default Low, MedLow, Medium, MedHigh and High zone templates found in...
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies

    Any advice appreciated. Can upload my comparison tables of the 0-4 zones if that'll bring a chuckle...

    Erm image uploaded is pretty useless! pic removed..text list below instead:

    URLAction Flags List
    ==============
    Download signed ActiveX controls.......................................................1001
    Download unsigned ActiveX controls....................................................1004
    Run ActiveX controls and plugins.........................................................1200
    Initialize and script ActiveX controls not marked as safe for scripting...........1201
    Allow scripting of Microsoft web browser control.....................................1206
    ACTIVEX_OVERRIDE_REPURPOSEDETECTION........................................1207
    Allow previously unused ActiveX controls to run without prompt..................1208
    Allow Scriptlets................................................................................1209
    Display video and animation on a web page that does not use external media player....120A
    Only allow approved domains to use ActiveX without prompt......................120B
    Active scripting................................................................................1400
    Scripting of Java applets....................................................................1402
    Script ActiveX controls marked safe for scripting.....................................1405
    Access data sources across domains.....................................................1406
    Allow Programmatic clipboard access {by websites}................................1407
    ALLOW_XDOMAIN_SUBFRAME_RESIZE.................................................1408
    Enable XSS filter.............................................................................1409
    Submit non-encrypted form data.......................................................1601
    Font download...............................................................................1604
    HTML_JAVA_RUN...........................................................................1605
    Userdata persistence......................................................................1606
    Navigate windows and frames across different domains..........................1607
    Allow META REFRESH.....................................................................1608
    Display mixed content...................................................................1609
    Include local directory path when uploading files to a server...................160A
    ???...........................................................................................1800
    Drag and drop or copy and paste files................................................1802
    File download..............................................................................1803
    Launching programs and files in an IFRAME.......................................1804
    SHELL_WEBVIEW_VERB................................................................1805
    Launching applications and unsafe files.............................................1806
    SHELL_EXECUTE_MODRISK..........................................................1807
    SHELL_EXECUTE_LOWRISK..........................................................1808
    Use Pop-up blocker.....................................................................1809
    SHELL_RTF_OBJECTS_LOAD..........................................................180A
    SHELL_ENHANCED_DRAGDROP_SECURITY.........................................180B
    SHELL_EXTENSIONSECURITY.........................................................180C
    SHELL_SECURE_DRAGSOURCE........................................................180D
    SHELL_REMOTEQUERY...................................................................180E
    SHELL_PREVIEW.........................................................................180F
    Logon.......................................................................................1A00
    COOKIES...................................................................................1A02
    COOKIES_SESSION.......................................................................1A03
    Don't prompt for client certificate selection when only one certificate exists...1A04
    COOKIES_THIRD_PARTY...............................................................1A05
    COOKIES_SESSION_THIRD_PARTY..................................................1A06
    COOKIES_ENABLED.......................................................................1A10
    ???............................................................................................1C00
    CHANNEL_SOFTDIST_PERMISSIONS.................................................1e05
    Binary and script behaviors.............................................................2000
    Run components signed with Authenticode......................................2001
    Run components not signed with Authenticode..................................2004
    DOTNET_USERCONTROLS..........................................................2005
    Permissions for components with manifests....................................2007
    Enable MIME Sniffing....................................................................2100
    Websites in less privileged web content zone can navigate into this zone.....2101
    Allow script-initiated windows without size or position constraints.............2102
    Allow status updates via script.........................................................2103
    Allow webpages to open windows without address or status bars.................2104
    Allow websites to prompt for information using scripted windows...............2105
    FEATURE_DATA_BINDING...................................................................2106
    FEATURE_CROSSDOMAIN_FOCUS_CHANGE...............................................2107
    AUTOMATIC_DOWNLOAD_UI..........................................................2200
    Automatic prompting for ActiveX controls.......................................2201
    Allow webpages to use restricted protocols for active content..................2300
    Use SmartScreen filter.................................................................2301
    XAML browser applications..............................................................2400
    XPS Documents..........................................................................2401
    Loose XAML.................................................................................2402
    LOWRIGHTS Protected Mode enabled...............................................2500
    Enable .NET Framework setup....................................................2600
    INPRIVATE_BLOCKING.............................................................2700
    ALLOW_AUDIO_VIDEO..............................................................2701
    Allow ActiveX Filtering....................................................................2702
    ALLOW_STRUCTURED_STORAGE_SNIFFING..............................................2703


  2. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #2

    Hi, Quibbler.

    That certainly seems like quite an exercise and an opportunity for error. Why not merely change the default setting for the Local Intranet Zone?

    This article may be of interest. Understanding Local Machine Zone Lockdown - EricLaw's IEInternals

    and

    Internet Explorer Security Zones - Add or Remove Sites
    Last edited by Brink; 04 Jul 2011 at 13:28. Reason: added link


  3. Posts : 12
    Windows 7 PRO x64
    Thread Starter
       #3

    Corrine said:
    That certainly seems like quite an exercise and an opportunity for error.
    My sentiments exactly. I embarked on a learning exercise because setting GP for IE zones without knowing the downsides was too scary.

    Corrine said:
    Why not merely change the default setting for the Local Intranet Zone?
    It's zone 0 "Local machine Zone" that I'm keen to secure. I've found this quote:

    "By default, starting with Windows XP SP2, the Local Machine Zone is locked down to help improve security" in Msoft article ID 182569. But my TemplatePolicies key shows the local zone 0 current level as hex:10000, which (I think) is the "LOW" setting? :-

    Low 10000
    Med Low 10500
    Medium 11000
    Med high 11500
    High 12000

    Can see this isn't an easy game for mere mortals:

    If 'Security Zones: Use only machine settings' setting in Group Policy is enabled, or if 'Security_HKLM_only' DWORD value is present and has a value of 1 in subkey:

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

    ...only HKLM settings are used by Internet Explorer and all users have the same security settings. However, the HKCU values will still be displayed in the zone settings on the Security tab in Internet Explorer.

    On the other hand, if 'Security Zones: Use only machine settings' setting in Group Policy is not enabled, or if 'Security_HKLM_only' DWORD value does not exist or is set to 0 in the above subkey, HKLM settings are read together with HKCU settings, but only HKCU settings appear in the Internet Options.

    So what you see isn't what you get it seems. All I want to do is set the zone 0 to higher than LOW and I can't do that in Internet Options.

    I'm thinking maybe I just configure GP's lockdown Zone 0 template? Not sure if that's all I need to do, tho. Thanks for links. Will trawl on!


  4. Posts : 12
    Windows 7 PRO x64
    Thread Starter
       #4

    Hi,

    Now read the linked blog and realise I referred to the wrong key earlier. TemplatePolicies is the default zones.

    Maybe images explain better than a thousand rambling words, so here are (hopefully clear) pics of my Local Machine Zone 0's current level, as appearing in HKLM and HKCU. (Not even hex:10000, but 0 ??? )

    I don't have GP configured for any zones.

    This is why I don't grasp the explanation about Zone 0 being locked down?

    Unless my zone 0 setting has gone awol or maybe I'm looking in the wrong place?
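    The comparison attempted in posts #3 and #4, as an added example that is not part of any post in this thread: a read-only PowerShell audit that prints zone 0's CurrentLevel and a few URLAction values from each of the keys listed in post #1, plus the Security_HKLM_only policy value. It assumes PowerShell 3.0 or later and the usual Microsoft-documented meanings (action values 0/1/3 = allow/prompt/block; a CurrentLevel of 0 is the "Custom" template, not "Low"); some actions use other value sets, which are shown as raw hex.

```powershell
# Added example: read-only audit of the Local Machine Zone (zone 0).
# Requires PowerShell 3.0+ ([ordered]); nothing is written to the registry.
$is   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$wow  = 'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings'
$keys = @(
    "HKLM:\$is\Zones\0",  "HKLM:\$is\Lockdown_Zones\0",
    "HKLM:\$wow\Zones\0", "HKLM:\$wow\Lockdown_Zones\0",
    "HKCU:\$is\Zones\0",  "HKCU:\$is\Lockdown_Zones\0"
)
# A few URLAction flags taken from the list in post #1.
$actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plugins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1806' = 'Launching applications and unsafe files'
}

function Get-LevelText($Level) {
    if ($null -eq $Level) { return '(not set)' }
    $name = switch ($Level) {
        0x00000 { 'Custom' }   # per-action values, no template applied
        0x10000 { 'Low' }
        0x10500 { 'MedLow' }
        0x11000 { 'Medium' }
        0x11500 { 'MedHigh' }
        0x12000 { 'High' }
        default { 'Unknown' }
    }
    '0x{0:X} ({1})' -f $Level, $name
}

function Get-ActionText($Value) {
    if ($null -eq $Value) { return '(not set)' }
    switch ($Value) {
        0 { 'Allow' }
        1 { 'Prompt' }
        3 { 'Block' }
        default { '0x{0:X}' -f $Value }   # action with a different value set
    }
}

$polKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol.Security_HKLM_only -eq 1) { 'Security_HKLM_only = 1: only HKLM zone settings are used' }
else { 'Security_HKLM_only absent or 0: HKLM settings are read together with HKCU' }

foreach ($key in $keys) {
    # A missing key yields $null, so every field reports '(not set)'.
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $row = [ordered]@{ Key = $key; CurrentLevel = (Get-LevelText $p.CurrentLevel) }
    foreach ($id in $actions.Keys) { $row["$id $($actions[$id])"] = (Get-ActionText $p.$id) }
    [pscustomobject]$row
}
```

    The HKCU rows reflect the account the script runs under, so run it as the user whose settings are being checked.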


  5. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #5


  6. Posts : 12
    Windows 7 PRO x64
    Thread Starter
       #6

    Cheers for links. This is making me think, if nothing else.


  7. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #7

    You're welcome.


 
