Wednesday, May 25, 2005

Internet Explorer Tweaks and Tools

As mentioned below, when discussing Internet Zone settings in IE, I find it frustrating that there are no intermediate ones between untrusted Internet and Trusted Sites. In the past I had looked into this briefly without luck, but a Google search now shows some remarks suggesting this is possible.

There are several interesting posts at IEBlog - the Microsoft Internet Explorer Weblog, a blog by members of the Microsoft IE team. An article, "IE Security Zones", posted there by Mike Friedman is the most helpful I have found. He describes the zones, and posts a utility that uses the URL Security Zones API to programmatically assign URLs to zones without going through the IE>Tools>Security tabbed interface. I will report after I try it. He also links to a number of good reference articles.

His post generated some rather nasty cross postings attacking Microsoft, and I respect their forbearance in tolerating that stuff. As to the validity of the content of the arguments about security holes I am uncertain. The Secunia site linked to says (as of 2005-02-10) regarding:

Internet Explorer Security Zone Bypass and Address Bar Spoofing -
The vulnerability has been fixed silently in some cumulative security update.


Blogger Guy said...

Here is the "quick 'n dirty" way to create additional Zones in Internet Explorer.

Some stuff:

This is "quick 'n dirty" (I did not think about it too much).
By default there are 5 zones (0-4) 0 = the My Computer zone which is hidden; change DWORD "Flags" to 0(zero) to make visible.
Users look at both HKLM and HKCU but only see HKCU.
When DWORD "Security_HKLM_only" is set to 1(one) in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
only HKLM settings will be used.

Bunch of stuff I forgot to write... anyway

I show HKLM - after reboot will propagate to HKCU

Regedit drill down to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

Pick a Zone to duplicate and export the branch to a REG file.

Edit the REG file to add a new Zone.


Making an additional Restricted Zone:

Export the branch:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4

Open REG file and make some edits:

Change the Zone number from 4 to 5:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\5

(I believe one may go to number 99)

Change the "DisplayName" and "Description" String values to your liking.
Change the "Icon" String value for a nice icon.

Sorry I'm not home so I can't check the resources for available icons in inetcpl.cpl
4485 is a "script/scrap" looking icon.. good enough for this demo.

Merge the reg file and do a reboot.
After boot make adjustments to the security for the new zone.

Well I said it was "quick 'n dirty" plus I'm sure I left out a lot. But it gets one on their way..



3:57 PM  
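
The REG-file edit described in the comment above, as an added example that is not the commenter's or Microsoft's code: it rewrites an exported Zones\4 section into a new zone number, replaces the display strings, and lets you confirm that every dword setting was carried over unchanged. The function names, the sample export (constructed, illustrative values) and the refusal to target zones 0-4 are assumptions made for this example.

```python
import re

# Key path as given in the comment above; zones 0-4 are the built-in ones.
ZONES_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
             r"\CurrentVersion\Internet Settings\Zones")

# Constructed sample of a Zones\4 export (illustrative values, not taken from
# a real machine). regedit saves .reg files as UTF-16, so decode before use.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + ZONES_KEY + "\\4]",
    '"DisplayName"="Restricted sites"',
    '"Description"="Sites that could damage your computer"',
    '"CurrentLevel"=dword:00012000',
    '"Flags"=dword:00000003',
    '"1400"=dword:00000003',
    "",
])

def reg_quote(text):
    """Escape backslashes and double quotes the way .reg string values need."""
    return text.replace("\\", "\\\\").replace('"', '\\"')

def clone_zone(export_text, src, dst, overrides):
    """Return .reg text defining zone dst as a copy of zone src.
    overrides maps string value names (e.g. DisplayName) to new text."""
    if dst <= 4:
        raise ValueError("refusing to overwrite a built-in zone (0-4)")
    lines = export_text.splitlines()
    src_header = ("[%s\\%d]" % (ZONES_KEY, src)).lower()
    out, in_src = [lines[0], ""], False
    for line in lines[1:]:
        if line.startswith("["):
            in_src = line.strip().lower() == src_header
            if in_src:
                out.append("[%s\\%d]" % (ZONES_KEY, dst))
        elif in_src and line.strip():
            name = line.split("=", 1)[0].strip('"')
            if name in overrides:
                line = '"%s"="%s"' % (name, reg_quote(overrides[name]))
            out.append(line)
    if len(out) == 2:
        raise ValueError("zone %d not found in export" % src)
    return "\n".join(out) + "\n"

def dword_settings(reg_text):
    """Map each dword value name to its integer, to diff source and clone."""
    pattern = r'^"([^"]+)"=dword:([0-9a-fA-F]{8})'
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, reg_text, re.M)}
```

Comparing dword_settings() of the export and of the clone before merging shows whether the new zone starts with the same restrictions as the zone it was copied from.
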
Blogger Allan Wolff said...

Hey Guy,

I wondered whether just exporting one of those keys and then importing under another key would work. There are few GUIDs I wasn't sure about. I'll give it a shot. Thanks.

Was the utility in the page I link the same one you mentioned? I have not tried it yet.

Hope there was something useful for you last night. Did you see the NET LOCALGROUP commands?


5:18 PM  
Blogger Guy said...


Here is the Internet Explorer 5 Power Tweaks Web Accessories which works on whatever is here (6.0.02900.2180.xpsp_sp2_gdr... blah blah).

Adds the "Add to Trusted..." "Add to Restricted Zone" functions in the Tools Menu.


Actually it should be easy enough to add the functions as toolbar icons if one desired.



4:35 PM  
Blogger Allan Wolff said...

Hey again, Guy. Thanks for the links. I had looked at the addons for IE6 but never looked at that list for IE5 - Web Accessories for Internet Explorer 5. I particularly like several of the functions in the Web Accessories for Internet Explorer 5. I have installed a JavaScript version of 'Show Frame in New Window' on a number of machines, but never saw this one. As to the add site to Zone utility, it is really a big improvement over going through the standard dialog, because it will actually remove an item from the current zone if needed!

9:06 AM  
Blogger Allan Wolff said...

Googling led me to the following site by Ramesh Srinivasan, which has lots of good tips on WinXP and IE: Ramesh's Windows XP Troubleshooting site.
And tips for IE are at:
Internet Explorer - Tips
Internet Explorer - Notes

11:04 AM  
