Tuesday, July 05, 2005

IE Shell programming, Security

I have been programming a utility to manage the Internet Zones using the URL Security Zones via the IInternetSecurityManager COM Interface to IE. I started with some sample code from Mike Friedman's IE Security Zones post at the IEBlog, which I mentioned a month ago. That showed how to use one call, but not how to use COM Interop and translate data back and forth between .NET and COM. Since then, with some effort, I have made good progress. For example, I have learned how to get back an array of strings from UCOMIEnumString, which is the .NET wrapper for IEnumString. It is rather more complicated than using a standard enumerator. I had thought I would have to ask for help from some forum or friends, but actually got it going by walking away for a while and coming back after studying some references.

These are some of the most helpful references:
[TODO - fill in more refs here, to MSDN Library]
This article on Shell programming was some help.


Note that under Server 2003 there is a new type of "Enhanced Security Zone" which appears to be more restrictive in some ways. See the details under Enhanced Security Configuration for Internet Explorer.


While doing this I observed a rather surprising situation with these zone entries in IE. While you can check the box "Require server verification (https://) for all sites in this zone", all it seems to do is ensure that you have put that protocol specifier at the front of the string you entered. There is absolutely NO validation of the rest of the string. You can enter a string with spaces and some punctuation characters such as a comma or parens! I thought this might only be true through the programmatic interface, but it is also true when adding zones through the Tools-Security tab in IE. Pretty surprising, not to say shocking.
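Since the checkbox only looks at the scheme prefix, a zone-management utility can validate the rest of the entry itself before adding it. The following C# sketch is an added example, not code from the utility described in this post; `ZoneEntryValidator` and `Check` are hypothetical names, the sample entries are constructed, and it assumes entries of the form `scheme://host` where the host may begin with a `*.` wildcard.

```csharp
using System;

static class ZoneEntryValidator   // hypothetical helper, not an IE or .NET API
{
    // Returns null when the entry is acceptable, otherwise the reason it was rejected.
    // Assumed entry form: scheme://host, where host may start with "*." (wildcard).
    public static string Check(string entry, bool requireHttps)
    {
        if (string.IsNullOrEmpty(entry)) return "empty entry";
        int sep = entry.IndexOf("://", StringComparison.Ordinal);
        if (sep <= 0) return "missing scheme";

        string scheme = entry.Substring(0, sep);
        if (requireHttps && !scheme.Equals("https", StringComparison.OrdinalIgnoreCase))
            return "zone requires https";
        if (scheme != "*" && !Uri.CheckSchemeName(scheme)) return "malformed scheme";

        string host = entry.Substring(sep + 3);
        if (host.StartsWith("*.", StringComparison.Ordinal)) host = host.Substring(2);
        if (host.Length == 0 || host.Length > 253) return "bad host length";

        // The step the post found missing: validate what follows the scheme.
        foreach (string label in host.Split('.'))
        {
            if (label.Length == 0 || label.Length > 63) return "bad label length";
            if (label[0] == '-' || label[label.Length - 1] == '-')
                return "label starts or ends with '-'";
            foreach (char c in label)
            {
                bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                       || (c >= '0' && c <= '9') || c == '-';
                if (!ok) return "illegal character '" + c + "' in host";
            }
        }
        return null;
    }

    static void Main()
    {
        // Constructed sample entries, including the kinds of strings the post describes.
        string[] samples = {
            "https://intranet.example.com", "https://*.example.com",
            "https://exa mple.com", "https://example,(test).com", "http://example.com"
        };
        foreach (string s in samples)
        {
            string why = Check(s, true);
            Console.WriteLine("{0,-32} {1}", s, why ?? "ok");
        }
    }
}
```

The check is deliberately strict: it rejects paths, ports and non-ASCII host names, so relax it only for entry forms you have confirmed the zone manager handles.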

I want to continue this application to allow creation and editing of custom URL zones. A comment to the post above discusses manually editing the registry to do this, as did Guy in a comment to my earlier post. And these links discuss ways to extend the IE user interface:
And, on the topic of security in IE, I noticed several posts on the MS IEBlog regarding some plans to allow a new version, apparently not IE7 on XP, to run with diminished privileges.
See Rob Franco’s "Clarifying Low-Rights IE" post and "A Follow up to Low-Rights IE".

APPENDIX
These are some more extensive articles on Shell programming which I want to try
Windows Shell: Create Namespace Extensions for Windows Explorer with the .NET - MSDN Mag, January 2004

Chris Sells wrote a three part series of articles: Creating Document-Centric Applications in Windows Forms, Part 2 (Wonders of Windows Forms)
