Wednesday, July 06, 2005

Windows Internet Security Zones

Continuing work on the Zone management tool has led to a number of issues.

Here are the best references I have found.

"Introduction to URL Security Zones" (in Web Dev>Security and Privacy>Security Zones) discusses the zones and the API for using them, with particular emphasis on the enhancements in XP-SP2. But it doesn't really explain the significance of the different settings, and the FLAGS in particular.

"Description of Internet Explorer security zones registry entries" (KB Q182569) is much more helpful in that area.

Note that settings can be stored both under HKLM and HKCU, and the machine can be set through group policy or through a local reg key to use only the HKLM settings. (And oddly in that case the user still sees their HKCU settings!)

NB - Only later is it explained that settings and web domains listed in both HKLM and HKCU will both be read and have additive effect:

If you add settings to both the HKEY_LOCAL_MACHINE and the HKEY_CURRENT_USER keys, the settings are additive. If you add Web sites to both keys, only those Web sites in the HKEY_CURRENT_USER are visible. The Web sites in the HKEY_LOCAL_MACHINE key are still enforced according to their settings, but they are not available, and you cannot modify them. This situation can be confusing because a Web site may be listed in only one security zone for each protocol.

I'd say it can be confusing!!

It also explains precisely what the FLAGS value specifies:

The Flags DWORD value determines the ability of the user to modify the security zone's properties. To determine the Flags value, add the numbers of the appropriate settings together. The following Flags values are available (decimal):
1 Allow changes to custom settings
2 Allow users to add Web sites to this zone
4 Require verified Web sites (https protocol)
8 Include Web sites that bypass the proxy server
16 Include Web sites not listed in other zones
32 Do not show this security zone in Internet Properties (which is the default setting for My Computer)
64 Show the Requires Server Verification dialog box
128 Treat Universal Naming Connections (UNCs) as intranet connections
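
As an added example (not code from the KB article or from the zone tool discussed here), the Flags list above can be applied to a registry export: this Python sketch decodes each zone's Flags DWORD from `.reg` text and lists the hive/zone pairs where bits 1 or 2 let the user modify the zone. The sample export is constructed for illustration and the function names are hypothetical.

```python
import re

# Flag meanings exactly as listed in the KB Q182569 excerpt above (decimal).
FLAG_BITS = {
    1: "Allow changes to custom settings",
    2: "Allow users to add Web sites to this zone",
    4: "Require verified Web sites (https protocol)",
    8: "Include Web sites that bypass the proxy server",
    16: "Include Web sites not listed in other zones",
    32: "Do not show this security zone in Internet Properties",
    64: "Show the Requires Server Verification dialog box",
    128: "Treat Universal Naming Connections (UNCs) as intranet connections",
}
KNOWN_MASK = sum(FLAG_BITS)  # 255: every bit the KB list documents
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\.*\\Zones\\(\d+)\]$", re.I)
FLAGS_RE = re.compile(r'^"Flags"=dword:([0-9a-f]{8})$', re.I)

# Constructed sample input (not taken from a real machine).
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"Flags"=dword:00000044
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"Flags"=dword:00000047
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Flags"=dword:00000021
"""

def decode_flags(value):
    """Return (descriptions of the set bits, leftover bits not in the KB list)."""
    names = [text for bit, text in FLAG_BITS.items() if value & bit]
    return names, value & ~KNOWN_MASK

def parse_reg_export(text):
    """Return {(hive, zone_number): flags} for every Zones\\<n> key in the export."""
    found, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key.group(1).upper(), int(key.group(2)))
        elif line.startswith("["):
            current = None  # some other key: ignore its values
        elif current and FLAGS_RE.match(line):
            found[current] = int(FLAGS_RE.match(line).group(1), 16)
    return found

def user_editable(found):
    """Hive/zone pairs whose Flags allow custom settings (1) or adding sites (2)."""
    return sorted(k for k, v in found.items() if v & 3)
```

Comparing the HKLM and HKCU entries for the same zone number shows where the two hives disagree, which matters given the additive behaviour quoted earlier.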

more to come...

Allan Wolff said...

I came upon a 'Trust Setter' tool written a few years ago by 'Jason' which he says will remove sites from the Trusted and Restricted zones. It is described at

11:39 AM  
