Description of Internet Explorer security zones registry entries (182569)

MORE INFORMATION

For more information about computer viruses, click the following article number to view the article in the Microsoft Knowledge Base:

Privacy in Internet Explorer 6

Internet Explorer 6 added a Privacy tab to give users more control over cookies. There are different levels of privacy on the Internet zone, and they are stored in the registry at the same location as the security zones.

You can also add a site to allow or to block cookies based on the site, regardless of the privacy policy on the Web site. Those registry keys are stored in the following registry key: Listed under this key are domains that have been added as a managed site. These domains can carry either of the following DWORD values:

Internet Explorer 4.0 and later

Internet Explorer security zones settings are stored under the following registry keys: These registry keys contain the following keys:

• TemplatePolicies
• ZoneMap
• Zones

Note By default, security zones settings are stored in the HKEY_CURRENT_USER registry key. Because this key is dynamically loaded for each user, the settings for one user do not affect the settings for another.

If the Security Zones: Use only machine settings setting in Group Policy is enabled, or if the Security_HKLM_only DWORD value is present and has a value of 1 in the following registry key, only local computer settings are used and all users have the same security settings: With the Security_HKLM_only policy enabled, HKLM values will be used by Internet Explorer, but the HKCU values will still be displayed in the zone settings on the Security tab in Internet Explorer. This is by design and there are no plans to change this functionality.

If the Security Zones: Use only machine settings setting is not enabled in Group Policy, or if the Security_HKLM_only DWORD value does not exist or is set to 0, computer settings are used along with user settings. However, only user settings appear in the Internet Options. For example, when this DWORD value does not exist or is set to 0, HKEY_LOCAL_MACHINE settings are read along with HKEY_CURRENT_USER settings, but only HKEY_CURRENT_USER settings appear in the Internet Options.
Note With the Security_HKLM_only policy enabled, HKLM values will be used by Internet Explorer, but the HKCU values will still be displayed in the zone setting tab within the Internet Explorer Interface. This is by design, and there are no plans to change this functionality at this time.

TemplatePolicies

The TemplatePolicies key determines the settings of the default security zone levels (Low, Medium Low, Medium, and High). You can change the security level settings from the default settings. However, you cannot add additional security levels. The keys contain values that determine the setting for the security zone. Each key contains a Description string value and a Display Name string value that determine the text that appears on the Security tab for each security level.

ZoneMap

The ZoneMap key contains the following keys:

• Domains
• ProtocolDefaults
• Ranges

The Domains key contains domains and protocols that have been added to change their behavior from the default behavior. When a domain is added, a key is added to the Domains key. Subdomains appear as keys under the domain where they belong. Each key that lists a domain contains a DWORD with a value name of the affected protocol. The value of the DWORD is the same as the numeric value of the security zone where the domain is added.

The ProtocolDefaults key specifies the default security zone that is used for a particular protocol (ftp, http, https). To change the default setting, you can either add a protocol to a security zone by clicking Add Sites on the Security tab, or you can add a DWORD value under the Domains key. The name of the DWORD value must match the protocol name, and it must not contain any colons (:) or slashes (/).

The ProtocolDefaults key also contains DWORD values that specify the default security zones where a protocol is used. You cannot use the controls on the Security tab to change these values. This setting is used when a particular Web site does not fall in a security zone.

The Ranges key contains ranges of TCP/IP addresses. Each TCP/IP range that you specify appears in an arbitrarily named key. This key contains a string value (:Range) that contains the specified TCP/IP range. For each protocol, a DWORD value is added that contains the numeric value of the security zone for the specified IP range.

When the Urlmon.dll file uses the MapUrlToZone public function to resolve a particular URL to a security zone, it uses one of the following methods:

• If the URL contains a fully qualified domain name (FQDN), the Domains key is processed.
  
  In this method, an exact site match overrides a random match.
• If the URL contains an IP address, the Ranges key is processed. The IP address of the URL is compared to the :Range value that is contained in each of the arbitrarily named keys under the Ranges key.
  
  Note Because arbitrarily named keys are processed in the order that they were added to the registry, this method may find a random match before it finds an exact match. If so, the URL may be executed in a different security zone than the zone where it is typically assigned. This behavior is by design.

Zones

The Zones key contains keys that represent each security zone that is defined for the computer. By default, the following five zones are defined (numbered zero through four):

   Value    Setting
   ------------------------------
   0        My Computer
   1        Local Intranet Zone
   2        Trusted sites Zone
   3        Internet Zone
   4        Restricted Sites Zone
				

Note By default, My Computer does not appear in the Zone box on the Security tab.

Each of these keys contains the following DWORD values that represent corresponding settings on the custom Security tab.

Note Unless stated otherwise, each DWORD value is equal to zero, one, or three. Typically, a setting of zero sets a specific action as permitted, a setting of one causes a prompt to appear, and a setting of three does not allow the specific action.

   Value    Setting
   -----------------------------------------------------------------------
   1001     Download signed ActiveX controls
   1004     Download unsigned ActiveX controls
   1200     Run ActiveX controls and plug-ins
   1201     Initialize and script ActiveX controls not marked as safe
   1206     Allow scripting of Internet Explorer Webbrowser control
   1400     Active scripting
   1402     Scripting of Java applets
   1405     Script ActiveX controls marked as safe for scripting
   1406     Access data sources across domains
   1407     Allow paste operations via script
   1601     Submit non-encrypted form data
   1604     Font download
   1605     Run Java
   1606     Userdata persistence
   1607     Navigate sub-frames across different domains
   1608     Allow META REFRESH *
   1609     Display mixed content *
   1800     Installation of desktop items
   1802     Drag and drop or copy and paste files
   1803     File Download
   1804     Launching programs and files in an IFRAME
   1805     Launching programs and files in webview 
   1806     Launching applications and unsafe files
   1807     Reserved **
   1808     Reserved **
   1809     Use Pop-up Blocker **
   1A00     Logon
   1A02     Allow persistent cookies that are stored on your computer
   1A03     Allow per-session cookies (not stored)
   1A04     Don't prompt for client certificate selection when no 
            certificates or only one certificate exists *
   1A05     Allow 3rd party persistent cookies *
   1A06     Allow 3rd party session cookies *
   1A10     Privacy Settings *
   1C00     Java permissions
   1E05     Software channel permissions

   1F00     Reserved **

   2000     Binary and script behaviors
   2001     Run .NET components signed with Authenticode
   2004     Run .NET components not signed with Authenticode
   2100     Open files based on content, not file extension **
   2101     Web sites in less priveleged web content zone can navigate into this zone **
   2102     Allow script initiated windows without size or position constraints **
   2200     Automatic prompting for file downloads **
   2201     Automatic prompting for ActiveX controls **
   2300     Allow web pages to use restricted protocols for active content **
   {AEBA21FA-782A-4A90-978D-B72164C80120}   First Party Cookie *
   {A8A88C49-5EB2-4990-A1A2-0876022C854F}   Third Party Cookie *

*  indicates an Internet Explorer 6 or later setting
** indicates a Windows XP Service Pack 2 or later setting
				

Notes about 1200, 1803, 1A00, 1A10, 1E05, and 1C00

Run ActiveX controls and plug-ins (1200) has an extra setting named Administrator approved. When this setting is turned on, the DWORD value is 00010000. When this setting is turned on, the following registry key is checked for a list of approved controls: There is no prompt setting for File Download (1803) because it is either allowed or not allowed.

Logon setting (1A00) may have any one of the following values (hexadecimal):

Value    Setting
   ---------------------------------------------------------------
   0x00000000 Automatically logon with current username and password
   0x00010000 Prompt for user name and password
   0x00020000 Automatic logon only in the Intranet zone
   0x00030000 Anonymous logon
				

Privacy Settings (1A10) is used by the Privacy tab slider. The DWORD values are: Based on the settings in the slider it will also modify the values in {A8A88C49-5EB2-4990-A1A2-0876022C854F} or {AEBA21Fa-782A-4A90-978D-B72164C80120} or both appropriately.
Software channel permissions (1E05) has 3 different values; high, low, and medium safety. Values for these are: The Java Permissions setting (1C00) has the following five possible values (binary):

   Value    Setting
   -----------------------
   00 00 00 00 Disable Java
   00 00 01 00 High safety
   00 00 02 00 Medium safety
   00 00 03 00 Low safety
   00 00 80 00 Custom
				

If Custom is selected, it uses {7839DA25-F5FE-11D0-883B-0080C726DCBB} (that is located in the same registry location) to store the custom information in a binary.

Each security zone contains the Description string value and the Display Name string value. The text of these values appears on the Security tab when you click a zone in the Zone box. There is also an Icon string value that sets the icon that appears for each zone. Except for the My Computer zone, each zone contains a CurrentLevel, MinLevel, and RecommendedLevel DWORD value. The MinLevel value sets the lowest setting that can be used before you receive a warning message, CurrentLevel is the current setting for the zone, and RecomendedLevel is the recommended level for the zone.

What values for Minlevel, RecommendedLevel, and CurrentLevel mean:

Value (Hexadecimal)        Setting
----------------------------------
0x00010000         Low Security
0x00010500         Medium Low Security
0x00011000         Medium Security
0x00012000         High Security
				

The Flags DWORD value determines the ability of the user to modify the security zone's properties. To determine the Flags value, add the numbers of the appropriate settings together. The following Flags values are available (decimal):

   Value    Setting
   ------------------------------------------------------------------
   1        Allow changes to custom settings
   2        Allow users to add Web sites to this zone
   4        Require verified Web sites (https protocol)
   8        Include Web sites that bypass the proxy server
   16       Include Web sites not listed in other zones
   32       Do not show security zone in Internet Properties (default
            setting for My Computer)
   64       Show the Requires Server Verification dialog box
   128      Treat Universal Naming Connections (UNCs) as intranet
            connections
				

If you add settings to both the HKEY_LOCAL_MACHINE and the HKEY_CURRENT_USER keys, the settings are additive. If you add Web sites to both keys, only those Web sites in the HKEY_CURRENT_USER are visible. The Web sites in the HKEY_LOCAL_MACHINE key are still enforced according to their settings, but they are not available, and you cannot modify them. This situation can be confusing because a Web site may be listed in only one security zone for each protocol.

Internet Explorer 3.x

The security settings for Internet Explorer 3.x are kept in two sections, one for changing options and one for level.

Options that are enabled or disabled are located in the following registry keys: The specific options under the Security tab are: The settings for the safety levels are located in the following registry keys: The options for the registry listings are: