SUMMARY
Warning If you choose to make the changes that are described in this article, you may lose some functionality in some Windows programs and components. Therefore, we recommend that you test the changes extensively to verify that mission-critical programs continue to work correctly for all users before you make these changes in a production environment.
This article describes how an administrator can strengthen the security settings for the Local Machine zone in Microsoft Internet Explorer. The Local Machine zone is also known as the My Computer zone. The information in this article applies to the following configurations:
- 32-bit versions of Internet Explorer on 32-bit versions of Microsoft Windows
- 64-bit versions of Internet Explorer on 64-bit versions of Microsoft Windows XP
- 64-bit versions of Internet Explorer on 64-bit versions of Microsoft Windows Server 2003
Note Microsoft Windows XP Service Pack 2 (SP2) already places restrictions on the Local Machine zone. Therefore, if you have installed Windows XP SP2, you may not have to perform the procedures that are described in this article. For additional information, see the following Microsoft Web sites:
MORE INFORMATION
The Internet Explorer user interface lets you configure four security zones:
- Internet
- Local intranet
- Trusted sites
- Restricted sites
A fifth zone, the Local Machine zone, is an implicit zone that exists on your local computer. You cannot configure the security settings for this zone in Internet Explorer or in the Internet Options Control Panel. However, if you have administrator permissions, you can configure the security settings for the Local Machine zone by changing registry settings.
Internet Explorer lets you assign a Web site to a security zone. A Web site in the Internet zone is subject to more restrictive security settings than a Web site in the Trusted sites zone or in the Local intranet zone. By assigning a Web site to a security zone, you control which operations the Web site can perform on your computer. For example, you can prevent a Web site from performing potentially unsafe operations by assigning it to the zone that has the most restrictive security settings.
Content in the Local Machine zone is subject to less restrictive security settings than content in any other zone. The one exception is content that Internet Explorer has cached on your local computer, which is not treated as Local Machine zone content. A malicious user may try to run arbitrary code on your computer by taking advantage of the less restrictive security settings for the Local Machine zone, for example by tricking Internet Explorer into treating remote content as local content.
Before you strengthen security settings for the Local Machine zone
When you strengthen the security settings for the Local Machine zone, users may experience one or more of the following behaviors:
- Users are prompted before they can open a data source on another domain.
- Users are prompted before they can run a script on a page.
- ActiveX controls and Java programs do not run.
- The Web page that users are trying to open may not be displayed correctly.
The security settings for the Local Machine zone are stored in one of the following registry subkeys, depending on how you manage Internet Explorer security settings:
- If you let users set their own Internet Explorer security settings, the security settings for the Local Machine zone are stored in this subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
- If you force all users to have the same Internet Explorer security settings, the security settings for the Local Machine zone are stored in this subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
By default, the security zone settings are stored in the HKEY_CURRENT_USER subtree. Because this subtree is dynamically loaded for each user, the settings for one user do not affect the settings for another user. To determine whether all users have the same security settings, look for one of the following conditions:
- The Security Zones: Use only machine settings option in Group Policy is enabled.
- The Security_HKLM_only DWORD value exists, and it has a value of 1.
The Security_HKLM_only DWORD value is stored in the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Both computer settings and user settings are used when one of the following conditions is true:
- The Security Zones: Use only machine settings option in Group Policy is not enabled.
- The Security_HKLM_only DWORD value does not exist.
- The Security_HKLM_only DWORD value is set to 0.
In that case, Internet Explorer reads the Local Machine zone settings from both the HKEY_LOCAL_MACHINE subkey and the HKEY_CURRENT_USER subkey. However, only the HKEY_CURRENT_USER settings appear in the Internet Options Control Panel, so the Control Panel alone does not show you the complete set of settings that are in effect.
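Because the Control Panel shows only the HKEY_CURRENT_USER values, an administrator who wants to know what is actually in effect has to read the registry. The following PowerShell script is an added example and is not part of the original article. It reads Security_HKLM_only to decide which hive or hives Internet Explorer consults, then reports each value from the table below with its data and whether it holds the default or the recommended (hardened) data. The function names and output columns are this example's own; the key paths, value names and data come from the article.

```powershell
# Added example (not part of the original article): audit the Local Machine
# zone (zone 0) and report which hive Internet Explorer reads and whether each
# value from the article's table holds its default or its hardened data.
# Only the key paths, value names and data given in the article are used.

$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zonePaths = @{
    HKLM = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
    HKCU = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
}
# Value names and UI labels from the article's table
$settings = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1406' = 'Access data sources across domains'
    '1C00' = 'Java permissions'
}
# Default and recommended data, in the string form the table uses
$defaults = @{ '1200' = '0'; '1201' = '1'; '1400' = '0'; '1406' = '0'; '1C00' = '00 00 02 00' }
$hardened = @{ '1200' = '3'; '1201' = '3'; '1400' = '1'; '1406' = '1'; '1C00' = '00 00 00 00' }
$dwordMeaning = @{ '0' = 'enable'; '1' = 'prompt'; '3' = 'disable' }

function Get-LmzHiveMode {
    # 'MachineOnly' when Security_HKLM_only = 1 (Internet Explorer reads only HKLM),
    # otherwise 'PerUser' (both HKLM and HKCU are read)
    $p = Get-ItemProperty -Path $policyKey -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue
    if ($p -and $p.Security_HKLM_only -eq 1) { 'MachineOnly' } else { 'PerUser' }
}

function Get-LmzData {
    # Returns the value's data as the string form used in the article's table, or $null if unset
    param([string]$Hive, [string]$Name)
    $item = Get-ItemProperty -Path $zonePaths[$Hive] -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $raw = $item.$Name
    if ($Name -eq '1C00') { return (($raw | ForEach-Object { '{0:X2}' -f $_ }) -join ' ') }
    return ([string][int]$raw)
}

function Get-LmzReport {
    $mode  = Get-LmzHiveMode
    $hives = if ($mode -eq 'MachineOnly') { @('HKLM') } else { @('HKLM', 'HKCU') }
    foreach ($name in $settings.Keys) {
        foreach ($hive in $hives) {
            $data  = Get-LmzData -Hive $hive -Name $name
            $state = 'other'
            if ($null -eq $data) { $state = 'not set' }
            elseif ($data -eq $hardened[$name]) { $state = 'hardened' }
            elseif ($data -eq $defaults[$name]) { $state = 'default' }
            $label = $data
            if ($name -ne '1C00' -and $null -ne $data) {
                $m = $dwordMeaning[$data]
                if (-not $m) { $m = 'unknown' }
                $label = "$data ($m)"
            }
            [pscustomobject]@{
                Mode    = $mode
                Hive    = $hive
                Value   = $name
                Setting = $settings[$name]
                Data    = $label
                State   = $state
            }
        }
    }
}

Get-LmzReport | Format-Table -AutoSize
```

In PerUser mode the report lists both hives for every value, so a value that is hardened in HKLM but still at its default in HKCU is visible at a glance; in MachineOnly mode only the HKLM rows are shown because that is all Internet Explorer reads.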
The security settings that are displayed in the Internet Options Control Panel have corresponding numeric values in the registry. The following table shows the default data for each security setting and the recommended data that you can use to strengthen each security setting for the Local Machine zone.
Security Setting Name in the UI                           | Registry Value Name (Type) | Default Registry Value Data | Recommended Registry Value Data
Run ActiveX controls and plug-ins                         | 1200 (DWORD)               | 0                           | 3
Initialize and script ActiveX controls not marked as safe | 1201 (DWORD)               | 1                           | 3
Active scripting                                          | 1400 (DWORD)               | 0                           | 1
Access data sources across domains                        | 1406 (DWORD)               | 0                           | 1
Java permissions                                          | 1C00 (Binary)              | 00 00 02 00                 | 00 00 00 00
In the aforementioned table, the settings for the DWORD values
mean the following:
- 0 indicates that the action is enabled. This is the default
setting.
- 1 indicates that a prompt appears.
- 3 indicates that the action is disabled.
The default setting of 00 00 02 00 for the Binary value
indicates a medium level of safety. The 00 00 00 00 setting disables
Java.
Note For Active scripting, a setting of 1 (prompt) may cause too many prompts to appear. Therefore, you may want to permit scripting instead by setting the Active scripting value to 0. If you do not want Active scripting to prompt, change the data on the line that starts with "1400" from 00000001 to 00000000 in the .reg text in the next section, "How to change security settings for the Local Machine zone."
Warning If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.
How to change security settings for the Local Machine zone
To change the security settings for the Local Machine zone, change the DWORD values, the Binary value, or both, by using one of the following methods. Use the method that is appropriate to your environment: Group Policy in an Active Directory environment, or a .reg file that you run on each client computer.
Strengthening default settings for the Local Machine zone
In an Active Directory environment, use Group Policy Object Editor, formerly known as Group Policy Editor. To strengthen the security settings for the Local Machine zone, follow these steps:
- Copy the following text and paste it into a text editor, such as Notepad.
If users can set their own security settings, use the following text:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000001
"1406"=dword:00000001
"1C00"=hex:00,00,00,00
If all users must use the same security settings, use the following text:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000001
"1406"=dword:00000001
"1C00"=hex:00,00,00,00
- Save the file as ADHardenLMZ.reg.
- On the computer where you want to run Group Policy Object Editor, run the ADHardenLMZ.reg file to import the settings into that computer's registry.
- Open Group Policy Object Editor for the Active Directory object that you want to modify. You may be prompted for the following actions:
  - Permit scripts to run
  - Confirm that you want to continue running scripts
If you receive this prompt, click Yes. If you receive a message that states that your current settings do not allow ActiveX controls to run, click OK.
Note After you strengthen the security settings for the Local Machine zone, the Help pane no longer appears in Group Policy Object Editor.
- Expand User Configuration, expand Windows Settings, expand Internet Explorer Maintenance, and then expand Security. Double-click Security Zones and Content Ratings.
- Click Import the current security zones and privacy settings, and then click OK. This imports all of the security zone and privacy settings from the computer on which you run Group Policy Object Editor, not only the Local Machine zone values, so run it on a computer whose other zone settings are also the ones that you want to deploy.
Restoring default settings for the Local Machine zone
To restore the default settings for the Local Machine zone, follow these steps:
- Copy the following text and paste it into a text editor, such as Notepad.
If users can set their own security settings, use the following text:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000
"1406"=dword:00000000
"1C00"=hex:00,00,02,00
If all users must use the same security settings, use the following text:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000
"1406"=dword:00000000
"1C00"=hex:00,00,02,00
- Save the file as ADDefaultLMZ.reg.
- On the computer where you want to run Group Policy Object Editor, run the ADDefaultLMZ.reg file to import the default settings into that computer's registry.
- Open Group Policy Object Editor for the Active Directory object that you want to modify. You may be prompted for the following actions:
  - Permit scripts to run
  - Confirm that you want to continue running scripts
If you receive this prompt, click Yes. If you receive a message that states that your current settings do not allow ActiveX controls to run, click OK.
Note If the Local Machine zone is still strengthened on this computer, the Help pane does not appear in Group Policy Object Editor.
- Expand User Configuration, expand Windows Settings, expand Internet Explorer Maintenance, and then expand Security. Double-click Security Zones and Content Ratings.
- Click Import the current security zones and privacy settings, and then click OK. This imports all of the security zone and privacy settings from the computer on which you run Group Policy Object Editor, not only the Local Machine zone values.
Strengthening default settings for the Local Machine zone
To strengthen the security settings for the Local Machine zone on individual computers, import the updated security settings into the registry. To do this, follow these steps:
- Copy the following text and paste it into a text editor, such as Notepad.
If users can set their own Internet Explorer security settings, use the following text:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000001
"1406"=dword:00000001
"1C00"=hex:00,00,00,00
If all users have the same security settings, use the following text:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000001
"1406"=dword:00000001
"1C00"=hex:00,00,00,00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"Security_HKLM_only"=dword:00000001
- Save the file as HardenLMZ.reg.
- Run the HardenLMZ.reg file on all client computers to import the settings into the registry.
Restoring default settings for the Local Machine zone
To restore the default settings for the Local Machine zone on individual computers, follow these steps:
- Copy the following text and paste it into a text editor, such as Notepad.
If users can set their own Internet Explorer security settings, use the following text:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000
"1406"=dword:00000000
"1C00"=hex:00,00,02,00
If all users have the same security settings, use the following text:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000
"1406"=dword:00000000
"1C00"=hex:00,00,02,00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"Security_HKLM_only"=dword:00000001
- Save the file as DefaultLMZ.reg.
- Run the DefaultLMZ.reg file on all client computers to import the settings into the registry.
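The .reg files above overwrite the zone 0 values without keeping a copy of what was there, and a typo in one of them fails silently. The following PowerShell function is an added example and is not part of the original article; it performs the same hardening or restore as the HardenLMZ.reg and DefaultLMZ.reg files (and, run on the computer where you open Group Policy Object Editor, the same change as the ADHardenLMZ.reg and ADDefaultLMZ.reg files), but it exports the existing key with reg.exe first and reads every value back afterwards. The function name, the -Scope and -Action parameters and the backup file name are this example's own; the key paths, value names and data come from the article.

```powershell
# Added example (not part of the original article): apply the hardened or the
# default Local Machine zone data from the article's table with a registry
# backup and a read-back check, as an alternative to importing the .reg files.
# -Scope AllUsers writes HKLM and sets Security_HKLM_only = 1, as the article's
# HKEY_LOCAL_MACHINE .reg text does; -Scope CurrentUser writes HKCU.
# The backup file name is this example's own choice.

$lmzData = @{
    Harden  = @{ '1200' = 3; '1201' = 3; '1400' = 1; '1406' = 1; '1C00' = [byte[]](0, 0, 0, 0) }
    Restore = @{ '1200' = 0; '1201' = 1; '1400' = 0; '1406' = 0; '1C00' = [byte[]](0, 0, 2, 0) }
}

function Set-LmzSettings {
    param(
        [Parameter(Mandatory)][ValidateSet('Harden', 'Restore')][string]$Action,
        [Parameter(Mandatory)][ValidateSet('CurrentUser', 'AllUsers')][string]$Scope,
        [string]$BackupDir = $env:TEMP
    )
    $hive     = if ($Scope -eq 'AllUsers') { 'HKLM' } else { 'HKCU' }
    $subKey   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
    $regKey   = "$hive\$subKey"          # form used by reg.exe
    $zonePath = "${hive}:\$subKey"       # form used by the registry provider

    # 1. Back up the key so the change can be undone by importing the .reg file again
    $backup = Join-Path $BackupDir ("LMZ-$hive-" + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.reg')
    & reg.exe export $regKey $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export of $regKey failed" }

    # 2. Write the DWORD values and the Binary value from the article's table
    $values = $lmzData[$Action]
    if (-not (Test-Path $zonePath)) { New-Item -Path $zonePath -Force | Out-Null }
    foreach ($name in $values.Keys) {
        $type = if ($name -eq '1C00') { 'Binary' } else { 'DWord' }
        Set-ItemProperty -Path $zonePath -Name $name -Value $values[$name] -Type $type
    }

    # 3. For all users, make Internet Explorer read only the HKLM settings
    if ($Scope -eq 'AllUsers') {
        $policyPath = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
        if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
        Set-ItemProperty -Path $policyPath -Name 'Security_HKLM_only' -Value 1 -Type DWord
    }

    # 4. Read back and confirm that every value holds the intended data
    $actual = Get-ItemProperty -Path $zonePath
    foreach ($name in $values.Keys) {
        $want = $values[$name]
        $got  = $actual.$name
        $ok = if ($name -eq '1C00') {
            ($null -ne $got) -and (($got -join ',') -eq ($want -join ','))
        } else {
            ($null -ne $got) -and ([int]$got -eq $want)
        }
        if (-not $ok) {
            throw "Read-back failed for $name in ${zonePath}: wanted $($want -join ','), got $($got -join ',')"
        }
    }
    [pscustomobject]@{ Action = $Action; Scope = $Scope; Key = $zonePath; Backup = $backup }
}

# Harden the current user's settings (use an elevated prompt for -Scope AllUsers)
Set-LmzSettings -Action Harden -Scope CurrentUser
```

Run it with -Action Restore to put the default data back, or import the backup .reg file it wrote if you need the exact previous state rather than the article's defaults. Writing HKLM and the Policies key needs an elevated prompt.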
After you strengthen the security settings for the Local Machine zone, you can assign a local HTML file that contains scripts, ActiveX controls, or Java programs to the Internet zone. When Internet Explorer opens the HTML file, it looks for a "saved from url" comment. If it finds one, it applies the security settings for the Internet zone instead of the settings for the Local Machine zone. If the Internet zone is configured to run scripts, ActiveX controls, or Java programs, these items run and you do not experience the behaviors that are described in the "Before you strengthen security settings for the Local Machine zone" section.
To assign a local HTML file to the Internet zone, add a "saved from url" comment to the file. This comment instructs Internet Explorer to apply the security settings for the Internet zone to the HTML file that is saved on your hard disk. The comment must look similar to the following:
<!-- saved from url=(0023)http://www.contoso.com/ -->
The value in parentheses is the number of characters in the URL that follows the equal sign, written as four digits. In this example, http://www.contoso.com/ is 23 characters long, so the value is 0023. Contoso represents the name of an Internet Web site. Internet Explorer uses the URL to decide which zone applies, so choose a URL that you have not assigned to the Trusted sites or Local intranet zone if you want the file to get the Internet zone's settings.
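Hand-counting the URL length is where this goes wrong in practice, so the following PowerShell functions build the comment from the URL and insert it into a local file. This is an added example and is not part of the original article; the function names, the sample file in %TEMP% and its HTML are constructed for this example, and placing the comment on the first line of the file is this example's own choice, since the article does not say where in the file the comment goes.

```powershell
# Added example (not part of the original article): build a "saved from url"
# comment whose four-digit count matches the URL, and insert it into a local
# HTML file so Internet Explorer applies Internet zone settings to that file.
# The sample file and its HTML are constructed for this example. Inserting the
# comment on the first line is an assumption of this example.

function New-SavedFromUrlComment {
    param([Parameter(Mandatory)][string]$Url)
    if ($Url.Length -gt 9999) { throw 'URL is too long for a four-digit count' }
    # The number in parentheses is the URL's character count, zero-padded to four digits
    $count = $Url.Length.ToString('0000')
    "<!-- saved from url=($count)$Url -->"
}

function Add-SavedFromUrlComment {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Url
    )
    $content = Get-Content -Path $Path -Raw
    # Do not stack a second comment on a file that already carries one
    if ($content -match 'saved from url=\(\d{4}\)') {
        return [pscustomobject]@{ Path = $Path; Comment = $null; Changed = $false }
    }
    $comment = New-SavedFromUrlComment -Url $Url
    Set-Content -Path $Path -Value ($comment + "`r`n" + $content)
    [pscustomobject]@{ Path = $Path; Comment = $comment; Changed = $true }
}

# Constructed sample: a local page that runs a script, then mark it for the Internet zone
$sample = Join-Path $env:TEMP 'lmz-sample.htm'
Set-Content -Path $sample -Value '<html><body><script>document.write("hello")</script></body></html>'
New-SavedFromUrlComment -Url 'http://www.contoso.com/'
Add-SavedFromUrlComment -Path $sample -Url 'http://www.contoso.com/'
```

For http://www.contoso.com/ the first function returns exactly the comment shown in the article, with (0023). Because the zone is decided from the URL in the comment, the same function with a URL that you have placed in Trusted sites gives the file that zone's settings instead of the Internet zone's.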