JSI Tip 5130. How can I manage Internet Explorer Security Zones via the registry?

Jerold Schulman

April 7, 2002

The security zone settings for Internet Explorer are located at:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

AND

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings


The values in the two keys are additive: both sets of settings are enforced. If a Web site is added under both keys, only the HKCU entry is visible in the GUI, but both are enforced.

If you want only the machine-based settings to be enforced, copy and paste the following into a HKLM_Only.reg file and merge it with the computer's registry:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"Security_HKLM_only"=dword:00000001

This is the registry form of the Group Policy setting "Security Zones: Use only machine settings". Once it is set, the zone settings and site lists under HKCU are ignored for every user of the computer, so any site-to-zone mappings you rely on must be present under HKLM.


The sub-keys of the Internet Settings key, for both HKLM and HKCU paths, are:

TemplatePolicies
ZoneMap
Zones

The Zones sub-key contains a sub-key for each zone defined. The defaults are:

Key   Meaning
0     My Computer, NOT available in the Zone box of the Security tab.
1     Local Intranet Zone.
2     Trusted sites Zone.
3     Internet Zone.
4     Restricted Sites Zone.

These sub-keys contain the following Value Names:

Value Name         Data Type   Meaning
Description        REG_SZ      Displayed when you select a Zone in the Zone box of the GUI.
DisplayName        REG_SZ      Displayed when you select a Zone in the Zone box of the GUI.
Icon               REG_SZ      The icon that is displayed.
CurrentLevel       REG_DWORD   The current Security setting.
MinLevel           REG_DWORD   The lowest Security level allowed before a warning is issued.
RecommendedLevel   REG_DWORD   The recommended Security level.
Flags              REG_DWORD   Controls the user's ability to modify the Security settings.

The data values for the CurrentLevel, MinLevel, and RecommendedLevel Value Names are:

Data value    Meaning
0x00010000    Low Security.
0x00011000    Medium Security.
0x00012000    High Security.

A CurrentLevel that matches none of these is displayed as Custom in the GUI.

The data values for the Flags Value Name are additive (the Flags data is the sum of the bits that apply):

Data value   Meaning
1            Allow changes to custom settings.
2            Allow users to add Web sites to this zone.
4            Require HTTPS Web sites.
8            Include Web sites that bypass the proxy server.
16           Include Web sites not listed in other zones.
32           Do NOT show security zone in Internet Properties.
64           Show the Requires Server Verification dialog.
128          UNCs are treated as Intranet connections.

NOTE: The My Computer zone does NOT contain the CurrentLevel, MinLevel, and RecommendedLevel Value Names.

The following Value Names are all REG_DWORD data types. Except for 1A00, 1C00 and 1E05, which are described separately below, their data values are:

Data value   Meaning
0            This action is allowed.
1            This action will generate a prompt.
3            This action is prohibited.

Value   Setting Name
1001    Download signed ActiveX controls
1004    Download unsigned ActiveX controls
1200    Run ActiveX controls and plug-ins
1201    Initialize and script ActiveX controls not marked as safe
1206    Allow scripting of Internet Explorer Webbrowser control
1400    Active scripting
1402    Scripting of Java applets
1405    Script ActiveX controls marked as safe for scripting
1406    Access data sources across domains
1407    Allow paste operations via script
1601    Submit non-encrypted form data
1604    Font download
1605    Run Java
1606    Userdata persistence
1607    Navigate sub-frames across different domains
1608    Allow META REFRESH *
1609    Display mixed content *
1800    Installation of desktop items
1802    Drag and drop or copy and paste files
1803    File Download
1804    Launching programs and files in an IFRAME
1805    Launching programs and files in webview
1806    Launching applications and unsafe files
1807    Reserved **
1808    Reserved **
1809    Use Pop-up Blocker **
1A00    Logon
1A02    Allow persistent cookies that are stored on your computer
1A03    Allow per-session cookies (not stored)
1A04    Don't prompt for client certificate selection when no certificates or only one certificate exists *
1A05    Allow 3rd party persistent cookies *
1A06    Allow 3rd party session cookies *
1A10    Privacy Settings *
1C00    Java permissions
1E05    Software channel permissions
1F00    Reserved **
2000    Binary and script behaviors
2001    Run .NET components signed with Authenticode
2004    Run .NET components not signed with Authenticode
2100    Open files based on content, not file extension **
2101    Web sites in less privileged web content zone can navigate into this zone **
2102    Allow script initiated windows without size or position constraints **
2200    Automatic prompting for file downloads **
2201    Automatic prompting for ActiveX controls **
2300    Allow web pages to use restricted protocols for active content **
{AEBA21FA-782A-4A90-978D-B72164C80120}   First Party Cookie *
{A8A88C49-5EB2-4990-A1A2-0876022C854F}   Third Party Cookie *

*  indicates an Internet Explorer 6 or later setting
** indicates a Windows XP Service Pack 2 or later setting

The 1A00 Value Name, a REG_DWORD data type, has the following possible data values:

Decimal Data value   Meaning
0                    Automatically logon with current username and password.
65536                Prompt for user name and password.
131072               Automatic logon only in the Intranet zone.
196608               Anonymous logon.

A value of 0 in the Internet or Restricted sites zone means the browser answers an NTLM or Negotiate challenge from any host in that zone with the current user's Windows credentials; 131072 limits automatic logon to the Intranet zone.

The 1C00 Value Name, a REG_DWORD data type, has the following possible JAVA data values:

Decimal Data value   Meaning
0                    Disable Java.
65536                High safety.
131072               Medium safety.
196608               Low safety.
8388608              Custom.

The 1E05 Value Name, a REG_DWORD data type, specifies software channel permissions.
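The following is an added example and not code from the original tip: a small Python decoder that takes the REG_DWORD values of one Zones\<n> key (as a dict of value name to data, the way regedit shows them) and applies the tables above: it expands the additive Flags bitmask, names the security level, decodes the 0/1/3 action values and the 1A00 logon value, and reports settings worth a second look. The SAMPLE_INTERNET_ZONE dict is constructed for the example, and the HIGH_RISK set is this example's own choice of actions to flag, not something the tip defines.

```python
# Added example, not code from the original article: decode one Zones\<n>
# key's REG_DWORD values with the tables above and flag weak settings.
# Input is a plain dict of value name -> data, as regedit shows it for
# Zones\3. SAMPLE_INTERNET_ZONE is constructed, and HIGH_RISK is this
# example's own choice of actions to flag, not something the article defines.

ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
LEVELS = {0x00010000: "Low", 0x00011000: "Medium", 0x00012000: "High"}
FLAG_BITS = [
    (1, "Allow changes to custom settings"),
    (2, "Allow users to add Web sites to this zone"),
    (4, "Require HTTPS Web sites"),
    (8, "Include Web sites that bypass the proxy server"),
    (16, "Include Web sites not listed in other zones"),
    (32, "Do NOT show security zone in Internet Properties"),
    (64, "Show the Requires Server Verification dialog"),
    (128, "UNCs are treated as Intranet connections"),
]
ACTION_STATES = {0: "allowed", 1: "prompt", 3: "prohibited"}
ACTIONS = {  # subset of the table above; add the remaining rows as needed
    0x1001: "Download signed ActiveX controls",
    0x1004: "Download unsigned ActiveX controls",
    0x1200: "Run ActiveX controls and plug-ins",
    0x1201: "Initialize and script ActiveX controls not marked as safe",
    0x1400: "Active scripting",
    0x1806: "Launching applications and unsafe files",
    0x1A00: "Logon",
}
LOGON = {0: "Automatic logon with current username and password",
         65536: "Prompt for user name and password",
         131072: "Automatic logon only in the Intranet zone",
         196608: "Anonymous logon"}
# Example's own policy (assumption): never "allowed" in Internet/Restricted.
HIGH_RISK = {0x1004, 0x1201, 0x1806}


def decode_flags(flags):
    """Expand the additive Flags DWORD into the names of its set bits."""
    return [name for bit, name in FLAG_BITS if flags & bit]


def decode_level(level):
    """Map CurrentLevel/MinLevel/RecommendedLevel to the slider name."""
    return LEVELS.get(level, "Custom (0x%08X)" % level)


def decode_action(name, data):
    """Decode one value, e.g. ("1004", 0) -> "allowed"; 1A00 uses LOGON."""
    if int(name, 16) == 0x1A00:
        return LOGON.get(data, "unknown logon value %d" % data)
    return ACTION_STATES.get(data, "unknown (%d)" % data)


def audit_zone(zone_id, values):
    """Return findings (strings) for one Zones\\<zone_id> key.

    Names that are not hex action codes (CurrentLevel, Flags, Description,
    ...) are skipped by the loop; the levels are checked separately.
    """
    zone = ZONES[zone_id]
    findings = []
    cur, low = values.get("CurrentLevel"), values.get("MinLevel")
    if isinstance(cur, int) and isinstance(low, int) and cur < low:
        findings.append("%s: CurrentLevel %s is below MinLevel %s"
                        % (zone, decode_level(cur), decode_level(low)))
    for name, data in values.items():
        try:
            code = int(name, 16)
        except ValueError:
            continue
        if zone_id in (3, 4) and code in HIGH_RISK and data == 0:
            findings.append("%s: %04X %s is allowed" % (zone, code, ACTIONS[code]))
        # Automatic logon outside the Intranet zone answers any host's
        # NTLM/Negotiate challenge with the user's Windows credentials.
        if zone_id in (3, 4) and code == 0x1A00 and data == 0:
            findings.append("%s: 1A00 Logon is '%s'" % (zone, LOGON[0]))
    return findings


# Constructed sample: a weakened Internet zone.
SAMPLE_INTERNET_ZONE = {
    "CurrentLevel": 0x00010000, "MinLevel": 0x00011000,
    "RecommendedLevel": 0x00011000, "Flags": 0x00000001,
    "1004": 0, "1201": 3, "1400": 0, "1806": 1, "1A00": 0,
}

if __name__ == "__main__":
    print("Flags:", ", ".join(decode_flags(SAMPLE_INTERNET_ZONE["Flags"])))
    for finding in audit_zone(3, SAMPLE_INTERNET_ZONE):
        print(finding)
```

Feed audit_zone() the values of Zones\3 and Zones\4 from an export of both the HKCU and HKLM keys; since the two hives are additive, a weak value in either one is enforced.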

The TemplatePolicies sub-key of the Internet Settings key holds the default security zone settings. Its Low, Medium, and High sub-keys contain Value Names that represent the values a zone receives when that level is selected.

The ZoneMap sub-key of the Internet Settings key has the following sub-keys: Domains, ProtocolDefaults and Ranges.

Domains - Contains the domains and protocols that have been added to zones. Each added domain is a sub-key of Domains, and sub-domains are sub-keys of the domain they belong to (for example, Domains\example.com\www holds the entries for www.example.com). Each domain sub-key has a protocol Value Name (ftp, http, https, etc.), a REG_DWORD whose data is the number of the security zone (0 through 4, as listed above; for example, 2 is the Trusted sites zone) to which it was added.

The ProtocolDefaults sub-key of ZoneMap defines the default security zone for a given protocol. Add a Value Name for the protocol (file, ftp, http, https, etc.) with NO colons (:) or slashes (/); these REG_DWORD values have the following possible data values:

Key   Meaning
0     My Computer, NOT available in the Zone box of the Security tab.
1     Local Intranet Zone.
2     Trusted sites Zone.
3     Internet Zone.
4     Restricted Sites Zone.

The Ranges sub-key of ZoneMap contains arbitrarily named sub-keys (Range1, Range2, ...) that define ranges of TCP/IP addresses. In each of these sub-keys the :Range Value Name, a REG_SZ data type, contains the range affected (for example 192.168.0.*), and the * Value Name, a REG_DWORD data type, contains the security zone that the range falls within (0x1 is Local Intranet).
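The following is an added example, not code from the original tip: a Python script that parses a regedit export (REGEDIT4 text) of the ZoneMap keys from both hives, rebuilds host names from the Domains sub-key layout, reads the :Range and * values under Ranges, and lists which host or address range is mapped to which zone. It also looks for the Security_HKLM_only policy value from the start of the tip and, when it is set, drops the HKCU entries, which is what Internet Explorer does with them. The SAMPLE_REG text is constructed; treating a * value under a Domains sub-key as "all protocols" is this example's assumption, since the tip documents * only under Ranges.

```python
# Added example, not code from the original article: parse a regedit export
# (REGEDIT4 text) of the ZoneMap key and list which hosts and address ranges
# are mapped to which zone, honouring Security_HKLM_only. SAMPLE_REG is
# constructed. Treating a "*" value under Domains as "all protocols" is this
# example's assumption; the article documents "*" only under Ranges.
import re

ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')
POLICY_KEY_RE = re.compile(
    r"\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings$", re.I)
ZONEMAP_RE = re.compile(r"\\ZoneMap\\(Domains|Ranges)\\(.+)$", re.I)


def parse_reg(text):
    """Return {(hive, subkey): {value_name: int | str}} from a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, hexval, strval = m.groups()
            keys[current][name] = int(hexval, 16) if hexval is not None else strval
    return keys


def hklm_only_enforced(keys):
    """True when the Policies key sets Security_HKLM_only=1 (see above)."""
    for (hive, subkey), values in keys.items():
        if hive == "HKEY_LOCAL_MACHINE" and POLICY_KEY_RE.search(subkey):
            return values.get("Security_HKLM_only") == 1
    return False


def zone_mappings(keys, hklm_only=False):
    """Return (hive, pattern, protocol, zone) tuples for Domains and Ranges.

    With hklm_only=True the HKCU entries are dropped, which is what
    Security_HKLM_only does to the settings IE actually enforces.
    """
    out = []
    for (hive, subkey), values in keys.items():
        if hklm_only and hive == "HKEY_CURRENT_USER":
            continue
        m = ZONEMAP_RE.search(subkey)
        if not m:
            continue
        kind, rest = m.group(1).lower(), m.group(2)
        if kind == "domains":
            # Domains\example.com\www holds the values for www.example.com
            host = ".".join(reversed(rest.split("\\")))
            for proto, zone in values.items():
                if isinstance(zone, int):
                    out.append((hive, host, proto, ZONES.get(zone, "unknown")))
        else:
            rng, zone = values.get(":Range"), values.get("*")
            if isinstance(rng, str) and isinstance(zone, int):
                out.append((hive, rng, "*", ZONES.get(zone, "unknown")))
    return out


# Constructed sample export. The HKCU entry for example.com is ignored
# because the Policies key sets Security_HKLM_only.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"Security_HKLM_only"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com]
"http"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\www]
"https"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\badsite.test]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="192.168.0.*"
"*"=dword:00000001
"""

if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for row in zone_mappings(keys, hklm_only=hklm_only_enforced(keys)):
        print("%-18s %-22s %-6s -> %s" % row)
```

Run it against a real export (regedit's File, Export of the two Internet Settings keys plus the Policies key) to see which hosts have been placed in the Trusted sites or Local Intranet zone, and by which hive; entries that appear only under HKCU are the ones a user, or software running as that user, was able to add.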


