JSI Tip 5130. How can I manage Internet Explorer Security Zones via the registry?

The security zone settings for Internet Explorer are located at:

HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionInternet Settings

                    AND

HKEY_Local_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet Settings

The values that are located in both keys are additive. If a Web site is added to both keys, only the HKCU sites can be seen in the GUI, but both settings are enforced.

If you only want machine based settings to be enforced, copy and paste the following to a HKLM_Only.reg file and Merge it with the computers registry:

REGEDIT4

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet Settings]
"Security_HKLM_only"=dword:00000001

The sub-keys of the Internet Settings key, for both HKLM and HKCU paths, are:

TemplatePolicies
ZoneMap
Zones

The Zones sub-key contains a sub-key for each zone defined. The defaults are:

These sub-keys contain the following Value Names:

The data values for the CurrentLevel, MinLevel, and RecommendedLevel Value Names are:

The data values for the Flags value Name are additive:

NOTE: The My Computer zone does NOT contain the CurrentLevel, MinLevel, and RecommendedLevel Value Names.

The following Value Names are all REG_DWORD data types. Their data values are:

   Value    Setting   Name   1001     Download signed ActiveX controls   1004     Download unsigned ActiveX controls   1200     Run ActiveX controls and plug-ins   1201     Initialize and script ActiveX controls not marked as safe   1206     Allow scripting of Internet Explorer Webbrowser control   1400     Active scripting   1402     Scripting of Java applets   1405     Script ActiveX controls marked as safe for scripting   1406     Access data sources across domains   1407     Allow paste operations via script   1601     Submit non-encrypted form data   1604     Font download   1605     Run Java   1606     Userdata persistence   1607     Navigate sub-frames across different domains   1608     Allow META REFRESH *   1609     Display mixed content *   1800     Installation of desktop items   1802     Drag and drop or copy and paste files   1803     File Download   1804     Launching programs and files in an IFRAME   1805     Launching programs and files in webview    1806     Launching applications and unsafe files   1807     Reserved **   1808     Reserved **   1809     Use Pop-up Blocker **   1A00     Logon   1A02     Allow persistent cookies that are stored on your computer   1A03     Allow per-session cookies (not stored)   1A04     Don't prompt for client certificate selection when no             certificates or only one certificate exists *   1A05     Allow 3rd party persistent cookies *   1A06     Allow 3rd party session cookies *   1A10     Privacy Settings *   1C00     Java permissions   1E05     Software channel permissions   1F00     Reserved **   2000     Binary and script behaviors   2001     Run .NET components signed with Authenticode   2004     Run .NET components not signed with Authenticode   2100     Open files based on content, not file extension **   2101     Web sites in less priveleged web content zone can navigate into this zone **   2102     Allow script initiated windows without size or position constraints **   2200     Automatic prompting for file downloads **   2201     Automatic prompting for ActiveX controls **   2300     Allow web pages to use restricted protocols for active content **   {AEBA21FA-782A-4A90-978D-B72164C80120}   First Party Cookie *   {A8A88C49-5EB2-4990-A1A2-0876022C854F}   Third Party Cookie **  indicates an Internet Explorer 6 or later setting** indicates a Windows XP Service Pack 2 or later setting

The 1A00 Value Name, a REG_DWORD data type, has the following possible data values:

The 1C00 Value Name, a REG_DWORD data type, has the following possible JAVA data values:

The 1E05 Value Name, a REG_DWORD data type, specifies software channel permissions.

The TemplatePolicies sub-key of the Internet Settings key has the defaultsecurity zones settings. The Low, Medium, and High sub-keys contains Value Names that represents the Zones default values.

The ZoneMap sub-key of the Internet Settings key has the following sub-keys:

Domains - Contains domains and protocols that have been added. Each added domain is a sub-key of Domains. Sub-domains are sub-keys of the the domain that they belong to. Each domain has a protocol Value Name (ftp, http, https, etc.) whose data value is the numerical value of the security zone (0x00012000 is High Security) to which it is added.

The ProtocolDefaults sub-key of the Internet Settings key defines the default security zone for a given protocol, by adding a Value Name (file, ftp, http, https, etc.), with NO colons (:) or slashes (/). These REG_DWORD data types the following possible data values:

The Ranges sub-key of the Internet Settings key contain arbitrary sub-keys that define the ranges of the TCP/IP address. The :Ranges Value Name of these arbitrary sub-keys, a REG_SZ data type, contains the range affected (192.168.0.*). A * Value Name, a REG_DWORD data type, contains the security zone that the range falls within (0x1 is Local Intranet).