Exposing IE’s Hidden Zone
IE security zone customization
September 19, 2004
Customizing the My Computer Zone
The My Computer zone represents your local computer, which means all other computers—including intranet and Internet sites—are considered to be in one of the other security zones. Microsoft presets the security configuration for the My Computer zone, but you can change that configuration.
Tightening the security of users' My Computer zone is a good idea. Malicious code such as the Download.Ject Trojan horse often relies on the looser default settings of the My Computer zone (scripts and controls that run in the local zone are trusted far more than content from the Internet), so tightening this zone takes much of the sting out of such code. In addition, once the My Computer zone is locked down, you can loosen the Internet zone to allow scripting components, ActiveX controls, and other components without overly exposing a system to intrusion.
As I mentioned previously, the My Computer zone doesn't show up on IE's Security tab like the other four zones do. For the My Computer zone to appear, you need to manually edit the registry or use a third-party tool to change the zone's security settings.
Manually editing the registry. To manually edit the registry, open a registry editor (e.g., regedit) and navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones key. As Figure 1 shows, you'll see five subkeys listed:
Zone 0 (represents the My Computer zone)
Zone 1 (represents the Local intranet zone)
Zone 2 (represents the Trusted sites zone)
Zone 3 (represents the Internet zone)
Zone 4 (represents the Restricted sites zone)
When you look at the entries in each subkey, you'll see that the names are cryptic. Without a guide, trying to figure out which entry enables or disables the various IE features would be difficult and tedious. Fortunately, the Microsoft article "Description of Internet Explorer security zones registry entries" (http://support.microsoft.com/?kbid=182569) describes what each entry is for and the possible values.
In each of the five subkeys, you'll find the Flags entry, which specifies the degree to which the user can modify a security zone's properties. This entry is a DWORD value that you calculate by adding together the values that represent the desired capabilities (each capability is a single bit, so no two values overlap). Table 1 shows the possible capabilities and their values. Regedit displays and edits DWORD values in hexadecimal by default, and .reg files always store them that way, so you need to convert the resulting decimal total to a hexadecimal number.
For example, suppose you want to allow changes to custom settings (1), allow users to add Web sites (2), require verified Web sites (4), and show the Requires Server Verification dialog box (64) for the My Computer zone. Adding the decimal values together gives you a total of 71, which is equal to the hexadecimal value of 47. (You can use the Windows Calculator to convert a decimal value to a hex value. On the Start menu, select Programs, Accessories, Calculator. In Calculator, select Scientific on the View menu. Use the number pad to enter the decimal value, then select the Hex radio button.)
To determine the functionalities that the current registry setting specifies, you can reverse this process. You can convert the Flags entry's hex value into a decimal value. Then, using Table 1, you can determine which values were used.
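The Table 1 arithmetic in both directions, as an added example that is not part of the original article: a small Python helper that sums capability values into a Flags DWORD, formats it the way regedit and .reg files show it, and decodes an existing value back into capability names. Only the bit values the article mentions (1, 2, 4, 16, 32, 64) are included, with names paraphrased from the article; any other bit is reported as unknown rather than guessed at.

```python
# Added example, not part of the original article: encode and decode the
# Flags DWORD of an IE security zone. Only the capability bits the article
# lists (1, 2, 4, 16, 32, 64) are included; the names are paraphrased from
# the article's description of Table 1. Any other bit set in a value is
# reported as "unknown" instead of being guessed at.

FLAG_BITS = {
    0x01: "allow changes to custom settings",
    0x02: "allow users to add Web sites to this zone",
    0x04: "require verified (https) Web sites",
    0x10: "include Web sites not listed in other zones",
    0x20: "do not show this zone on the Security tab",
    0x40: "show the Requires Server Verification dialog box",
}
_BIT_BY_NAME = {name: bit for bit, name in FLAG_BITS.items()}
_KNOWN_MASK = sum(FLAG_BITS)


def encode_flags(*capabilities: str) -> int:
    """Sum the bit values of the named capabilities into one DWORD."""
    value = 0
    for cap in capabilities:
        if cap not in _BIT_BY_NAME:
            raise ValueError(f"unknown capability: {cap!r}")
        value |= _BIT_BY_NAME[cap]
    return value


def decode_flags(value: int) -> tuple[list[str], int]:
    """Split a Flags DWORD into the capability names it grants and any bits
    this table does not know about (returned as an int, 0 if none)."""
    names = [name for bit, name in sorted(FLAG_BITS.items()) if value & bit]
    return names, value & ~_KNOWN_MASK


def flags_from_regedit(hex_text: str) -> int:
    """Parse the value as regedit shows it (hex, e.g. '47' or '0x00000047')."""
    return int(hex_text, 16)


def as_reg_dword(value: int) -> str:
    """Format as a .reg file stores it, e.g. dword:00000047."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("DWORD out of range")
    return f"dword:{value:08x}"


if __name__ == "__main__":
    # The article's worked example: 1 + 2 + 4 + 64 = 71 = 0x47.
    v = encode_flags("allow changes to custom settings",
                     "allow users to add Web sites to this zone",
                     "require verified (https) Web sites",
                     "show the Requires Server Verification dialog box")
    print(v, as_reg_dword(v))
    print(decode_flags(flags_from_regedit("47")))
```

Feed decode_flags the hex value you read out of the Zone n subkey (via flags_from_regedit) to audit what a zone currently permits; a nonzero second return value means the zone uses a bit outside the ones covered here, so look it up in the Microsoft article before changing it.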
For purposes of easily changing the My Computer zone's security settings, here's a shortcut you might be able to use, depending on which version of IE and Windows you're using: In the registry, change the Zone 0 subkey's Flags entry to a hex value of 47, which will cause the My Computer zone to appear on IE's Security tab. With the My Computer zone now visible, you can use the Security tab options to change that zone's security settings. For more information about this shortcut, read the Microsoft article "How to Enable the My Computer Security Zone in Internet Options" (http://support.microsoft.com/?kbid=315933).
Before you jump into customizing the My Computer zone settings, be aware that there's a chance you might break the functionality of applications that rely on specific IE settings. You should consider performing trials to determine whether your adjusted settings cause any problems with your other applications.
Third-party tools. Another way to edit the My Computer zone's security settings is to use a third-party tool, such as PivX Solutions' Qwik-Fix Pro (http://www.pivx.com). With Qwik-Fix Pro, you can reconfigure the security settings of the My Computer zone in one fell swoop with a click of a button, or you can use Qwik-Fix Pro's settings as a guideline and manually reconfigure the zone. In the latter approach, you create custom registry files, then import those files into the systems of your choice. To create an importable registry file for the My Computer zone, you need to export the Zone 0 subkey to a .reg file, modify the values in the file as you see fit, then import the file back into the registry (more on this process in the next section).
Table 2 lists the entries that Qwik-Fix Pro modifies to tighten security. The table also provides the default values for those entries and the values that Qwik-Fix Pro recommends. Settings not listed in Table 2 aren't changed by Qwik-Fix Pro at the time of this writing.
As you'll learn in the Microsoft article "Description of Internet Explorer security zones registry entries," most zone entries use a value of 0 to enable a particular functionality, a value of 1 to prompt the user before enabling it, and a value of 3 to disable it. (The value of 2 isn't used.) One exception is the 1E05 entry (software channel permissions), whose values are larger and are shown in hexadecimal: a setting of 0x10000 means high security, 0x20000 means medium security, and 0x30000 means low security.
Adding Custom Zones
You can easily add more security zones that have custom security settings. Adding new zones provides a way to obtain a more granular level of trust. For example, you can configure the built-in Internet zone to have high security settings, then add two more zones for Internet-related use: one for medium security and one for medium-low security. You can then add particular Web sites to each of the new zones, depending on how you rank a Web site's risk to your environment. Let's walk through the process of adding these two new zones.
A simple way to add a new zone to IE is to copy an existing zone and modify its security settings. To copy a zone, open regedit, then use regedit's Export function to export the zone subkey to a .reg file. In this case, you'd export the Zone 4 subkey because the last zone in the default IE installation is Zone 4.
Next, use a text editor such as Notepad to open the .reg file. Perform the following steps:
1. Find the zone number at the end of the registry subkey path and increment it by 1. For this example, change 4 to 5.
2. Change the DisplayName value to a name that's appropriate for your new zone.
3. Change the Description value to something meaningful.
4. If you want to be able to add Web sites to the zone, change the Flags value. As Table 1 shows, if you set the Flags value to 32, the zone won't appear on IE's Security tab. If you set the Flags value to 1, the zone will appear on the tab and users can change its values, but they won't be able to add sites to the zone. So, you need to set the value to at least 2, which tells IE that users can add Web sites to the zone. If you want all sites not explicitly listed in another zone to fall into your new zone, set the Flags value to 18, which is value 16 (include Web sites not listed in other zones) plus value 2 (allow users to add Web sites to this zone). Keep in mind that only one security zone should include the value of 16 in its Flags setting; by default that zone is the Internet zone (Zone 3), so remove 16 from its Flags if you move the catch-all role to a new zone.
5. Save the .reg file. Figure 2 shows an example of what the modified .reg file might look like.
6. Make a copy of the .reg file you just saved, then open the copy in Notepad. Repeat Steps 1 through 5, except in Step 1, change the zone number to 6.
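The six steps above done by program rather than in Notepad, as an added example that is not part of the original article. The Python below takes the text of an exported Zone 4 subkey, renumbers the subkey, sets DisplayName, Description and Flags, refuses Flags values that would hide the zone or prevent adding sites, and checks that only one zone in a set of .reg files carries the catch-all value 16. SAMPLE_ZONE4_REG is a constructed stand-in for a real regedit export: it contains only a few of the zone's many entries, with assumed values, not IE's actual defaults.

```python
# Added example, not part of the original article: build the Zone 5 and
# Zone 6 .reg files of the walkthrough from an exported Zone 4 file.
# SAMPLE_ZONE4_REG is a constructed stand-in for a real regedit export:
# only a few zone entries are included and their values are assumed.
import re

SAMPLE_ZONE4_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"Description"="This zone contains Web sites that could potentially damage your computer or data."
"Flags"=dword:00000043
"1001"=dword:00000003
"1200"=dword:00000003
"""

# Matches the subkey line and captures everything up to the zone number.
_KEY_RE = re.compile(r"^\[(.*\\Zones\\)(\d+)\]$", re.MULTILINE)
_FLAGS_RE = re.compile(r'^"Flags"=dword:([0-9a-fA-F]{8})$', re.MULTILINE)

FLAG_ADD_SITES = 0x02   # Table 1: users can add Web sites to the zone
FLAG_CATCH_ALL = 0x10   # Table 1: include Web sites not listed in other zones
FLAG_HIDDEN = 0x20      # Table 1: do not show the zone on the Security tab


def _set_string(text: str, name: str, value: str) -> str:
    pat = re.compile(rf'^"{re.escape(name)}"=".*"$', re.MULTILINE)
    if not pat.search(text):
        raise ValueError(f'no "{name}" string entry in export')
    return pat.sub(lambda _m: f'"{name}"="{value}"', text, count=1)


def _set_dword(text: str, name: str, value: int) -> str:
    pat = re.compile(rf'^"{re.escape(name)}"=dword:[0-9a-fA-F]{{8}}$', re.MULTILINE)
    if not pat.search(text):
        raise ValueError(f'no "{name}" DWORD entry in export')
    return pat.sub(lambda _m: f'"{name}"=dword:{value:08x}', text, count=1)


def make_zone_reg(export: str, zone: int, display_name: str,
                  description: str, flags: int) -> str:
    """Steps 1-4 of the walkthrough: renumber the subkey, rename the zone
    and set its Flags. Every other entry is copied from the export."""
    if not _KEY_RE.search(export):
        raise ValueError("export does not contain a ...\\Zones\\<n> subkey")
    if flags & FLAG_HIDDEN:
        raise ValueError("Flags includes 32: zone would not appear on the Security tab")
    if not flags & FLAG_ADD_SITES:
        raise ValueError("Flags lacks 2: users could not add sites to the zone")
    out = _KEY_RE.sub(lambda m: f"[{m.group(1)}{zone}]", export, count=1)
    out = _set_string(out, "DisplayName", display_name)
    out = _set_string(out, "Description", description)
    return _set_dword(out, "Flags", flags)


def zone_number(reg_text: str) -> int:
    return int(_KEY_RE.search(reg_text).group(2))


def flags_of(reg_text: str) -> int:
    return int(_FLAGS_RE.search(reg_text).group(1), 16)


def catch_all_zones(reg_texts) -> list[int]:
    """Zones whose Flags include 16. Only one zone should ever be in this list."""
    return [zone_number(t) for t in reg_texts if flags_of(t) & FLAG_CATCH_ALL]


def write_reg(path: str, reg_text: str) -> None:
    # "Version 5.00" exports are UTF-16 (with BOM) and CRLF-terminated;
    # writing them the same way keeps regedit happy on import.
    with open(path, "w", encoding="utf-16", newline="\r\n") as fh:
        fh.write(reg_text)


if __name__ == "__main__":
    zone5 = make_zone_reg(SAMPLE_ZONE4_REG, 5, "Medium Internet",
                          "Sites ranked medium risk", FLAG_ADD_SITES)
    zone6 = make_zone_reg(SAMPLE_ZONE4_REG, 6, "Medium-low Internet",
                          "Sites ranked medium-low risk", FLAG_ADD_SITES)
    assert catch_all_zones([SAMPLE_ZONE4_REG, zone5, zone6]) == []
    write_reg("zone5.reg", zone5)
    write_reg("zone6.reg", zone6)
```

To use it against a real system, replace SAMPLE_ZONE4_REG with the contents of your own Zone 4 export (read with encoding "utf-16", since that is how regedit writes Version 5.00 files), and pass the Internet zone's export into catch_all_zones along with the new files so that a second catch-all zone is caught before import.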
At this point, you have two .reg files ready for import into the registry. Open regedit and use its Import function to import the files. Open the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones key. You should see the Zone 5 and Zone 6 subkeys. Keep in mind that, as the Microsoft article explains, IE reads zone settings from the matching Zones key under HKEY_CURRENT_USER by default and uses the HKEY_LOCAL_MACHINE settings only when the Security_HKLM_only DWORD entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings is set to 1, so confirm that the new zones actually appear in IE before you roll the files out.
Now that the registry contains the new zones, you need to finish customizing the new zones' security settings. Although you could have customized the .reg file in Notepad, it's much easier to modify the rest of the security settings through IE's Security tab. So, open IE and navigate to the Security tab. You should see the two new zones listed alongside the other visible zones. Edit the security settings of the new zones the same way you'd edit the security settings of any other zone. If you want to use these zones in other systems on your network, you can export their registry subkeys to .reg files, then import those .reg files into the other systems.
That's all there is to it! As you can see, tightening security by customizing the My Computer zone and adding custom zones is easy once you know a few trade secrets, such as which registry subkeys to use and what the entry names and values mean.