Internet Explorer 5.0 and later versions of Internet Explorer
Internet Explorer security zones settings are stored under the
following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
These registry keys contain the following keys:
TemplatePolicies
ZoneMap
Zones
Note:
By default, security zones settings are stored in the
HKEY_CURRENT_USER registry subtree. Because this subtree is
dynamically loaded for each user, the settings for one user do not
affect the settings for another.
If the "Security Zones use only machine settings" setting in Group Policy is enabled, or if
the Security_HKLM_only DWORD value is present and has a value of 1 in
the following registry subkey, only local computer settings are used
and all users have the same security settings:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
With the Security_HKLM_only policy enabled, HKLM values will be used
by Internet Explorer. However, the HKCU values will still be displayed
in the zone settings on the Security tab in Internet Explorer. In
Internet Explorer 7, the Security tab of the Internet Options dialog
box displays the following message to indicate that settings are
managed by the system administrator:
Some settings are managed by your system administrator
If the "Security Zones use only machine settings" setting is not enabled in Group Policy, or
if the Security_HKLM_only DWORD value does not exist or is set to 0,
computer settings are used together with user settings. However, only
user settings appear in the Internet Options.
For example, when this DWORD value does not exist or is set to 0,
HKEY_LOCAL_MACHINE settings are read together with HKEY_CURRENT_USER
settings, but only HKEY_CURRENT_USER settings appear in the Internet
Options.
TemplatePolicies
The TemplatePolicies key determines the settings of the default
security zone levels. These levels are Low, Medium Low, Medium, and
High. You can change the security level settings from the default
settings. However, you cannot add more security levels. The keys
contain values that determine the setting for the security zone. Each
key contains a Description string value and a Display Name string
value that determine the text that appears on the Security tab for
each security level.
ZoneMap
The ZoneMap key contains the following keys:
Domains
EscDomains
ProtocolDefaults
Ranges
The Domains key contains domains and protocols that have been added to
change their behavior from the default behavior. When a domain is
added, a key is added to the Domains key. Subdomains appear as keys
under the domain where they belong. Each key that lists a domain
contains a DWORD with a value name of the affected protocol. The value
of the DWORD is the same as the numeric value of the security zone
where the domain is added.
The EscDomains key resembles the Domains key except that the
EscDomains key applies to those protocols that are affected by the
Enhanced Security Configuration (ESC). ESC was introduced in Microsoft
Windows Server 2003.
The ProtocolDefaults key specifies the default security zone that is
used for a particular protocol (ftp, http, https). To change the
default setting, you can either add a protocol to a security zone by
clicking Add Sites on the Security tab, or you can add a DWORD value
under the Domains key. The name of the DWORD value must match the
protocol name, and it must not contain any colons (:) or slashes (/).
The ProtocolDefaults key also contains DWORD values that specify the
default security zones where a protocol is used. You cannot use the
controls on the Security tab to change these values. This setting is
used when a particular Web site does not fall in a security zone.
The Ranges key contains ranges of TCP/IP addresses. Each TCP/IP range
that you specify appears in an arbitrarily named key. This key
contains a :Range string value that contains the specified TCP/IP
range. For each protocol, a DWORD value is added that contains the
numeric value of the security zone for the specified IP range.
When the Urlmon.dll file uses the MapUrlToZone public function to
resolve a particular URL to a security zone, it uses one of the
following methods:
- If the URL contains a fully qualified domain name (FQDN), the Domains
  key is processed. In this method, an exact site match overrides a
  random match.
- If the URL contains an IP address, the Ranges key is processed. The IP
  address of the URL is compared to the :Range value that is contained
  in the arbitrarily named keys under the Ranges key.
Note:
Because arbitrarily named keys are processed in the order that they
were added to the registry, this method may find a random match before
it finds a match. If this method does find a random match first, the
URL may be executed in a different security zone than the zone where
it is typically assigned. This behavior is by design.
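The lookup order described above, as an added example that is not part of the original article and is not Urlmon.dll's implementation: a simplified Python model over a constructed ZoneMap. The key names, the example.test hosts, the first-last notation for :Range, and the rule that a domain key's value also covers its subdomains are assumptions of the model.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed ZoneMap contents (not from a real machine). Dict insertion order
# stands in for "the order that keys were added to the registry".
ZONEMAP = {
    "Domains": {
        "example.test": {                        # domain key
            "values": {"https": 2},              # protocol DWORD -> zone 2
            "subkeys": {"legacy": {"http": 4}},  # subdomain key -> zone 4
        },
    },
    "Ranges": {
        "Range1": {":Range": "10.0.0.0-10.255.255.255", "http": 1},
        "Range2": {":Range": "10.9.0.0-10.9.0.255", "http": 4},
    },
    "ProtocolDefaults": {"http": 3, "https": 3, "ftp": 3},
}

def in_range(ip, spec):
    # Assumed "first-last" notation; the page does not give the :Range syntax.
    first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
    return ip.version == first.version and first <= ip <= last

def resolve_zone(url, zonemap=ZONEMAP):
    """Return the zone number for url under this simplified model."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Ranges: the first matching key in insertion order wins.
        for key in zonemap["Ranges"].values():
            if scheme in key and in_range(ip, key[":Range"]):
                return key[scheme]
    else:
        for domain, key in zonemap["Domains"].items():
            if host == domain or host.endswith("." + domain):
                sub = "" if host == domain else host[: -len(domain) - 1]
                exact = key["subkeys"].get(sub, {})
                if scheme in exact:              # exact site match has priority
                    return exact[scheme]
                if scheme in key["values"]:
                    return key["values"][scheme]
    # No zone matched: fall back to the protocol's default zone.
    return zonemap["ProtocolDefaults"].get(scheme)
```

Because Range1 was added first, http://10.9.0.5/ resolves to zone 1 and the narrower Range2 entry that would place it in zone 4 is never consulted; listing the Ranges keys in creation order during an audit exposes this kind of overlap.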
Zones
Note:
By default, starting with Windows XP SP2, the Local Machine Zone is
locked down to help improve security. For more information, click the
following article number to view the article in the Microsoft
Knowledge Base:
922704 Information about some new Group Policy settings for Internet
Explorer Security Zones in Microsoft Windows XP Service Pack 2 and in
Microsoft Windows Server 2003 Service Pack 1
For more information, visit the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver/en/library/aebcfc94-25d5-4f41-93cc-7fb6e031de401033.mspx?mfr=true
The Zones key contains keys that represent each security zone that is
defined for the computer. By default, the following five zones are
defined (numbered zero through four):
Value Setting
------------------------------
0 My Computer
1 Local Intranet Zone
2 Trusted sites Zone
3 Internet Zone
4 Restricted Sites Zone
Note:
By default, My Computer does not appear in the Zone box on the
Security tab.
Each of these keys contains the following DWORD values that represent
corresponding settings on the custom Security tab.
Note:
Unless stated otherwise, each DWORD value is equal to zero, one, or
three. Typically, a setting of zero sets a specific action as
permitted, a setting of one causes a prompt to appear, and a setting
of three prohibits the specific action.
Value Setting
------------------------------
1001 ActiveX controls and plug-ins: Download signed ActiveX controls
1004 ActiveX controls and plug-ins: Download unsigned ActiveX controls
1200 ActiveX controls and plug-ins: Run ActiveX controls and plug-ins
1201 ActiveX controls and plug-ins: Initialize and script ActiveX controls not marked as safe for scripting
1206 Miscellaneous: Allow scripting of Internet Explorer Web browser control ^
1207 Reserved #
1208 ActiveX controls and plug-ins: Allow previously unused ActiveX controls to run without prompt ^
1209 ActiveX controls and plug-ins: Allow Scriptlets
120A ActiveX controls and plug-ins: Override Per-Site (domain-based) ActiveX restrictions
120B ActiveX controls and plug-ins: Override Per-Site (domain-based) ActiveX restrictions
1400 Scripting: Active scripting
1402 Scripting: Scripting of Java applets
1405 ActiveX controls and plug-ins: Script ActiveX controls marked as safe for scripting
1406 Miscellaneous: Access data sources across domains
1407 Scripting: Allow Programmatic clipboard access
1408 Reserved #
1409 Scripting: Enable XSS Filter
1601 Miscellaneous: Submit non-encrypted form data
1604 Downloads: Font download
1605 Run Java #
1606 Miscellaneous: Userdata persistence ^
1607 Miscellaneous: Navigate sub-frames across different domains
1608 Miscellaneous: Allow META REFRESH * ^
1609 Miscellaneous: Display mixed content *
160A Miscellaneous: Include local directory path when uploading files to a server ^
1800 Miscellaneous: Installation of desktop items
1802 Miscellaneous: Drag and drop or copy and paste files
1803 Downloads: File Download ^
1804 Miscellaneous: Launching programs and files in an IFRAME
1805 Launching programs and files in webview #
1806 Miscellaneous: Launching applications and unsafe files
1807 Reserved ** #
1808 Reserved ** #
1809 Miscellaneous: Use Pop-up Blocker ** ^
180A Reserved #
180B Reserved #
180C Reserved #
180D Reserved #
180E Allow OpenSearch queries in Windows Explorer #
180F Allow previewing and custom thumbnails of OpenSearch query results in Windows Explorer #
1A00 User Authentication: Logon
1A02 Allow persistent cookies that are stored on your computer #
1A03 Allow per-session cookies (not stored) #
1A04 Miscellaneous: Don't prompt for client certificate selection when no certificates or only one certificate exists * ^
1A05 Allow 3rd party persistent cookies *
1A06 Allow 3rd party session cookies *
1A10 Privacy Settings *
1C00 Java permissions #
1E05 Miscellaneous: Software channel permissions
1F00 Reserved ** #
2000 ActiveX controls and plug-ins: Binary and script behaviors
2001 .NET Framework-reliant components: Run components signed with Authenticode
2004 .NET Framework-reliant components: Run components not signed with Authenticode
2007 .NET Framework-Reliant Components: Permissions for Components with Manifests
2100 Miscellaneous: Open files based on content, not file extension ** ^
2101 Miscellaneous: Web sites in less privileged web content zone can navigate into this zone **
2102 Miscellaneous: Allow script initiated windows without size or position constraints ** ^
2103 Scripting: Allow status bar updates via script ^
2104 Miscellaneous: Allow websites to open windows without address or status bars ^
2105 Scripting: Allow websites to prompt for information using scripted windows ^
2200 Downloads: Automatic prompting for file downloads ** ^
2201 ActiveX controls and plug-ins: Automatic prompting for ActiveX controls ** ^
2300 Miscellaneous: Allow web pages to use restricted protocols for active content **
2301 Miscellaneous: Use Phishing Filter ^
2400 .NET Framework: XAML browser applications
2401 .NET Framework: XPS documents
2402 .NET Framework: Loose XAML
2500 Turn on Protected Mode [Vista only setting] #
2600 Enable .NET Framework setup ^
2702 ActiveX controls and plug-ins: Allow ActiveX Filtering
2708 Miscellaneous: Allow dragging of content between domains into the same window
2709 Miscellaneous: Allow dragging of content between domains into separate windows
270B Miscellaneous: Render legacy filters
270C ActiveX Controls and plug-ins: Run Antimalware software on ActiveX controls
{AEBA21FA-782A-4A90-978D-B72164C80120} First Party Cookie *
{A8A88C49-5EB2-4990-A1A2-0876022C854F} Third Party Cookie *
* indicates an Internet Explorer 6 or later setting
** indicates a Windows XP Service Pack 2 or later setting
# indicates a setting that is not displayed in the user interface in Internet Explorer
^ indicates a setting that only has two options, enabled or disabled
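An added example (not part of the original article) that applies the Security_HKLM_only behaviour described earlier to the zone and value tables above: it reports settings where the Security tab shows the HKEY_CURRENT_USER value while Internet Explorer uses a different HKEY_LOCAL_MACHINE value. The sample registry contents are constructed, and the function name is hypothetical.

```python
# Zone numbers and the usual 0/1/3 meaning, as given in the tables above.
ZONES = {0: "My Computer", 1: "Local Intranet Zone", 2: "Trusted sites Zone",
         3: "Internet Zone", 4: "Restricted Sites Zone"}
ACTIONS = {0: "permitted", 1: "prompt", 3: "prohibited"}
SETTINGS = {  # subset of the value table above
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe for scripting",
    "1400": "Active scripting",
    "1806": "Launching applications and unsafe files",
}

# Constructed sample data: {zone number: {value name: DWORD}} for each hive.
SAMPLE_HKLM = {3: {"1004": 0, "1201": 3, "1400": 0}}
SAMPLE_HKCU = {3: {"1004": 3, "1201": 1, "1400": 0}}

def hidden_differences(hklm_zones, hkcu_zones, security_hklm_only):
    """List (zone, setting, shown, used) where the Security tab is misleading.

    With Security_HKLM_only = 1 the HKLM values are used, but the HKCU values
    are what the Security tab displays.
    """
    if security_hklm_only != 1:
        # Value absent or 0: both hives are read together. The page does not
        # say how they combine, so nothing is reported for that mode.
        return []
    findings = []
    for zone, used_values in sorted(hklm_zones.items()):
        shown_values = hkcu_zones.get(zone, {})
        for name, used in sorted(used_values.items()):
            shown = shown_values.get(name)
            if name in SETTINGS and shown is not None and shown != used:
                findings.append((ZONES[zone], SETTINGS[name],
                                 ACTIONS.get(shown, hex(shown)),
                                 ACTIONS.get(used, hex(used))))
    return findings

if __name__ == "__main__":
    for zone, setting, shown, used in hidden_differences(SAMPLE_HKLM, SAMPLE_HKCU, 1):
        print(f"{zone}: {setting}: shown={shown}, used={used}")
```

In the constructed sample, the Internet Zone displays "Download unsigned ActiveX controls" as prohibited while the machine-wide value that is actually used permits it.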