Internet Explorer Local Machine Zone Lockdown


    • #2204
      Webmaster
      Keymaster

      The Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
      What Does Local Machine Zone Lockdown do?
      When Internet Explorer opens a Web page, it places restrictions on what the page can do, based on the page’s Internet Explorer security zone. There are several possible security zones, each with different sets of restrictions. The security zone for a page is determined by its location. For example, pages that are located on the Internet will normally be in the more restrictive Internet security zone. They might not be allowed to perform some operations, such as accessing the local hard drive. Pages that are located on your corporate network would normally be in the Intranet security zone, and have fewer restrictions. The precise restrictions that are associated with most of these zones can be configured by the user through Internet Options on the Tools menu.
      Prior to Windows XP Service Pack 2, the content on the local file system, aside from that cached by Internet Explorer, was considered to be secure and was assigned to the Local Machine security zone. This security zone normally allows content to run in Internet Explorer with relatively few restrictions. However, attackers often try to take advantage of the Local Machine zone to elevate privilege and compromise a computer.
      Many of the exploits that involve the Local Machine zone were mitigated by other changes to Internet Explorer in Windows XP SP2. These changes were incorporated into Internet Explorer in Windows Server 2003 Service Pack 1. However, attackers may still be able to figure out ways to exploit the Local Machine zone. Currently, Internet Explorer further protects the user by locking down the Local Machine zone by default. Local HTML hosted in other applications will run under the less restrictive settings of the Local Machine zone used in previous versions of Internet Explorer unless that application makes use of Local Machine Zone Lockdown.
      Administrators will be able to use Group Policy to manage Local Machine Zone Lockdown and more easily apply it to groups of computers.
      Who does this feature apply to?
      All application developers should review this feature. Applications that host local HTML files in Internet Explorer are likely to be affected. Developers of standalone applications that host Internet Explorer will want to modify their applications to make use of Local Machine Zone Lockdown.
      By default, Local Machine Zone Lockdown is only enabled for Internet Explorer. Developers will need to register their applications to take advantage of the changes. Applications that do not use this mitigation should independently review their applications for Local Machine zone attack vectors.
      Software developers with applications that host Internet Explorer should use this feature by adding their process name to the registry as described later in this document. In the future, Microsoft might implement this feature using an “opt out” policy rather than an “opt in” policy. Applications that host Internet Explorer should be tested to ensure that they function properly with Local Machine Zone Lockdown enabled for their process.
      Network Administrators might have local scripts that will be affected by these restrictions. Administrators should review the available solutions to enable their local scripts without compromising the security of their users’ client computers.
      Developers of Web sites that are hosted on the Internet or Local Intranet zones should not be affected by changes to the Local Machine zone, except when loading those files from the local machine during development.
      Users could be affected by applications that are not compatible with these more stringent restrictions.
      What existing functionality is changing in Windows Server 2003 Service Pack 1?
      Changes to Local Machine zone security settings
      Detailed description
      The Local Machine zone is now more restrictive than the Internet zone. Any time that content attempts one of the following actions in this zone, the Information Bar will appear in Internet Explorer with the following text:
      To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options…
      The user can click the Information Bar to remove the lockdown from the restricted content.
      The security settings that control the privileges that are granted to content running in the Local Machine zone are known as URL actions. When Local Machine Zone Lockdown is applied to a given process, it changes the behavior of URL actions from the previous Local Machine zone setting of Enabled to Disabled. As a result, scripts and ActiveX controls will not run. The default URL actions changed are:
      URLACTION_SCRIPT_RUN
      URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX
      URLACTION_ACTIVEX_RUN
      URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY (to Prompt, not Disabled)
      URLACTION_CLIENT_CERT_PROMPT
      URLACTION_BEHAVIOR_RUN
      URLACTION_JAVA_PERMISSIONS
      URLACTION_BEHAVIOR_RUN (to Administrator approved, not Disabled)
      URLACTION_FEATURE_MIME_SNIFFING
      URLACTION_FEATURE_WINDOWS_RESTRICTIONS
      URLACTION_AUTOMATIC_DOWNLOAD_UI
      URLACTION_AUTOMATIC_ACTIVEX_UI
      Note
      URLACTION_FEATURE_ZONE_ELEVATION is set to Disabled in the Local Machine zone with or without this feature.
      For Local Machine Zone Lockdown, these settings are stored under a separate registry key:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
      The default Local Machine zone URL action settings are found under:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
      Why is this change important?
      This change helps prevent content on a user’s computer from elevating privilege. Code with such elevated privilege can then run any code through an ActiveX control or read information with a script.
      What works differently?
      If a Web page uses any of the restricted types of content that were previously listed, Internet Explorer displays the Information Bar, as previously described.
      HTML files that are hosted on the res: protocol on the local computer will automatically run under the security settings for the Internet zone. For more information about what these templates allow, see “Introduction to URL Security Zones” on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=26003.
      How do I resolve these issues?
      You can allow ActiveX and scripts to always run in Web pages that are launched from a CD by clicking Yes when presented with the following message:
      Active content can harm your computer or disclose personal information. Are you sure that you want to allow CDs to run active content on your computer?
      If your Web page needs to run ActiveX or scripting, you can add a Mark of the Web comment in the HTML code. This Internet Explorer feature allows the HTML files to be forced into a zone other than the Local Machine zone so that they can then run the script or ActiveX code based on the security template that would be applied to the URL identified in the comment. For example, if the URL specified is http://www.contoso.com and that URL is present in your Local Intranet sites list, the page uses the security template for the Local Intranet Sites zone. However, if http://www.contoso.com is listed in the Trusted Sites zone, the page is treated as if it were part of the Internet zone. This is by design for security purposes in Windows XP Service Pack 2 and later. This setting works in Internet Explorer 4 and later. To insert a Mark of the Web comment into your HTML file, add one of the following comments:

      Use this comment when you are inserting a Mark of the Web into a page whose domain is identified, replacing http://www.example.com with the URL of the Internet or intranet domain that the page is hosted by. Include the length of the URL in parentheses used for the Mark of the Web before the URL, for example (0022).
      If you want your Web page to always be treated as though it were part of the Internet zone, you can use the following Mark of the Web:

      Use this comment when you need to generically insert a Mark of the Web. The about:internet portion will place the page in the Internet zone.
      Beginning with Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2, this HTML comment can also be used with .mht files, known as multipart HTML, or .xml files. Mark of the Web will be ignored for .mht or .xml files in earlier versions of Internet Explorer.
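As an added example (not part of the original post), the following Python helper builds a Mark of the Web comment with the zero-padded length prefix described above, and checks whether a mark already present in a file is well formed; the sample HTML is constructed for this example.

```python
import re

# Regex for a Mark of the Web comment: <!-- saved from url=(NNNN)URL -->
# where NNNN is the zero-padded decimal character count of URL.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


def make_motw(url):
    """Build the comment for `url`: http://www.example.com gives a (0022) prefix,
    about:internet gives (0014) and forces the page into the Internet zone."""
    if not url or any(c.isspace() for c in url):
        raise ValueError("URL must be a single token without whitespace")
    return f"<!-- saved from url=({len(url):04d}){url} -->"


def parse_motw(html):
    """Return (url, valid) for the first Mark of the Web in `html`, or None.
    `valid` is False when the declared length differs from the URL; Internet
    Explorer requires the count to match, so such a mark is not honoured and
    the file stays in the Local Machine zone, i.e. under lockdown."""
    m = MOTW_RE.search(html)
    if not m:
        return None
    declared, url = int(m.group(1)), m.group(2)
    return url, declared == len(url)


def add_motw(html, url):
    """Put a fresh Mark of the Web at the top of `html`, dropping any existing
    one so the zone the page lands in is unambiguous."""
    body = MOTW_RE.sub("", html, count=1).lstrip()
    return make_motw(url) + "\n" + body


if __name__ == "__main__":
    # Constructed sample page for the demonstration.
    page = "<html><body><script>document.title = 'hello'</script></body></html>"
    marked = add_motw(page, "about:internet")
    print(marked.splitlines()[0])  # <!-- saved from url=(0014)about:internet -->
    print(parse_motw(marked))      # ('about:internet', True)
    # A wrong length prefix: the mark is present but not valid.
    print(parse_motw("<!-- saved from url=(0020)http://www.example.com -->"))
```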
      As another option, you can create a separate application that hosts the HTML content in the Internet Explorer Web Object Control (WebOC). The HTML is then no longer bound by the same rules that apply to content run in Internet Explorer. When the HTML content runs in the other process, it can have full rights as defined by the developer or the zone policy for that process.
      An easy way to do this is to save your content as an .hta (HTML application) file and try to run the file again in the Local Machine zone. An .hta file is hosted in a different process and therefore is not affected by the mitigation. However, .hta files run with full privileges, so you should not allow code that is not trusted to run in this manner.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      Developers should test their applications and enable the lockdown in order to offer enhanced levels of security. Developers of standalone applications should plan to adopt these changes in their applications that host Internet Explorer.
      Developers of ActiveX controls that previously allowed elevated privileges in the Local Machine zone should not change their controls to allow elevated privileges in another zone. Instead, these controls should be converted to run only from an HTML application (.hta file) or a standalone application that runs outside of Local Machine Zone Lockdown.
      By default, Local Machine Zone Lockdown is not enabled for non-Internet Explorer processes. Developers must explicitly register their applications to take advantage of the changes. Application developers that do not use this mitigation should independently review their applications for Local Machine zone attack vectors. To enable Local Machine Zone Lockdown for your application, go to the following registry key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
      Add a REG_DWORD value to this key named for your application (for example, MyApplication.exe) and set it to 1. Any other setting for this value will disable Local Machine Zone Lockdown for the application.
      To control whether Local Machine Zone Lockdown is applied to Web pages launched from a CD, go to the following registry key and value:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK
      Setting this value to 1 disables this feature for Web pages launched from a CD on the user’s computer.
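An added example (not from the original post) for auditing the two keys just described from a `reg export` of FEATURE_LOCALMACHINE_LOCKDOWN: it lists which process names are opted in (value exactly 1) versus effectively not locked down, and flags LOCALMACHINE_CD_UNLOCK. The registry text and process names are a constructed sample, not taken from a real system.

```python
import re

# Constructed sample of a `reg export` of the keys named above; the process
# names and values are made up for this example, not taken from a real system.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"iexplore.exe"=dword:00000001
"MyApplication.exe"=dword:00000001
"LegacyHost.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings]
"LOCALMACHINE_CD_UNLOCK"=dword:00000001
"""

LOCKDOWN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN"
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: int}}, DWORD values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys


def audit_lockdown(text):
    """Split registered process names into those opted in to the lockdown
    (value exactly 1; anything else disables it for that process) and the
    rest, and flag LOCALMACHINE_CD_UNLOCK=1, which exempts pages run from a CD."""
    keys = parse_reg_export(text)
    procs = keys.get(LOCKDOWN_KEY, {})
    settings = keys.get(LOCKDOWN_KEY + r"\Settings", {})
    return {
        "locked_down": sorted(p for p, v in procs.items() if v == 1),
        "not_locked_down": sorted(p for p, v in procs.items() if v != 1),
        "cd_unlock": settings.get("LOCALMACHINE_CD_UNLOCK", 0) == 1,
    }


if __name__ == "__main__":
    for name, result in audit_lockdown(SAMPLE_REG_EXPORT).items():
        print(f"{name}: {result}")
```

reg.exe writes exports as UTF-16LE text with a byte-order mark, so decode the file with that encoding before passing its contents to `audit_lockdown`.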
