Internet Explorer Local Machine Zone Lockdown

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion Internet Explorer Local Machine Zone Lockdown

Viewing 0 reply threads
  • Author
    • #2204

      The Windows Server 2003 InternetExplorer Enhanced Security Configuration component (also known as Microsoft Internet
      Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying morerestrictiveInternet
      Explorer security settings that disablescripts, ActiveX components,and file downloads for resources in theInternet security
      zone. As a result, many of thesecurity enhancements included in thelatest release of InternetExplorer will not beas
      noticeablein Windows Server 2003 Service Pack 1.For example, the new InternetExplorer Notification Bar and Pop-up
      Blocker features will not be used unless thesiteis in a zone whosesecurity setting allows scripting. If you are not using the
      enhanced security configuration on your server, thesefeatures will function as they do in Windows XP Service Pack 2.
      What Does Local Machine Zone Lockdown do?
      When InternetExplorer opens a Web page, it places restrictions on what the pagecan do, based on the page’s InternetExplorer
      security zone.Thereareseveral possiblesecurity zones,each with different sets of restrictions.Thesecurity zonefor a pageis
      determined by its location.For example, pages thatarelocated on theInternet will normally bein the morerestrictiveInternet
      security zone.They might not beallowed to perform some operations, such as accessing thelocal hard drive. Pages thatare
      located on your corporate network would normally bein theIntranet security zone,and havefewer restrictions.The precise
      restrictions thatareassociated with most of thesezones can beconfigured by the user through Internet Options on the
      Tools menu.
      Prior to Windows XP Service Pack 2, thecontent on thelocal filesystem,asidefrom that cached by InternetExplorer, was
      considered to besecureand was assigned to theLocal Machinesecurity zone.This security zone normally allows content to
      run in InternetExplorer with relatively few restrictions. However,attackers often try to takeadvantage of theLocal Machine
      zoneto elevate privilegeand compromisea computer.
      Many of theexploits that involvetheLocal Machinezone were mitigated by other changes to InternetExplorer in Windows XP
      SP2.Thesechanges wereincorporated into InternetExplorer in Windows Server 2003 Service Pack 1. However,attackers may
      still beableto figure out ways to exploit theLocal Machinezone. Currently, InternetExplorer further protects the user by
      locking down theLocal Machinezone by default.Local HTML hosted in other applications will run under theless restrictive
      settings of theLocal Machinezone used in previous version of InternetExplorer unless thatapplication makes use of Local
      Machine ZoneLockdown.
      Administrators will beableto use Group Policy to manageLocal Machine ZoneLockdown and moreeasily apply it to groups
      of computers.
      Who does this feature apply to?
      All application developers should review this feature. Applications that host local HTML files in InternetExplorer arelikely to be
      affected. Developers of standaloneapplications that host InternetExplorer will want to modify their applications to make use of
      Local Machine ZoneLockdown.
      By default,Local Machine ZoneLockdown is only enabled for InternetExplorer. Developers will need to register their
      applications to takeadvantage of thechanges. Applications that do not usethis mitigation should independently review their
      applications for Local Machinezoneattack vectors.
      Software developers with applications that host InternetExplorer should usethis feature by adding their process nameto the
      registry as described later in this document. In thefuture, Microsoft might implement this feature using an “opt out” policy
      rather than an “opt in” policy. Applications that host InternetExplorer should betested to ensurethat they function properly
      with Local Machine ZoneLockdown enabled for their process.
      Network Administrators might havelocal scripts that will beaffected by theserestrictions. Administrators should review the
      availablesolutions to enabletheir local scripts without compromising thesecurity of their users’ client computers.
      Developers of Web sites thatare hosted on theInternet or Local Intranet zones should not beaffected by changes to theLocal
      Machinezone,except when loading thosefiles from thelocal machine during development.
      Users could beaffected by applications thatare not compatible with these morestringent restrictions.
      What existing functionality is changing in Windows Server 2003 Service Pack 1?
      Changes to Local Machine zone security settings
      Detailed description
      TheLocal Machinezoneis now morerestrictivethan theInternet zone. Any timethat contentattempts one of thefollowing
      actions in this zone, theInformation Bar will appear in InternetExplorer with thefollowing text:
      To help protect your security, InternetExplorer has restricted this file from showing active content that could
      access your computer. Click here for options…
      The user can click theInformation Bar to removethelockdown from therestricted content.
      Thesecurity settings that control the privileges thatare granted to content running in theLocal Machinezoneareknown as
      URL actions.When Local Machine ZoneLockdown is applied to a given process, it changes the behavior of URL actions from
      the previous Local Machinezonesetting ofEnabled to Disabled. As a result, scripts and ActiveX controls will not run.The
      default URL actions changed are:
      URLACTION_BEHAVIOR_RUN (to Administrator approved, not Disabled)
      URLACTION_FEATURE_ZONE_ELEVATION is set to Disabled in theLocal Machinezone with or without this feature.
      For Local Machine ZoneLockdown, thesesettings arestored under a separateregistry key:
      The default Local Machinezone URL action settings arefound under:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
      Why is this change important?
      This change helps prevent content on a user’s computer from elevating privilege. Code with such elevated privilegecan then
      run any codethrough an ActiveX control or read information with a script.
      What works differently?
      If a Web page uses any of therestricted types of content that were previously listed, InternetExplorer displays theInformation
      Bar,as previously described.
      HTML files thatare hosted on theres: protocol on thelocal computer will automatically run under thesecurity settings for the
      Internet zone.For moreinformation about what thesetemplates allow, see”Introduction to URL Security Zones” on the MSDN
      Web siteat
      How do I resolve these issues?
      You can allow ActiveX and scripts to always run in Web pages thatarelaunched from a CD by clicking Yes when presented
      with thefollowing message:
      Active content can harm your computer or disclose personal information. Are you sure that you want to allow CDs
      to run active content on your computer?
      If your Web page needs to run ActiveX or scripting,you can add a Mark of the Web comment in the HTML code.This Internet
      Explorer featureallows the HTML files to beforced into a zone other than theLocal Machinezoneso that they can then run the
      script or ActiveX code based on thesecurity templatethat would beapplied to the URL identified in thecomment.For example,
      if the URL specified is and that URL is present in your Local Intranet sites list, the page uses thesecurity
      templatefor theLocal IntranetSites zone. However, if is listed in theTrusted Sites zone, the pageis treated
      as if it were part of theInternet zone.This is by design for security purposes in Windows XP Service Pack 2 and later.This
      setting works in InternetExplorer 4 and later.To inserta Mark of the Web comment into your HTML file,add one of the
      following comments:

      Usethis comment when you areinserting a Mark of the Web into a page whose domain is identified, replacing with the URL of theInternet or intranet domain that the pageis hosted by. Includethelength of the
      URL in parenthesis used for the Mark of the Web beforethe URL, for example(0022).
      If you wantyour Web pageto always betreated as though it were part of theInternet zone,you can usethefollowing Mark of
      the Web:

      Usethis comment when you need to generically inserta Mark of the Web.The about:internet portion will placethe pagein
      theInternet zone.
      Beginning with Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2, this HTML comment can also be used
      with .mht files,known as multipart HTML or .xml files. Mark of the Web will beignored for .mht or .xml files in earlier versions
      of InternetExplorer.
      As another option,you can createa separateapplication that hosts the HTML content in theInternetExplorer Web Object
      Control (WebOC).The HTML is then no longer bound by thesamerules thatapply to content run in InternetExplorer.When
      the HTML content runs in the other process, it can havefull rights as defined by the developer or thezone policy for that
      An easy way to do this is to saveyour contentas an .hta (HTML application) fileand try to run thefileagain in theLocal
      Machinezone. An .hta fileis hosted in a different process and thereforeis notaffected by the mitigation. However, .hta files run
      with full privileges, so you should notallow codethat is not trusted to run in this manner.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      Developers should test their applications and enablethelockdown in order to offer enhanced levels of security. Developers of
      standaloneapplications should plan to adopt thesechanges in their applications that host InternetExplorer.
      Developers of ActiveX controls that previously allowed elevated privileges in theLocal Machinezoneshould not changetheir
      controls to allow elevated privileges in another zone. Instead, thesecontrols should beconverted to run only from an HTML
      application (.hta file) or a standaloneapplication that runs outside of Local Machine ZoneLockdown.
      By default,Local Machine ZoneLockdown is notenabled for non-InternetExplorer processes. Developers mustexplicitly
      register their applications to takeadvantage of thechanges. Application developers that do not usethis mitigation should
      independently review their applications for Local Machinezoneattack vectors.To enableLocal Machine ZoneLockdown for
      your application, go to thefollowing registry key:
      Add a REG_DWORD valueto this key named for your application (for example, MyApplication.exe) and set it to 1. Any other
      setting for this value will disableLocal Machine ZoneLockdown for theapplication.
      To control whether Local Machine ZoneLockdown is applied to Web pages launched from a CD, go to thefollowing registry
      key and value:
      Setting this valueto 1 disables this featurefor Web pages launched from a CD on the user’s computer.

Viewing 0 reply threads
  • You must be logged in to reply to this topic.