Control Registry Settings with Security Zone Settings In IE: Windows Server 2003


    • #2198
      Webmaster
      Keymaster

      The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as
      Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
      restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the
      Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will
      not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and
      Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not
      using the enhanced security configuration on your server, these features will function as they do in Windows XP Service
      Pack 2.
      What do Feature Control Registry Settings and Security Zone Settings do?
      Feature Control registry settings are provided for Internet Explorer so that a specific process can be configured to opt-in to a
      particular security feature. Each security feature has a corresponding registry key that you can use to opt-in or opt-out of the
      security feature.
      When a process has been configured to use a security feature, the security feature is running. Once the feature is running,
      there might be corresponding security zone settings that can be applied for more precision. Some security features do not
      have additional security zone settings.
      In the Security Settings tab of Internet Options, the user can adjust these settings for many of the new feature controls. If
      you select Enable, it lowers the security settings and allows the behavior to run less securely, or in the same manner as it did
      in the previous version of Internet Explorer. The feature control can be applied again by setting the security zone setting to
      Disable, which blocks the less-secure behavior while the feature control is enabled for that process.
      Each of the Feature Controls is discussed in more detail in this document. For more information about URL action settings and
      how they relate to security zones, see "About URL Security Zones Templates" on the Microsoft Web site at
      http://go.microsoft.com/fwlink/?LinkId=26001.
      Using security zone settings for a feature provides additional precision in control for security features in Internet Explorer and
      can help manage application compatibility for organizational intranet applications. A user or administrator can select different
      behaviors based on risk.
      Who does this feature apply to?
      Web application developers need to be aware that the Internet Explorer security settings are dependent on the zone in which
      an application is run. Therefore, you should assign security zones carefully; this should be a part of your information security
      considerations. The security zones that you use should also be considered when assessing application compatibility.
      Administrators of Group Policy may want to adjust the default values for each zone to suit the particular environments in their
      organization.
      Unless prevented by policies in Group Policy, users can manage the values for these security zone settings (or URL actions) for
      each zone through Internet Options in Control Panel. Note that the Local Machine zone is not available through Control
      Panel. To access the security settings for a zone, click Start, click Control Panel, click Internet Options, click the Security tab,
      click a Web security zone, and then click Custom Level.
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      Feature control registry settings
      Detailed description
      Windows Server 2003 Service Pack 1 introduces new feature control registry settings.
      For many of these features, when the registry setting is on, users can configure the security settings (also known as URL action
      flags) to fine tune the feature control in each individual security zone.
      If you choose Enable as the action to take for an Internet Explorer feature control, the zone is secured as it was for the previous
      version of Internet Explorer. Relevant security control features will not apply in this zone; the security zone will run without the
      added layer of security provided by this feature.
      If you choose to disable the security zone setting, the actions that may be harmful cannot run; this Internet Explorer security
      feature will be turned on in this zone, as dictated by the feature control setting for the process.
      Security settings are often applied to a zone by a URL security zone template. The default values for the security settings and
      the settings by zone template are listed in the section Internet Explorer URL Action and Advanced Security Settings in Group
      Policy.
      Why is this change important? What threats does it help mitigate?
      As originally envisioned, each feature control setting would either be on or off for all security zones. Customer feedback
      indicated that more precise tuning with the settings was necessary for some features. For example, the internal workflow of
      some organizations depends on intranet applications. A feature control that protects users in the Internet zone may cause an
      intranet application to stop working. Because of this, Microsoft has incorporated the ability to control many security settings by
      zone.
      What works differently?
      Adding security settings by zone provides more flexibility in applying the new security features. This flexibility will provide a
      more manageable implementation of this new security feature, particularly in intranet scenarios.
      How do I resolve these issues?
      If the feature control setting is suspected of causing problems for an application, changing the feature control setting in the
      zone where the application is running to Enable allows the administrator or user to return to the previous behavior in that
      zone for that specific feature while maintaining the more secure behavior in other security zones. For some security settings,
      additional configuration options such as Prompt and Admin-approved are available, as well as Enable and Disable.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      If the code uses the default URLmon security manager, the developer must call CoInternetIsFeatureEnabledForURL to check
      the security settings for a particular zone.
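
An added example, not part of the original post or Microsoft's own code: an offline audit of a `.reg` export that combines the per-process feature control opt-in with the per-zone setting, as the post describes. Assumptions: the opt-in is a DWORD named after the process under a `...\FeatureControl\<FEATURE>` key, zone settings are DWORDs under `...\Internet Settings\Zones\<n>` (0 = Enable, 1 = Prompt, 3 = Disable), the first matching key in the export is used (hive and policy precedence are ignored), and the `*` wildcard entry is not handled.

```python
import re

# Per-zone URL action value names (hex) for three feature controls; the numbers
# are the URLACTION_FEATURE_* constants from urlmon.h.
URLACTION = {"FEATURE_MIME_SNIFFING": "2100", "FEATURE_ZONE_ELEVATION": "2101",
             "FEATURE_WINDOW_RESTRICTIONS": "2102"}
SETTING = {0: "previous (less secure) behaviour allowed",   # Enable
           1: "user is prompted",                            # Prompt
           3: "feature enforced"}                            # Disable
ZONES = {0: "Local Machine", 1: "Intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

def parse_reg(text):
    """Return {key path (lowercase): {value name (lowercase): DWORD}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def find(keys, suffix):
    """Values of the first exported key whose path ends with suffix."""
    return next((v for k, v in keys.items() if k.endswith(suffix.lower())), {})

def audit(reg_text, feature, process):
    """Map each zone name to what the two settings produce together."""
    keys = parse_reg(reg_text)
    opted_in = find(keys, "\\FeatureControl\\" + feature).get(process.lower()) == 1
    report = {}
    for num, name in ZONES.items():
        raw = find(keys, "\\Internet Settings\\Zones\\%d" % num).get(URLACTION[feature])
        report[name] = (SETTING.get(raw, "not set in export") if opted_in
                        else "feature not running for process; zone setting not consulted")
    return report

# Constructed sample export, not taken from a real server.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION]
"iexplore.exe"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"2101"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2101"=dword:00000003
"""
print(audit(SAMPLE, "FEATURE_ZONE_ELEVATION", "iexplore.exe"))
```

In the sample, the Intranet zone is set to Enable and so keeps the previous behaviour, while the Internet zone is set to Disable and so has the feature enforced.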
