Internet Explorer URL Action and Advanced Security Settings in Group Policy
This topic has 0 replies, 1 voice, and was last updated 6 years ago by Webmaster.
September 8, 2017 at 3:33 pm #2199
Webmaster (Keymaster)
The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server's vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the Enhanced Security Configuration on your server, these features will function as they do in Windows XP Service Pack 2.
What does Internet Explorer Settings in Group Policy do?
Windows XP Service Pack 2 introduced true policies for the configurable actions in the Internet Explorer Security tab settings. In addition to incorporating these policies into Internet Explorer in Windows Server 2003 Service Pack 1, additional policies were created for selected configurable actions in the Internet Explorer Advanced tab, as well as for URL action policies in Locked-Down zones used only by the Network Protocol Lockdown security feature. In this release, these security settings are managed using the Group Policy Management Console and, if set, can only be changed by a Group Policy object (GPO) or by an administrator.
An updated Inetres.adm file contains a list of settings as policies, including Advanced settings, which are also found in the Internet Explorer user interface as preferences. Administrators can manage the new feature control policies by using Group Policy objects (GPOs). When Internet Explorer is installed, the default HKEY_CURRENT_USER preference settings for these settings are registered on the computer as they were in previous versions. The administrator has to use the Group Policy Management Console (GPMC) to add these settings as policies.
Who does this feature apply to?
Group Policy administrators can uniformly configure the new Internet Explorer Advanced setting policies, as well as policies for Locked-Down security zones, for the computers and users that they manage. It is important to inform the end user which actions are controlled by policy, as these actions will override user preference settings.
Note
The Internet Options control panel will display policy settings when opened, and users can interact with the user interface and appear to change their preferences. However, these preferences will not actually override Group Policy settings, which may cause a confusing user experience. The administrator can also set a policy to disable the Advanced page user interface so that it is clearer to the user that these settings are not available to be changed. This is not an issue for the Locked-Down zones' settings as they are not accessible through the user interface.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Group Policy Internet Explorer advanced settings
Detailed description
The following definitions apply to Internet Explorer settings for Windows Server 2003 with Service Pack 1:
Security zones: Locked-Down Intranet Zone, Locked-Down Trusted Sites Zone, Locked-Down Internet Zone, and Locked-Down Restricted Sites Zone.
Templates: Standard settings for all URL actions in these security zones. Templates can be applied in any zone, and settings will provide a range of choices from low security, medium-low, medium, and up to high security for the zone.
URL actions: Security settings in the registry that identify the action to take for that feature in the security zone where the URL resides. URL action settings include enable, disable, prompt, and others as appropriate.
URL action policies: URL action policies can be added individually by enabling the desired URL action policy, then selecting the setting for the policy registry key value. They can also be set by zone template.
Internet Explorer will look for a policy in the following order:
1. HKEY_LOCAL_MACHINE policy hive
2. HKEY_CURRENT_USER policy hive
3. HKEY_CURRENT_USER preference hive
4. HKEY_LOCAL_MACHINE preference hive
If Internet Explorer finds a policy in the HKEY_LOCAL_MACHINE policy hive, it stops and does not continue; that is the setting it respects. If Internet Explorer does not find a policy in the HKEY_LOCAL_MACHINE policy hive, it looks in the HKEY_CURRENT_USER policy hive, and so on. The administrator can set a policy for one or more URL actions in one or more zones, and allow the end user to manage preferences for URL actions that do not require policy-level security management.
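The search order described above can be checked directly on a machine. The following PowerShell function is an added example, not part of the original post or of Microsoft's documentation: for one URL action in one Locked-Down zone it walks the four locations in the order given and reports which one supplied the winning value, so an administrator can see whether a setting is actually enforced by policy or merely a user preference. The policy paths are the Lockdown_Zones\<n> keys listed later on this page; the preference path (the same subkey under Software\Microsoft instead of Software\Policies\Microsoft), the zone numbering and the function names are assumptions.

```powershell
# Added example: resolve the effective value of one URL action in one
# Locked-Down zone by walking the four locations in the order the text gives.
# Zone numbers assumed: 1 = Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites.

function ConvertTo-UrlActionSettingName {
    # Names taken from the page's numeric translation key. Note that 1200/2000
    # (65536 = "Administrator approved"), 1A00 and 1C00 reuse these numbers with
    # their own labels, so consult the options table for those actions.
    param([int]$Value)
    switch ($Value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        65536   { 'High Safety' }
        131072  { 'Medium Safety' }
        196608  { 'Low Safety' }
        default { 'unknown (0x{0:X8})' -f $Value }
    }
}

function Get-EffectiveUrlAction {
    param(
        [Parameter(Mandatory=$true)][ValidateSet(1,2,3,4)][int]$Zone,
        [Parameter(Mandatory=$true)][string]$Action   # registry value name, e.g. '1400' for Active scripting
    )
    # Policy location from the page; preference location is an assumption.
    $policyKey = "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\$Zone"
    $prefKey   = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\$Zone"

    # Search order from the text: HKLM policy, HKCU policy, HKCU preference, HKLM preference.
    $locations = @(
        @{ Source = 'HKLM policy';     Path = "HKLM:\$policyKey" },
        @{ Source = 'HKCU policy';     Path = "HKCU:\$policyKey" },
        @{ Source = 'HKCU preference'; Path = "HKCU:\$prefKey" },
        @{ Source = 'HKLM preference'; Path = "HKLM:\$prefKey" }
    )
    foreach ($loc in $locations) {
        # -ErrorAction SilentlyContinue yields $null when the key or the value is absent.
        $item = Get-ItemProperty -Path $loc.Path -Name $Action -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.$Action
            # First hit wins: Internet Explorer stops searching at this point.
            return [pscustomobject]@{
                Zone     = $Zone
                Action   = $Action
                Value    = $value
                Setting  = ConvertTo-UrlActionSettingName $value
                Source   = $loc.Source
                Enforced = ($loc.Source -like '*policy')   # true when a GPO, not a user preference, decides
            }
        }
    }
    # Nothing found in any of the four locations.
    [pscustomobject]@{ Zone = $Zone; Action = $Action; Value = $null; Setting = 'not set'; Source = 'none'; Enforced = $false }
}

# Example use: Active scripting (1400) in the Locked-Down Internet zone (3).
Get-EffectiveUrlAction -Zone 3 -Action '1400'
```

Run it for the actions that matter most on a server (1200, 1400, 1803, 2000) in each zone; a result whose Source is a preference hive is one that a local user could still change, which is exactly the case the text recommends closing by setting policy for all zones.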
Policy values for URL action
The new URL action policies have the same numeric values as their related preference keys. The following table provides a reference to these URL actions.
URL action flag name | Security setting UI name | Numeric name
URLACTION_DOWNLOAD_SIGNED_ACTIVEX | Download signed ActiveX controls | 1001
URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX | Download unsigned ActiveX controls | 1004
URLACTION_ACTIVEX_RUN | Run ActiveX controls and plugins | 1200
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY | Initialize and script ActiveX controls not marked as safe | 1201
URLACTION_SCRIPT_RUN | Active scripting | 1400
URLACTION_SCRIPT_JAVA_USE | Scripting of Java applets | 1402
URLACTION_SCRIPT_SAFE_ACTIVEX | Script ActiveX controls marked safe for scripting | 1405
URLACTION_CROSS_DOMAIN_DATA | Access data sources across domains | 1406
URLACTION_SCRIPT_PASTE | Allow paste operations via script | 1407
URLACTION_HTML_SUBMIT_FORMS | Submit non-encrypted form data | 1601
URLACTION_HTML_FONT_DOWNLOAD | Font download | 1604
URLACTION_HTML_USERDATA_SAVE | Userdata persistence | 1606
URLACTION_HTML_SUBFRAME_NAVIGATE | Navigate sub-frames across different domains | 1607
URLACTION_HTML_META_REFRESH | Allow META REFRESH | 1608
URLACTION_HTML_MIXED_CONTENT | Display mixed content | 1609
URLACTION_SHELL_INSTALL_DTITEMS | Installation of desktop items | 1800
URLACTION_SHELL_MOVE_OR_COPY | Drag and drop or copy and paste files | 1802
URLACTION_SHELL_FILE_DOWNLOAD | File download | 1803
URLACTION_SHELL_VERB | Launching applications and files in an IFRAME | 1804
URLACTION_SHELL_POPUPMGR | Use Pop-up blocker | 1809
URLACTION_NETWORK_MIN | Logon | 1A00
URLACTION_CLIENT_CERT_PROMPT | Don't prompt for client certificate selection when no certificates or only one certificate exists | 1A04
URLACTION_JAVA_PERMISSIONS | Java permissions | 1C00
URLACTION_CHANNEL_SOFTDIST_PERMISSIONS | Software channel permissions | 1E05
URLACTION_BEHAVIOR_RUN | Script and Binary Behaviors | 2000
URLACTION_MANAGED_SIGNED | Run .NET Framework-reliant components signed with Authenticode | 2001
URLACTION_MANAGED_UNSIGNED | Run .NET Framework-reliant components not signed with Authenticode | 2004
URLACTION_FEATURE_MIME_SNIFFING | Open files based on content, not file extension | 2100
URLACTION_FEATURE_ZONE_ELEVATION | Web sites in less privileged Web content zones can navigate into this zone | 2101
URLACTION_FEATURE_WINDOW_RESTRICTIONS | Allow script-initiated windows without size or position constraints | 2102
URLACTION_AUTOMATIC_DOWNLOAD_UI | Automatic prompting for file downloads | 2200
URLACTION_AUTOMATIC_ACTIVEX_UI | Automatic prompting for ActiveX controls | 2201
URLACTION_ALLOW_RESTRICTEDPROTOCOLS | Allow active content over restricted protocols to access my computer | 2300
For more information about using URL action flags, see "URL Action Flags" on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=32776.
The following table provides a reference to the setting options available for each URL action.
Numeric name | URL action policy setting options
1001 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1004 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1200 | "Administrator approved"=0x00010000, "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1201 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1400 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1402 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1405 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1406 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1407 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1601 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1604 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1606 | "Enable"=0x00000000, "Disable"=0x00000003
1607 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1608 | "Enable"=0x00000000, "Disable"=0x00000003
1609 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1800 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1802 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1803 | "Enable"=0x00000000, "Disable"=0x00000003
1804 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
1809 | "Enable"=0x00000000, "Disable"=0x00000003
1A00 | "Anonymous logon"=0x00030000, "Automatic logon only in Intranet zone"=0x00020000, "Automatic logon with current user name and password"=0x00000000, "Prompt for user name and password"=0x00010000
1A04 | "Enable"=0x00000000, "Disable"=0x00000003
1C00 | "High safety"=0x00010000, "Medium safety"=0x00020000, "Low safety"=0x00030000, "Custom"=0x00800000, "Disable Java"=0x00000000
1E05 | "High Safety"=0x00010000, "Medium Safety"=0x00020000, "Low Safety"=0x00030000
2000 | "Enable"=0x00000000, "Administrator approved"=0x00010000, "Disable"=0x00000003
2001 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
2004 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
2100 | "Enable"=0x00000000, "Disable"=0x00000003
2101 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
2102 | "Enable"=0x00000000, "Disable"=0x00000003
2200 | "Enable"=0x00000000, "Disable"=0x00000003
2201 | "Enable"=0x00000000, "Disable"=0x00000003
2300 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001
Key for numeric translation of URL policy settings
Value | DWORD | Setting
0 | 0x00000000 | Enable
1 | 0x00000001 | Prompt
3 | 0x00000003 | Disable
65536 | 0x00010000 | High Safety
131072 | 0x00020000 | Medium Safety
196608 | 0x00030000 | Low Safety
For descriptions of each of the URL policy settings, see "URL Action Flags" on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=32777.
Default settings for each URL action in zones and templates
Each URL action has a default that is set in each zone and set when a specified template is applied. The default settings for each zone are described in the following table.
URL action default settings
URL action numeric name | Locked-Down Restricted zone | Locked-Down Internet zone | Locked-Down Intranet zone | Locked-Down Trusted zone
1001 | 3 | 1 | 1 | 0
1004 | 3 | 3 | 3 | 3
1200 | 3 | 3 | 3 | 3
1201 | 3 | 3 | 3 | 3
1400 | 3 | 3 | 3 | 3
1402 | 3 | 0 | 0 | 0
1405 | 3 | 0 | 0 | 0
1406 | 3 | 3 | 1 | 0
1407 | 3 | 0 | 0 | 0
1601 | 1 | 1 | 0 | 0
1604 | 1 | 0 | 0 | 0
1606 | 3 | 0 | 0 | 0
1607 | 3 | 0 | 0 | 0
1608 | 3 | 0 | 0 | 0
1609 | 1 | 1 | 1 | 1
1800 | 3 | 1 | 1 | 0
1802 | 1 | 0 | 0 | 0
1803 | 3 | 0 | 0 | 0
1804 | 3 | 1 | 1 | 0
1809 | 0 | 0 | 3 | 3
1A00 | 65536 | 131072 | 131072 | 0
1A04 | 3 | 3 | 3 | 3
1C00 | 0 | 0 | 0 | 0
1E05 | 65536 | 131072 | 131072 | 196608
2000 | 3 | 65536 | 65536 | 65536
2001 | 3 | 3 | 3 | 3
2004 | 3 | 3 | 3 | 3
2100 | 3 | 3 | 3 | 3
2101 | 3 | 3 | 3 | 3
2102 | 3 | 3 | 3 | 3
2200 | 3 | 3 | 3 | 3
2201 | 3 | 3 | 3 | 3
2300 | 3 | 1 | 1 | 1
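The default table is most useful as a baseline to audit against. The following PowerShell script is an added example, not part of the original post or of Microsoft's documentation: it reads the URL action values that policy sets for each Locked-Down zone and reports every action that is either unset by policy (so a preference still decides it) or differs from the tabulated default, flagging the ones that became more permissive on the Enable/Prompt/Disable scale. The Lockdown_Zones\<n> policy paths, the value names and the defaults are taken from this page; the zone-to-column mapping and the function name are assumptions.

```powershell
# Added example: audit the Locked-Down zone URL action values set by policy
# against the defaults tabulated on the page and report drift.
# Defaults transcribed from the page; columns are in the page's order:
# Restricted (zone 4), Internet (zone 3), Intranet (zone 1), Trusted (zone 2).
$Defaults = @{
    '1001' = 3,1,1,0;  '1004' = 3,3,3,3;  '1200' = 3,3,3,3;  '1201' = 3,3,3,3
    '1400' = 3,3,3,3;  '1402' = 3,0,0,0;  '1405' = 3,0,0,0;  '1406' = 3,3,1,0
    '1407' = 3,0,0,0;  '1601' = 1,1,0,0;  '1604' = 1,0,0,0;  '1606' = 3,0,0,0
    '1607' = 3,0,0,0;  '1608' = 3,0,0,0;  '1609' = 1,1,1,1;  '1800' = 3,1,1,0
    '1802' = 1,0,0,0;  '1803' = 3,0,0,0;  '1804' = 3,1,1,0;  '1809' = 0,0,3,3
    '1A00' = 65536,131072,131072,0;  '1A04' = 3,3,3,3;  '1C00' = 0,0,0,0
    '1E05' = 65536,131072,131072,196608;  '2000' = 3,65536,65536,65536
    '2001' = 3,3,3,3;  '2004' = 3,3,3,3;  '2100' = 3,3,3,3;  '2101' = 3,3,3,3
    '2102' = 3,3,3,3;  '2200' = 3,3,3,3;  '2201' = 3,3,3,3;  '2300' = 3,1,1,1
}
# Zone numbering assumed from the Lockdown_Zones\<n> paths on the page.
$ZoneName = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$Column   = @{ 4 = 0; 3 = 1; 1 = 2; 2 = 3 }   # index of each zone within a $Defaults row

function Test-LockdownZonePolicy {
    param([ValidateSet('HKLM','HKCU')][string]$Hive = 'HKLM')
    foreach ($zone in 1,2,3,4) {
        $path  = "${Hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\$zone"
        # $null when the policy key does not exist at all on this machine.
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($action in ($Defaults.Keys | Sort-Object)) {
            $expected = $Defaults[$action][$Column[$zone]]
            $actual   = $null
            if ($props -and $props.PSObject.Properties[$action]) { $actual = [int]$props.$action }

            # On the 0/1/3 scale a lower number is more permissive (Enable < Prompt < Disable).
            if ($null -eq $actual)         { $status = 'not set by policy (preference applies)' }
            elseif ($actual -eq $expected) { $status = 'matches default' }
            elseif ($expected -le 3 -and $actual -le 3 -and $actual -lt $expected) { $status = 'MORE PERMISSIVE than default' }
            else                           { $status = 'differs from default' }

            [pscustomobject]@{
                Zone     = "$zone ($($ZoneName[$zone]))"
                Action   = $action
                Expected = $expected
                Policy   = $actual
                Status   = $status
            }
        }
    }
}

# Show only the rows that need attention.
Test-LockdownZonePolicy | Where-Object { $_.Status -ne 'matches default' } | Format-Table -AutoSize
```

The "not set by policy" rows are the ones the text warns about under "Do I need to change my code": with no policy present, Internet Explorer falls through to whichever preference hive holds a value, so the effective setting is not known from the GPO alone. Run with -Hive HKCU to audit the user policy hive as well.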
Group Policy Settings Paths
These paths locate the available Advanced settings in the Group Policy Management Console:
HKEY_LOCAL_MACHINE policies for Advanced settings:
\Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
HKEY_CURRENT_USER policies for Advanced settings:
\User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
These paths locate the security zone settings in the Group Policy Management Console:
HKEY_LOCAL_MACHINE policies by security zone for URL actions:
\Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
HKEY_CURRENT_USER policies by security zone for URL actions:
\User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
These paths locate the Advanced settings in policy and in preference in the Windows registry (in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER):
Advanced setting UI | Preference key name | Policy key name
Install on Demand (Internet Explorer) | HKCU\Software\Microsoft\Internet Explorer\Main\NoJITSetup | Software\Policies\Microsoft\Internet Explorer\Main\NoJITSetup
Install on Demand (Other) | HKCU\Software\Microsoft\Internet Explorer\Main\NoWebJITSetup | Software\Policies\Microsoft\Internet Explorer\Main\NoWebJITSetup
Third-party Browser Extensions | HKCU\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions | Software\Policies\Microsoft\Internet Explorer\Main\Enable Browser Extensions
Automatically check for IE Updates | HKCU\Software\Microsoft\Internet Explorer\Main\NoUpdateCheck | Software\Policies\Microsoft\Internet Explorer\Main\NoUpdateCheck
Play Animations in Web Pages | HKCU\Software\Microsoft\Internet Explorer\Main\Play_Animations | Software\Policies\Microsoft\Internet Explorer\Main\Play_Animations
Play Sounds in Web Pages | HKCU\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds | Software\Policies\Microsoft\Internet Explorer\Main\Play_Background_Sounds
Play Videos in Web Pages | HKCU\Software\Microsoft\Internet Explorer\Main\Display Inline Videos | Software\Policies\Microsoft\Internet Explorer\Main\Display Inline Videos
Allow software to run or install even if the signature is invalid | HKCU\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures | Software\Policies\Microsoft\Internet Explorer\Download\RunInvalidSignatures
Allow active content from CDs to run on user machines | HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LocalMachine_CD_Unlock | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LocalMachine_CD_Unlock
Check for Server Certificate Revocation | HKCU\Software\Microsoft\Internet Explorer\Download\CertificateRevocation | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
Check for Signatures on Downloaded Programs | HKCU\Software\Microsoft\Internet Explorer\Main\CheckExeSignatures | Software\Policies\Microsoft\Internet Explorer\Main\CheckExeSignatures
Do Not Save Encrypted Pages to Disk | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
Empty Temporary Internet Files Folder When Browser is Closed | HKCU\Software\Microsoft\Internet Explorer\Cache\Persistent | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Persistent
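Because each Advanced setting lives in two places, the practical question for an administrator is which copy Internet Explorer will honour. The following PowerShell script is an added example, not part of the original post or of Microsoft's documentation: for a security-relevant subset of the table above it reads the HKCU preference value and the policy value in both HKLM and HKCU, then applies the precedence the page describes (HKLM policy, then HKCU policy, then preference) to show the effective value and whether a user could still change it. The key and value names are the page's; the function names are assumptions, and values are reported as stored (some are "yes"/"no" strings, some DWORDs) without interpretation.

```powershell
# Added example: show, for selected Advanced settings from the page's table,
# which of the preference / HKCU policy / HKLM policy values is effective.
# Relative paths are the page's; "Pref" is read under HKCU, "Policy" under both hives.
$AdvancedSettings = @(
    @{ Name      = 'Third-party Browser Extensions'
       Pref      = 'Software\Microsoft\Internet Explorer\Main'
       Policy    = 'Software\Policies\Microsoft\Internet Explorer\Main'
       ValueName = 'Enable Browser Extensions' },
    @{ Name      = 'Allow software to run or install even if the signature is invalid'
       Pref      = 'Software\Microsoft\Internet Explorer\Download'
       Policy    = 'Software\Policies\Microsoft\Internet Explorer\Download'
       ValueName = 'RunInvalidSignatures' },
    @{ Name      = 'Check for Server Certificate Revocation'
       Pref      = 'Software\Microsoft\Internet Explorer\Download'
       Policy    = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
       ValueName = 'CertificateRevocation' },
    @{ Name      = 'Check for Signatures on Downloaded Programs'
       Pref      = 'Software\Microsoft\Internet Explorer\Main'
       Policy    = 'Software\Policies\Microsoft\Internet Explorer\Main'
       ValueName = 'CheckExeSignatures' },
    @{ Name      = 'Do Not Save Encrypted Pages to Disk'
       Pref      = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Policy    = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
       ValueName = 'DisableCachingOfSSLPages' },
    @{ Name      = 'Allow active content from CDs to run on user machines'
       Pref      = 'Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings'
       Policy    = 'Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings'
       ValueName = 'LocalMachine_CD_Unlock' }
)

function Read-RegValue([string]$Path, [string]$Name) {
    # Returns the stored value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-AdvancedSettingState {
    foreach ($s in $AdvancedSettings) {
        $hklmPolicy = Read-RegValue "HKLM:\$($s.Policy)" $s.ValueName
        $hkcuPolicy = Read-RegValue "HKCU:\$($s.Policy)" $s.ValueName
        $preference = Read-RegValue "HKCU:\$($s.Pref)"   $s.ValueName

        # Precedence from the page: HKLM policy, then HKCU policy, then the preference.
        if     ($null -ne $hklmPolicy) { $effective = $hklmPolicy; $source = 'HKLM policy' }
        elseif ($null -ne $hkcuPolicy) { $effective = $hkcuPolicy; $source = 'HKCU policy' }
        elseif ($null -ne $preference) { $effective = $preference; $source = 'HKCU preference (user can change)' }
        else                           { $effective = $null;       $source = 'not set' }

        [pscustomobject]@{
            Setting    = $s.Name
            Preference = $preference
            HKCUPolicy = $hkcuPolicy
            HKLMPolicy = $hklmPolicy
            Effective  = $effective
            Source     = $source
        }
    }
}

Get-AdvancedSettingState | Format-Table -AutoSize
```

A row whose Source is the preference is one the Internet Options dialog still lets the user edit; the page's note about users appearing to change preferences applies only once a policy value exists in one of the two policy hives.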
These paths locate the security zone settings in policy and in preference in the Windows registry (in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER):
Location of Locked-Down Intranet zone policy values:
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
Location of Locked-Down Trusted Sites policy:
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
Location of Locked-Down Internet zone policy values:
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
Location of Locked-Down Restricted Sites policy values:
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
Location of Locked-Down Intranet zone template:
Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings
Location of Locked-Down Trusted Sites template:
Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings
Location of Locked-Down Internet zone template:
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings
Location of Locked-Down Restricted Sites template:
Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings
Configuring policies and preferences
Group Policy is the recommended tool for managing Internet Explorer for client computers on a corporate network. Internet Explorer supports Group Policy management for all new Internet Explorer Feature Controls in Windows Server 2003 Service Pack 1, and for Security page settings or URL actions. Administrators of Group Policy can manage these new policy settings in the Administrative Templates extension of the Group Policy Management Console.
When implementing policy settings, it is recommended that you configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific client computers.
Policies can be read by users but can only be changed via Group Policy management or by an administrator. Preference settings can be changed programmatically, by editing the registry, or in the case of URL actions, by using Internet Explorer. Settings specified by Group Policy take precedence over settings specified using preferences.
Why is this change important?
By adding the new Advanced setting policies and Locked-Down security policies to Group Policy, administrators can manage these true policies to establish standard settings for all the computers that they configure. The administrator can control these settings in such a way that they cannot be changed except through Group Policy or by a user with administrator privileges, thus ensuring that security and certain Advanced settings are not set by end users.
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
Windows Server 2003 Service Pack 1 adds new policies to Group Policy but does not change how policies are managed. Developers need to be aware of how each Feature Control and URL action setting or setting combination affects security-related behavior for their applications in each security zone.
For greater security, the administrator should enable policies for all zones, so that there is a known configuration set by policy rather than an unknown setting read from HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER preference settings not set by policy. If the administrator sets policies for all zones, we recommend that the policy to disable the Security page be enabled, which will make the user interface in Internet Explorer unavailable.
Feature Control Policies
The administrator should also understand the Feature Control policy settings. Some of the URL action settings will not be valid unless the corresponding Feature Control policy is enabled. Internet Explorer checks to see whether the feature is enabled, and if it is, then looks for the setting for the action based on the security zone of the URL.
Zone Map Policies
The method for adding Zone Map keys to policy is as follows:
1. To set computer policy, go to \Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page within Group Policy. To set user policy, go to \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page within Group Policy.
2. Select the Site to Zone Assignment List policy.
3. Select Enabled and click Show…
4. For each site you would like to map:
a. Click Add…
b. Enter the name, IP address, or IP range of the site you want to map (for example, http://www.contoso.com, 127.0.0.1, 127.0.0.1-10).
c. Enter the value identifying the zone to which this site should be mapped. The choices are (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, (4) Restricted Sites zone.
d. Click OK.
e. The site name and value should appear in the list.
5. Click OK in the Show Contents window.
6. Click OK again to close the Site to Zone Assignment List Properties window.
Note
Policies created by following these instructions are ignored by computers with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed. To set zone map policy on a computer with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed, use the Internet Explorer Maintenance (IEM) snap-in to Group Policy. When using the IEM to create a Group Policy object to apply to a computer with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed, you must be using a computer with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed.
Note
For more information about using Group Policy, see "Implementing Registry-based Group Policy" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=28188. For more information about using Internet Explorer security zone and privacy settings, see "Description of Internet Explorer Security Zones Registry Entries" on the Microsoft Knowledge Base Web site at http://go.microsoft.com/fwlink/?LinkId=28195.