Internet Explorer URL Action and Advanced Security Settings in Group Policy

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion Internet Explorer URL Action and Advanced Security Settings in Group Policy

Viewing 0 reply threads
  • Author
    • #2199

      The Microsoft Windows Server 2003 InternetExplorer Enhanced Security Configuration component (also known as
      Microsoft InternetExplorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
      restrictiveInternetExplorer security settings that disablescripts, ActiveX components,and file downloads for resources in the
      Internet security zone. As a result, many of thesecurity enhancements included in thelatest release of InternetExplorer will
      not beas noticeablein Windows Server 2003 Service Pack 1.For example, the new InternetExplorer Notification Bar and
      Pop-up Blocker features will not be used unless thesiteis in a zone whosesecurity setting allows scripting. If you are not
      using theEnhanced Security Configuration on your server, thesefeatures will function as they do in Windows XP Service
      Pack 2.
      What does InternetExplorer Settings in Group Policy do?
      Windows XP Service Pack 2 introduced true policies for theconfigurableactions in theInternetExplorer Security tab settings.
      In addition to incorporating these policies into InternetExplorer in Windows Server 2003 Service Pack 1,additional policies
      werecreated for selected configurableactions in theInternetExplorer Advanced tab,as well as for URL action policies in
      Locked-Down zones used only by the Network Protocol Lockdown security feature. In this release, thesesecurity settings are
      managed using the Group Policy Management Consoleand, if set,can only bechanged by a Group Policy object (GPO) or by
      an administrator.
      An updated Inetres.adm filecontains a list of settings as policies, including Advanced settings, which arealso found in the
      InternetExplorer user interfaceas preferences. Administrators can managethe new featurecontrol policies by using Group
      Policy objects (GPOs).When InternetExplorer is installed, the default HKEY_CURRENT_USER preferences settings for these
      settings areregistered on thecomputer as they werein previous versions.The Administrator has to usethe Group Policy
      Management Console(GPMC) to add thesesettings as policies.
      Who does this feature apply to?
      Group Policy administrators can uniformly configurethe new InternetExplorer Advanced setting policies,as well as policies for
      Locked-Down security zones, for thecomputers and users that they manage. It is important to inform theend-user which
      actions arecontrolled by policy,as theseactions will override user preferencesettings.
      TheInternet Options control panel will display policy settings when opened and users can interact with user interfaceand
      appear to changetheir preferences. However, these preferences will notactually override Group Policy settings, which may
      causea confusing user experience.Theadministrator can also seta policy to disablethe Advanced page user interfaceso
      that it is clearer to the user that thesesettings are notavailableto bechanged.This is notan issuefor theLocked-Down
      zones’ settings as they are notaccessiblethrough the user interface.
      What existing functionality is changing in Windows Server 2003 Service Pack 1?
      Group Policy InternetExplorer advanced settings
      Detailed description
      Thefollowing definitions apply to InternetExplorer settings for Windows Server 2003 with Service Pack 1:
      Security zones:Locked-Down Intranet Zone,Locked-Down Trusted Sites Zone,Locked-Down Internet Zone,and LockedDown
      Restricted Sites zone.
      Templates:Standard settings for all URL actions in thesesecurity zones.Templates can beapplied in any zone,and
      settings will providea range of choices from low security, medium-low, medium,and up to high security for thezone.
      URL actions:Security settings in theregistry that identify theaction to takefor that featurein thesecurity zone wherethe
      URL resides. URL action settings includeenable, disable, prompt,and others as appropriate.
      URL action policies: URL action policies can beadded individually by enabling the desired URL action policy, then
      selecting thesetting for the policy registry key value.They can also beset by zonetemplate.
      InternetExplorer will look for a policy in thefollowing order:
      HKEY_LOCAL_MACHINE policy hive
      HKEY_CURRENT_USER policy hive
      HKEY_CURRENT_USER preference hive
      HKEY_LOCAL_MACHINE preference hive
      If InternetExplorer finds a policy in the HKEY_LOCAL_MACHINE policy hive, it stops and does not continue; that is thesetting it
      respects. If InternetExplorer does not find a policy in HKEY_LOCAL_MACHINE policy hive, it looks in the HKEY_CURRENT_USER
      policy hive,and so on.Theadministrator can seta policy for one or more URL actions in one or morezones,and allow theend
      user to manage preferences for URL actions that do not require policy-level security management.
      Policy values for URL action
      The new URL action policies havethesame numeric values as their related preferencekeys.Thefollowing table provides a
      referenceto these URL actions.
      URL action flag name Security setting UI Numeric
      URLACTION_DOWNLOAD_SIGNED_ACTIVEX Download signed ActiveX controls 1001
      URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX Download unsigned ActiveX controls 1004
      URLACTION_ACTIVEX_RUN Run ActiveX controls and plugins 1200
      URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY Initializeand script ActiveX controls not marked as safe 1201
      URLACTION_SCRIPT_RUN Activescripting 1400
      URLACTION_SCRIPT_JAVA_USE Scripting of Java applets 1402
      URLACTION_SCRIPT_SAFE_ACTIVEX Script ActiveX controls marked safefor scripting 1405
      URLACTION_CROSS_DOMAIN_DATA Access data sources across domains 1406
      URLACTION_SCRIPT_PASTE Allow paste operations via script 1407
      URLACTION_HTML_SUBMIT_FORMS Submit non-encrypted form data 1601
      URLACTION_HTML_FONT_DOWNLOAD Font download 1604
      URLACTION_HTML_USERDATA_SAVE Userdata persistence 1606
      URLACTION_HTML_SUBFRAME_NAVIGATE Navigatesub-frames across different domains 1607
      URLACTION_HTML_MIXED_CONTENT Display mixed content 1609
      URLACTION_SHELL_INSTALL_DTITEMS Installation of desktop items 1800
      URLACTION_SHELL_MOVE_OR_COPY Drag and drop or copy and pastefiles 1802
      URLACTION_SHELL_FILE_DOWNLOAD File download 1803
      URLACTION_SHELL_VERB Launching applications and files in an IFRAME 1804
      URLACTION_SHELL_POPUPMGR Use Pop-up blocker 1809
      URLACTION_CLIENT_CERT_PROMPT Don’t prompt for client certificateselection when no certificates
      or only onecertificateexists
      URLACTION_JAVA_PERMISSIONS Java permissions 1C00
      URLACTION_CHANNEL_SOFTDIST_PERMISSIONS Softwarechannel permissions 1E05
      URLACTION_BEHAVIOR_RUN Scriptand Binary Behaviors 2000
      URLACTION_MANAGED_SIGNED Run .NETFramework-reliant components signed with
      URLACTION_MANAGED_UNSIGNED Run .NETFramework-reliant components not signed with
      URLACTION_FEATURE_MIME_SNIFFING Open files based on content, not fileextension 2100
      URLACTION_FEATURE_ZONE_ELEVATION Web sites in less privileged Web content zones can navigate
      into this zone
      URLACTION_FEATURE_WINDOW_RESTRICTIONS Allow script-initiated windows without size or position
      URLACTION_AUTOMATIC_DOWNLOAD_UI Automatic prompting for file downloads 2200
      URLACTION_AUTOMATIC_ACTIVEX_UI Automatic prompting for ActiveX controls 2201
      URLACTION_ALLOW_RESTRICTEDPROTOCOLS Allow activecontent over restricted protocols to access my
      For moreinformation about using URL action flags, see”URL Action Flags” on the MSDN Web siteat
      Thefollowing table provides a referenceto thesetting options availablefor each URL action.
      Numeric Name URL Action Policy Setting Options
      1001 “Enable”=0x00000000
      1004 “Enable”=0x00000000
      1200 “Administrator approved”=0x00010000
      1201 “Enable”=0x00000000
      1400 “Enable”=0x00000000
      1402 “Enable”=0x00000000
      1405 “Enable”=0x00000000
      1406 “Enable”=0x00000000
      1407 “Enable”=0x00000000
      1601 “Enable”=0x00000000
      1604 “Enable”=0x00000000
      1606 “Enable”=0x00000000
      1607 “Enable”=0x00000000
      1608 “Enable”=0x00000000
      1609 “Enable”=0x00000000
      1800 “Enable”=0x00000000
      1802 “Enable”=0x00000000
      1803 “Enable”=0x00000000
      1804 “Enable”=0x00000000
      1809 “Enable”=0x00000000
      1A00 “Anonymous logon”=0x00030000
      “Automatic logon only in Intranet zone”=0x00020000
      “Automatic logon with current user nameand password”=0x00000000
      “Prompt for user nameand password”=0x00010000
      1A04 “Enable”=0x00000000
      1C00 “High safety”=0x00010000
      “Medium safety”=0x00020000
      “Low safety”=0x00030000
      1E05 “High Safety”=0x00010000
      “Medium Safety”=0x00020000
      “Low Safety”=0x00030000
      2000 “Enable”=0x00000000
      “Administrator approved”=0x00010000
      2001 “Enable”=0x00000000
      2004 “Enable”=0x00000000
      2100 “Enable”=0x00000000
      2101 “Enable”=0x00000000
      2102 “Enable”=0x00000000
      2200 “Enable”=0x00000000
      2201 “Enable”=0x00000000
      2300 “Enable”=0x00000000
      Key for numeric translation of URL policy settings
      Value DWORD Setting
      0 0x00000000 Enable
      1 0x00000001 Prompt
      3 0x00000003 Disable
      65536 0x00010000 High Safety
      131072 0x00020000 Medium Safety
      196608 0x00030000 Low Safety
      For descriptions for each of the URL policy settings, see”URL Action Flags” on the MSDN Web siteat
      Default settings for each URL action in zones and templates
      Each URL action has a default that is set in each zoneand set when a specified templateis applied.The default settings for each
      zoneare described in thefollowing table.
      URL action default settings
      URL action numeric
      Locked-Down Restricted
      Locked-Down Internet
      Locked-Down Intranet
      Locked-Down Trusted
      1001 3 1 1 0
      1004 3 3 3 3
      1200 3 3 3 3
      1201 3 3 3 3
      1400 3 3 3 3
      1402 3 0 0 0
      1405 3 0 0 0
      1406 3 3 1 0
      1407 3 0 0 0
      1601 1 1 0 0
      1604 1 0 0 0
      1606 3 0 0 0
      1607 3 0 0 0
      1608 3 0 0 0
      1609 1 1 1 1
      1800 3 1 1 0
      1802 1 0 0 0
      1803 3 0 0 0
      1804 3 1 1 0
      1809 0 0 3 3
      1A00 65536 131072 131072 0
      1A04 3 3 3 3
      1C00 0 0 0 0
      1E05 65536 131072 131072 196608
      2000 3 65536 65536 65536
      2001 3 3 3 3
      2004 3 3 3 3
      2100 3 3 3 3
      2101 3 3 3 3
      2102 3 3 3 3
      2200 3 3 3 3
      2201 3 3 3 3
      2300 3 1 1 1
      Group Policy Settings Paths
      These paths locatetheavailable Advanced settings in the Group Policy Management Console:
      HKEY_LOCAL_MACHINE policies for Advanced settings:
      \Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control
      Panel\Advanced Page
      HKEY_CURRENT_USER policies for Advanced settings:
      \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control
      Panel\Advanced Page
      These paths locatethesecurity zonesettings in the Group Policy Management Console:
      HKEY_LOCAL_MACHINE policies by security zonefor URL actions:
      \Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control
      Panel\Security Page
      HKEY_CURRENT_USER policies by security zonefor URL actions:
      \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control
      Panel\Security Page
      These paths locatethe Advanced settings in policy and in preferencein the Windows registry (in either
      Advanced setting
      Preference key name Policy key name
      Install on Demand
      HKCU \Software\Microsoft\InternetExplorer\Main
      Install on Demand
      Third-party Browser
      Explorer\Main\Enable Browser Extensions
      Software\Policies \Microsoft\Internet
      Explorer\Main\Enable Browser Extensions
      Automatically check
      for IE Updates
      Software\Policies \Microsoft\InternetExplorer\Main
      Play Animations in
      Web Pages
      Software\Policies \Microsoft\InternetExplorer\Main
      Play Sounds in Web
      Software\Policies \Microsoft\InternetExplorer\Main
      Play Videos in Web
      Explorer\Main\Display Inline Videos
      Software\Policies \Microsoft\Internet
      Explorer\Main\Display Inline Videos
      Allow softwareto run
      or install even if the
      signatureis invalid
      Explorer\Download \RunInvalidSignatures
      Software\Policies \Microsoft\Internet
      Explorer\Download \RunInvalidSignatures
      Allow activecontent
      from CDs to run on
      user machines
      \Settings \LocalMachine_CD_Unlock
      \Software\Policies \Microsoft\Internet
      Explorer\Main \FeatureControl
      Check for Server
      Certificate Revocation
      Explorer\Download \CertificateRevocation
      Software\Policies \Microsoft\Windows
      \CurrentVersion \InternetSettings
      Check for Signatures
      on Downloaded
      Software\Policies \Microsoft\Internet
      Explorer\Main\ CheckExeSignatures
      Do NotSave
      Encrypted Pages to
      \CurrentVersion \InternetSettings
      Software\Policies \Microsoft\Windows
      \CurrentVersion \InternetSettings
      Empty Temporary
      InternetFiles Folder
      When Browser is
      Software\Policies \Microsoft\Windows
      \CurrentVersion \InternetSettings\Cache\Persistent
      These paths locatethesecurity zonesettings in policy and in preferencein the Windows registry (in either
      Location of Locked-Down Intranet zone policy values:
      Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
      Location of Locked-Down Trusted Sites policy:
      Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
      Location of Locked-Down Internet zone policy values:
      Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
      Location of Locked-Down Restricted Sites policy values:
      Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
      Location of Locked-Down Intranet zonetemplate:
      Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings
      Location of Locked-Down Trusted Sites template:
      Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings
      Location of Locked-Down Internet zonetemplate:
      Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings
      Location of Locked-Down Restricted Sites template:
      Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings
      Configuring policies and preferences
      Group Policy is therecommended tool for managing InternetExplorer for client computers on a corporate network. Internet
      Explorer supports Group Policy management for all new InternetExplorer Feature Controls in Windows Server 2003 Service
      Pack 1,and for Security pagesettings or URL actions. Administrators of Group Policy can managethese new policy settings in
      the AdministrativeTemplates extension of the Group Policy Management Console.
      When implementing policy settings, it is recommended thatyou configuretemplate policy settings in one Group Policy object
      (GPO) and configureany related individual policy settings in a separate GPO. You can then use Group Policy management
      features (for example, precedence, inheritance, or enforce) to apply individual settings to specific client computers.
      Policies can beread by users but can only bechanged by via Group Policy management or by an administrator. Preference
      settings can bechanged programmatically, by editing theregistry, or in thecase of URL actions, by using InternetExplorer.
      Settings specified by Group Policy take precedence over settings specified using preferences.
      Why is this change important?
      By adding the new Advanced setting policies and Locked-Down security policies to Group Policy,administrators can manage
      thesetrue policies to establish standard settings for all thecomputers that they configure.Theadministrator can control these
      settings in such a way that they cannot bechanged except through Group Policy or by a user with administrator privileges,
      thus ensuring that security and certain Advanced settings are not set by end users.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      Windows Server 2003 Service Pack 1 adds new policies to Group Policy but does not change how policies are managed.
      Developers need to beaware of how each Feature Control and URL action setting or setting combination affects securityrelated
      behavior for their applications in each security zone.
      For greater security, theadministrator should enable policies for all zones, so that thereis a known configuration set by policy
      rather than an unknown setting read from HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER preferencesettings not set by
      policy. If theadministrator sets policies for all zones, werecommend that the policy to disablethe Security page beenabled,
      which will makethe user interfacein InternetExplorer unavailable.
      Feature Control Policies
      Theadministrator should also understand theFeature Control policy settings.Some of the URL action settings will not bevalid
      unless thecorresponding Feature Control policy is enabled. InternetExplorer checks to see whether thefeatureis enabled,and
      if it is, then looks for thesetting for theaction based on thesecurity zone of the URL.
      Zone Map Policies
      The method for adding Zone Map keys to policy is as follows:
      1. To set computer policy, go to \Computer Configuration\AdministrativeTemplates\Windows Components\Internet
      Explorer\Internet Control Panel\Security Page within Group Policy.To set user policy, go to \User
      Configuration\AdministrativeTemplates\Windows Components\InternetExplorer\Internet Control Panel\Security Page
      within Group Policy.
      2. Select the Site to Zone AssignmentList policy.
      3. SelectEnabled and click Show…
      4. For each siteyou would liketo map:
      a. Click Add…
      b. Enter the name, IP address, or IP range of thesiteyou want to map (for example,,,,
      c. Enter thevalueidentifying thezoneto which this siteshould be mapped.Thechoices are(1) Intranet zone, (2)
      Trusted Sites zone, (3) Internet zone, (4) Restricted Sites zone.
      d. Click OK.
      e. Thesite nameand valueshould appear in thelist.
      5. Click OK in the Show Contents window.
      6. Click OK again to closethe Site to Zone AssignmentList Properties window.
      Policies created by following theseinstructions areignored by computers with the Windows Server 2003 Internet
      Explorer Enhanced Security Configuration component installed.To set zone map policy on a computer with Windows
      Server 2003 InternetExplorer Enhanced Security Configuration component installed, usetheInternetExplorer
      Maintenance(IEM) snap-in to Group Policy.When using theIEM to createa Group Policy object to apply to a computer
      with the Windows Server 2003 InternetExplorer Enhanced Security Configuration component installed,you must be
      using a computer with the Windows Server 2003 InternetExplorer Enhanced Security Configuration component
      For moreinformation about using Group Policy, see”Implementing Registry-based Group Policy” on the Microsoft Web site
      at moreinformation about using InternetExplorer security zoneand
      privacy settings, see”Description of InternetExplorer Security Zones Registry Entries” on the Microsoft Knowledge Base Web

Viewing 0 reply threads
  • You must be logged in to reply to this topic.