Description of Internet Explorer Security Zones Registry Entries

Last reviewed: March 17, 1998
Article ID: Q182569
The information in this article applies to:
  • Microsoft Internet Explorer versions 4.0, 4.01 for Windows NT 4.0
  • Microsoft Internet Explorer versions 4.0, 4.01 for Windows 95

SUMMARY

This document describes how Internet Explorer security zones settings are stored and managed in the registry.

MORE INFORMATION

Internet Explorer security zones settings are stored under the following registry keys:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
      Internet Settings

   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
      Internet Settings

Both of these registry keys contain the following keys:
  • TemplatePolicies
  • ZoneMap
  • Zones

NOTE: Security zones settings are stored in the HKEY_CURRENT_USER registry key. Since this key is dynamically loaded for each user, the settings for one user do not affect the settings of another. If you manually add these settings to the HKEY_LOCAL_MACHINE key, everyone who logs on to the computer uses the same security zones settings. This could affect any system policies that are set on the computer.

TemplatePolicies

The TemplatePolicies key determines the settings of the default security zone levels (Low, Medium, and High). While the security level settings can be changed from the default settings, there is no way to add additional security levels. The Low, Medium, and High keys contain values that determine the setting for the security zone. Each key contains a Description and Display Name string value that determines the text displayed on the Security tab for each security level.

ZoneMap

The ZoneMap key contains the following keys:

  • Domains
  • ProtocolDefaults
  • Ranges

The ProtocolDefaults key specifies the default security zone used for a given protocol (ftp, http, https, and so on). The default setting can be changed by either adding a protocol to a security zone by clicking Add Sites on the Security tab, or by adding a DWORD value under the Domains key. The DWORD value name should be the protocol name and should not contain any colons (:) or slashes (/).

The ProtocolDefaults key also contains DWORD values that specify the default security zones in which a protocol is used. You cannot change these values using the Security tab. This setting is used when a particular Web site does not fall within a security zone.

The Domains key contains domains and protocols that have been added to change their behavior from the default behavior. When a domain is added, a key is added to the Domains key. Subdomains appear as keys under the domain to which they belong. Each key that lists a domain contains a DWORD with a value name of the affected protocol. The value of the DWORD is the same as the numerical value of the security zone to which the domain is added.

The Ranges key contains ranges of Transmission Control Protocol/Internet Protocol (TCP/IP) addresses. Each TCP/IP range you specify appears in an arbitrarily named key. This key contains a string value (:Range) that specifies the TCP/IP range affected. DWORD values with the name of the security zone the range should fall within are added for each protocol.
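
The Domains layout described above can be flattened for review. The following is an added example, not part of the original article or any Microsoft tool: it walks a constructed, in-memory copy of a Domains key and lists every host/protocol/zone mapping. The sample data, the function names, and the choice to single out zones numbered below 3 for review are assumptions of this example.

```python
# Zone numbers and names as listed in the article's Zones table.
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet Zone", 2: "Trusted sites Zone",
              3: "Internet Zone", 4: "Restricted Sites Zone"}

# Constructed sample of a Domains key (not from a real system). Each dict is a
# registry key, a nested dict is a subkey (a subdomain of the enclosing
# domain), and an int is a DWORD whose value name is a protocol.
SAMPLE_DOMAINS = {
    "example.com": {
        "http": 4,
        "intranet": {"https": 1},
        "updates": {"http": 2, "https": 2},
    },
    "example.org": {"ftp": 3},
}

def walk_domains(key, parent=""):
    """Yield (host, protocol, zone) for every DWORD under a Domains key."""
    for name, value in sorted(key.items(), key=lambda kv: kv[0]):
        if isinstance(value, dict):
            # Subkey: a domain, or a subdomain of the enclosing domain key.
            host = f"{name}.{parent}" if parent else name
            yield from walk_domains(value, host)
        else:
            # DWORD: value name is the protocol, data is the zone number.
            # An empty host means the DWORD sits directly under Domains.
            yield parent, name, value

def elevated_mappings(domains):
    """Return mappings into zones numbered below Internet (3).

    Assumption of this example: those are the entries worth a manual review.
    """
    return [(host, proto, ZONE_NAMES.get(zone, f"unknown zone {zone}"))
            for host, proto, zone in walk_domains(domains) if zone < 3]

if __name__ == "__main__":
    for host, proto, zone in elevated_mappings(SAMPLE_DOMAINS):
        print(f"{proto}://{host} -> {zone}")
```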

Zones

The Zones key contains keys representing each security zone defined for the computer. By default, the following five zones are defined (numbered zero through four):

   Value    Setting
   ------------------------------

   0        My Computer
   1        Local Intranet Zone
   2        Trusted sites Zone
   3        Internet Zone
   4        Restricted Sites Zone

NOTE: My Computer does not appear in the Zone box on the Security tab.

Each of these keys contains the following DWORD values representing corresponding settings on the Security tab:

NOTE: Unless noted otherwise, each DWORD value is equal to zero, one, or three. A setting of zero normally sets a given action as being allowed, a setting of one causes a prompt to appear, and a setting of three prohibits the given action.

   Value    Setting
   -----------------------------------------------------------------------

   1001     Download signed ActiveX controls
   1004     Download unsigned ActiveX controls
   1200     Run ActiveX controls and plug-ins
   1201     Initialize and run ActiveX controls and plug-ins not marked as
            safe
   1400     Active scripting
   1402     Scripting of Java programs
   1405     Script ActiveX controls marked as safe for scripting
   1601     Submit non-encrypted form data
   1604     Font download
   1605     Unknown
   1800     Installation of desktop items
   1802     Drag and drop or copy and paste of files
   1803     File Download
   1804     Load applications and files in an IFRAME
   1805     Unknown
   1A00     Logon
   1C00     Java permissions
   1E05     Software channel permissions

There is no prompt setting for File Download (1803) because it is either allowed or not allowed.

The Logon setting has the following four possible values (decimal):

   Value    Setting
   ---------------------------------------------------------------

   0        Automatically logon with current username and password
   65536    Prompt for user name and password
   131072   Automatic logon only in the Intranet zone
   196608   Anonymous logon

The Java Permissions setting has the following five possible values (decimal):

   Value    Setting
   -----------------------

   0         Disable Java
   65536     High safety
   131072    Medium safety
   196608    Low safety
   8388608   Custom

Each security zone contains the Description and Display Name string values. The text of these values is displayed on the Security tab when you click a zone in the Zone box. There is also an Icon string value that sets the icon displayed for each zone. With the exception of the My Computer zone, each zone contains a CurrentLevel, MinLevel, and RecommendedLevel DWORD value. The MinLevel value sets the lowest setting that can be used before you receive a warning message, CurrentLevel is the current setting for the zone, and RecommendedLevel is the recommended level for the zone.

The Flags DWORD value determines the ability of the user to modify the security zone's properties. To determine the Flags value, add the numbers of the desired settings together. The following Flags values are available (decimal):

   Value    Setting
   ------------------------------------------------------------------

   1        Allow changes to custom settings
   2        Allow users to add Web sites to this zone
   4        Require verified Web sites (https protocol)
   8        Include Web sites that bypass the proxy server
   16       Include Web sites not listed in other zones
   32       Do not show security zone in Internet Properties (default
            setting for My Computer)
   64       Show the Requires Server Verification dialog box
   128      Treat Universal Naming Connections (UNCs) as intranet
            connections
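
The value tables above can be applied mechanically when reviewing an exported zone key. The following is an added example, not part of the original article: it decodes the DWORDs of one zone key using the tables in this article, including the additive Flags value. The sample values, the function names, and the shortened setting list are assumptions of this example.

```python
# Tables transcribed from this article; values are decimal as given there.
ACTION = {0: "allow", 1: "prompt", 3: "prohibit"}
LOGON = {0: "automatic logon with current username and password",
         65536: "prompt for user name and password",
         131072: "automatic logon only in the Intranet zone",
         196608: "anonymous logon"}
JAVA = {0: "disable Java", 65536: "high safety", 131072: "medium safety",
        196608: "low safety", 8388608: "custom"}
FLAGS = {1: "allow changes to custom settings",
         2: "allow users to add Web sites to this zone",
         4: "require verified Web sites (https)",
         8: "include Web sites that bypass the proxy server",
         16: "include Web sites not listed in other zones",
         32: "do not show zone in Internet Properties",
         64: "show the Requires Server Verification dialog box",
         128: "treat UNCs as intranet connections"}
NAMES = {"1001": "Download signed ActiveX controls",
         "1004": "Download unsigned ActiveX controls",
         "1200": "Run ActiveX controls and plug-ins",
         "1400": "Active scripting", "1803": "File Download"}  # subset of the table

def decode_zone(values):
    """Map the raw DWORDs of one zone key to readable settings."""
    out = {}
    for name, dword in values.items():
        if name == "Flags":  # additive: test each listed bit in turn
            out[name] = [text for bit, text in FLAGS.items() if dword & bit]
        elif name == "1A00":
            out["Logon"] = LOGON.get(dword, f"unrecognized ({dword})")
        elif name == "1C00":
            out["Java permissions"] = JAVA.get(dword, f"unrecognized ({dword})")
        elif name in NAMES:  # ordinary 0/1/3 action settings
            out[NAMES[name]] = ACTION.get(dword, f"unrecognized ({dword})")
        else:
            out[name] = dword  # not covered here; keep the raw value
    return out

def allowed_without_prompt(values):
    """List action settings whose DWORD is 0 (allowed, no prompt)."""
    return [NAMES[n] for n, v in values.items() if n in NAMES and v == 0]

# Constructed sample values for one zone key (not taken from a real system).
SAMPLE_ZONE = {"1001": 1, "1004": 3, "1200": 0, "1400": 0, "1803": 0,
               "1A00": 131072, "1C00": 65536, "Flags": 67}
```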

If you add settings to both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys, the settings are additive. If you add Web sites to both keys, only those Web sites in the HKEY_CURRENT_USER key can be seen. The Web sites in the HKEY_LOCAL_MACHINE key are still enforced according to their settings, but they cannot be seen or modified. This can be confusing because a Web site may be listed in only one security zone for each protocol.

Keywords          : kbenv msient msiew95
Version           : WINDOWS:4.0,4.01
Platform          : WINDOWS
Issue type        : kbinfo


================================================================================


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved.