This article describes how and where Internet Explorer security zones and privacy settings are stored and managed in the registry. You can use Group Policy or the Microsoft Internet Explorer Administration Kit (IEAK) to set security zones and privacy settings.
Original product version: Internet Explorer 9, Internet Explorer 10
Original KB number: 182569
Privacy settings
Internet Explorer 6 and later versions added a Privacy tab to give users more control over cookies. This tab (select Tools, and then select Internet options) provides flexibility for blocking or allowing cookies, based on the website that the cookie came from or the type of cookie. Types of cookies include first-party cookies, third-party cookies, and cookies that do not have a compact privacy policy. This tab also includes options to control website requests for physical location data, the ability to block pop-ups, and the ability to run toolbars and extensions when InPrivate browsing is enabled.
There are different levels of privacy on the Internet zone, and they are stored in the registry at the same location as the security zones.
You can also add a Web site to enable or to block cookies based on the Web site, regardless of the privacy policy on the Web site. Those registry keys are stored in the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
Domains that have been added as a managed site are listed under this subkey. These domains can carry either of the following DWORD values:
0x00000005 - Always Block
0x00000001 - Always Allow
Security Zone settings
For each zone, users can control how Internet Explorer handles higher-risk items such as ActiveX controls, downloads, and scripts. Internet Explorer security zones settings are stored under the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
These registry keys contain the following keys:
- TemplatePolicies
- ZoneMap
- Zones
Note
By default, security zones settings are stored in the HKEY_CURRENT_USER registry subtree. Because this subtree is dynamically loaded for each user, the settings for one user do not affect the settings for another.
If the Security Zones: Use only machine settings setting in Group Policy is enabled, or if the Security_HKLM_only DWORD value is present and has a value of 1 in the following registry subkey, only local computer settings are used and all users have the same security settings:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
With the Security_HKLM_only policy enabled, HKLM values will be used by Internet Explorer. However, the HKCU values will still be displayed in the zone settings on the Security tab in Internet Explorer. In Internet Explorer 7, the Security tab of the Internet Options dialog box displays the following message to indicate that settings are managed by the system administrator:
Some settings are managed by your system administrator
If the Security Zones: Use only machine settings setting is not enabled in Group Policy, or if the Security_HKLM_only DWORD value does not exist or is set to 0, computer settings are used together with user settings. However, only user settings appear in the Internet Options. For example, when this DWORD value does not exist or is set to 0, HKEY_LOCAL_MACHINE settings are read together with HKEY_CURRENT_USER settings, but only HKEY_CURRENT_USER settings appear in the Internet Options.
TemplatePolicies
The TemplatePolicies key determines the settings of the default security zone levels. These levels are Low, Medium Low, Medium, and High. You can change the security level settings from the default settings. However, you cannot add more security levels. The keys contain values that determine the setting for the security zone. Each key contains a Description string value and a Display Name string value that determine the text that appears on the Security tab for each security level.
ZoneMap
The ZoneMap key contains the following keys:
- Domains
- EscDomains
- ProtocolDefaults
- Ranges
The Domains key contains domains and protocols that have been added to change their behavior from the default behavior. When a domain is added, a key is added to the Domains key. Subdomains appear as keys under the domain where they belong. Each key that lists a domain contains a DWORD with a value name of the affected protocol. The value of the DWORD is the same as the numeric value of the security zone where the domain is added.
The EscDomains key resembles the Domains key except that the EscDomains key applies to those protocols that are affected by the Internet Explorer Enhanced Security Configuration (IE ESC). IE ESC is introduced in Microsoft Windows Server 2003 and applies to server operating systems only.
The ProtocolDefaults key specifies the default security zone that is used for a particular protocol (ftp, http, https). To change the default setting, you can either add a protocol to a security zone by selecting Add Sites on the Security tab, or you can add a DWORD value under the Domains key. The name of the DWORD value must match the protocol name, and it must not contain any colons (:) or slashes (/).
The ProtocolDefaults key also contains DWORD values that specify the default security zones where a protocol is used. You cannot use the controls on the Security tab to change these values. This setting is used when a particular Web site does not fall in a security zone.
The Ranges key contains ranges of TCP/IP addresses. Each TCP/IP range that you specify appears in an arbitrarily named key. This key contains a :Range string value that contains the specified TCP/IP range. For each protocol, a DWORD value is added that contains the numeric value of the security zone for the specified IP range.
When the Urlmon.dll file uses the MapUrlToZone public function to resolve a particular URL to a security zone, it uses one of the following methods:
- If the URL contains a fully qualified domain name (FQDN), the Domains key is processed. In this method, an exact site match overrides a random match.
- If the URL contains an IP address, the Ranges key is processed. The IP address of the URL is compared to the :Range value that is contained in the arbitrarily named keys under the Ranges key.
Note
Because arbitrarily named keys are processed in the order that they were added to the registry, this method may find a random match before it finds a match. If this method does find a random match first, the URL may be executed in a different security zone than the zone where it is typically assigned. This behavior is by design.
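The Domains layout and the Ranges ordering behavior described above can be checked offline against a registry export. The following is an added example, not part of the original article: it parses reg export text, lists each Domains site with its protocol and zone number, and flags Ranges keys whose address ranges overlap while assigning different zones. The sample data, the key names Range1 and Range2, and the accepted :Range spellings are assumptions.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample in `reg export` text form; the site and key names are made up.
P = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00",
    f"[{P}\\Domains\\example.com\\www]", '"https"=dword:00000002',
    f"[{P}\\Ranges\\Range1]", '":Range"="10.0.0.1-10.0.0.255"', '"http"=dword:00000001',
    f"[{P}\\Ranges\\Range2]", '":Range"="10.0.0.50"', '"http"=dword:00000004',
])
VALUE_RE = re.compile(r'"(.*)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Parse `reg export` text into {key_path: {value_name: int or str}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m[1]] = int(m[2], 16) if m[2] else m[3]
    return keys

def domain_mappings(keys):
    """Return (hive, site, protocol, zone) for each ZoneMap\\Domains value."""
    out = []
    for path, values in keys.items():
        m = re.search(r"\\ZoneMap\\Domains\\(.+)$", path, re.I)
        if m:
            # Subdomain keys sit under their domain: example.com\www -> www.example.com
            site = ".".join(reversed(m[1].split("\\")))
            out += [(path.split("\\", 1)[0], site, p, z)
                    for p, z in values.items() if isinstance(z, int)]
    return out

def parse_range(spec):
    """Assumed :Range forms: 'a.b.c.d', 'a.b.c.d-e.f.g.h', or '*' for a whole octet."""
    lo, _, hi = spec.partition("-")
    ends = lo.replace("*", "0"), (hi or lo).replace("*", "255")
    return tuple(int(ipaddress.IPv4Address(e)) for e in ends)

def range_conflicts(keys):
    """Pairs of Ranges keys that overlap but give a shared protocol different zones."""
    found = [(path, *parse_range(v[":Range"]), v) for path, v in keys.items()
             if re.search(r"\\ZoneMap\\Ranges\\[^\\]+$", path, re.I) and ":Range" in v]
    return [(a[0], b[0]) for a, b in combinations(found, 2)
            if a[1] <= b[2] and b[1] <= a[2]
            and any(isinstance(z, int) and b[3].get(p, z) != z for p, z in a[3].items())]
```

A real export file is UTF-16 text, so read it with encoding="utf-16" before passing its contents to parse_reg.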
Zones
The Zones key contains keys that represent each security zone that is defined for the computer. By default, the following five zones are defined (numbered zero through four):
Note
By default, My Computer does not appear in the Zone box on the Security tab as it is locked down to help improve security.
Each of these keys contains the following DWORD values that represent corresponding settings on the custom Security tab.
Note
Unless stated otherwise, each DWORD value is equal to zero, one, or three. Typically, a setting of zero sets a specific action as permitted, a setting of one causes a prompt to appear, and a setting of three prohibits the specific action.
Notes about 1200, 1A00, 1A10, 1E05, 1C00, and 2000
The following two registry entries affect whether you can run ActiveX controls in a particular zone:
- 1200 This registry entry affects whether you can run ActiveX controls or plug-ins.
- 2000 This registry entry controls binary behavior and script behavior for ActiveX controls or plug-ins.
Notes about 1A02, 1A03, 1A05, and 1A06
The following four registry entries take effect only if the following keys are present:
- {AEBA21FA-782A-4A90-978D-B72164C80120} First Party Cookie *
- {A8A88C49-5EB2-4990-A1A2-0876022C854F} Third-Party Cookie *
Registry entries
- 1A02 Allow persistent cookies that are stored on your computer #
- 1A03 Allow per-session cookies (not stored) #
- 1A05 Allow third party persistent cookies *
- 1A06 Allow third party session cookies *
These registry entries are located in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<ZoneNumber>
In this registry subkey, <ZoneNumber> is a zone such as 0 (zero). The 1200 registry entry and the 2000 registry entry each contain a setting that is named Administrator approved. When this setting is enabled, the value for the particular registry entry is set to 00010000. When the Administrator approved setting is enabled, Windows examines the following registry subkey to locate a list of approved controls:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls
Logon setting (1A00) may have any one of the following values (hexadecimal):
Privacy Settings (1A10) is used by the Privacy tab slider. The DWORD values are as follows:
Block All Cookies: 00000003
High: 00000001
Medium High: 00000001
Medium: 00000001
Low: 00000001
Accept all Cookies: 00000000
Based on the settings in the slider, it will also modify the values in {A8A88C49-5EB2-4990-A1A2-0876022C854F}, {AEBA21Fa-782A-4A90-978D-B72164C80120}, or both.
The Java Permissions setting (1C00) has the following five possible values (binary):
If Custom is selected, it uses {7839DA25-F5FE-11D0-883B-0080C726DCBB} (that is located in the same registry location) to store the custom information in a binary.
Each security zone contains the Description string value and the Display Name string value. The text of these values appears on the Security tab when you select a zone in the Zone box. There is also an Icon string value that sets the icon that appears for each zone. Except for the My Computer zone, each zone contains a CurrentLevel, MinLevel, and RecommendedLevel DWORD value. The MinLevel value sets the lowest setting that can be used before you receive a warning message, CurrentLevel is the current setting for the zone, and RecommendedLevel is the recommended level for the zone.
The values for MinLevel, RecommendedLevel, and CurrentLevel mean the following:
The Flags DWORD value determines the ability of the user to modify the security zone's properties. To determine the Flags value, add the numbers of the appropriate settings together. The following Flags values are available (decimal):
If you add settings to both the HKEY_LOCAL_MACHINE and the HKEY_CURRENT_USER subtrees, the settings are additive. If you add Web sites to both subtrees, only those Web sites in the HKEY_CURRENT_USER subtree are visible. The Web sites in the HKEY_LOCAL_MACHINE subtree are still enforced according to their settings. However, they are not available, and you cannot modify them. This situation can be confusing because a Web site may be listed in only one security zone for each protocol.