Event 1030 - Local Machine Zone Lockdown (LMZL)
Local Machine Zone Lockdown (LMZL) secures the Local Machine zone by tightening restrictions on several URL actions. Any time a restricted URL action is attempted, the Information Bar appears. Clicking the Information Bar removes the lock on the restricted content.
The Local Machine zone is an implicit zone for content that exists on the local computer. The content found on the user's computer (except for content that Windows Internet Explorer caches on the local system) is treated with a high level of trust.
Content that Internet Explorer caches is accessed through the URL of origin and is assigned to the appropriate zone for that URL.
The following table shows the seven URL actions that are more restrictive in the Lockdown zone than in the Local Machine zone.
|URL Action||URL Policy|
Note: For more information on URL actions and pointers to what they mean, see the About URL Security Zones topic on MSDN.
This event is logged any time a restricted URL action is attempted.
Perform the following steps to see this event logged in the compatibility tool:
- Create a webpage with the following content. For this example call it 1030.html. The file can be placed anywhere. For this example, the file is located on the desktop.
- Open a browser and navigate to the webpage. For example: C:\Users\Contoso\Desktop\1030.html
This opens the page in the Local Machine zone. Because the page includes script, the Local Machine Zone Lockdown event is logged to the compatibility tool. The user is also prompted with the following message:
To help protect your security, Internet Explorer has restricted this webpage from running scripts or ActiveX controls that could access your computer. Click here for options...
The prompt in the information bar is generated because Windows Internet Explorer is restricting the URLACTION_SCRIPT_RUN URL action.
If your webpage runs a Microsoft ActiveX control or script, you can add a Mark of the Web comment to the HTML of the page. Mark of the Web is an Internet Explorer feature that forces the HTML file into the security zone of the specified URL. This enables the webpage to run the script or ActiveX control in a less restrictive zone. This only works for Microsoft Internet Explorer 4.0 and later.
Use the following comment to insert a Mark of the Web comment into a page with an identified domain, replacing http://www.fabrikam.com with the URL of the Internet or intranet domain where the page is hosted.
<!-- saved from url=(0023)http://www.fabrikam.com -->
Use the following comment when you need to insert a generic Mark of the Web.
<!-- saved from url=(0014)about:internet -->
With Microsoft Internet Explorer 6 and later, you can use the Mark of the Web comment with multipart HTML (.mht) files.
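The following PowerShell sketch is an added example, not part of the original page. It builds a Mark of the Web comment for a URL and checks an HTML file for one. The four-digit number in parentheses is the character count of the URL that follows it. The function names and the sample file are hypothetical, and the 20-line read limit is a choice made for this example.

```powershell
# Added example (not from the original page). Function names are hypothetical.

function New-MotwComment {
    # Build the comment with a zero-padded, four-digit URL length.
    param([Parameter(Mandatory)][string]$Url)
    '<!-- saved from url=({0:D4}){1} -->' -f $Url.Length, $Url
}

function Get-MotwComment {
    # Look for a Mark of the Web comment in the first lines of a file and
    # report whether the declared length matches the URL that follows it.
    param([Parameter(Mandatory)][string]$Path)
    $head = (Get-Content -LiteralPath $Path -TotalCount 20) -join "`n"
    $m = [regex]::Match($head, '<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->')
    if (-not $m.Success) { return $null }   # no mark found
    $url = $m.Groups[2].Value
    $declared = [int]$m.Groups[1].Value
    [pscustomobject]@{
        Url            = $url
        DeclaredLength = $declared
        ActualLength   = $url.Length
        LengthMatches  = ($declared -eq $url.Length)
    }
}

# Constructed sample page, written to the temp directory and removed afterwards.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'motw-sample.html'
@(
    '<!DOCTYPE html>'
    (New-MotwComment 'about:internet')
    '<html><body><p>constructed sample page</p></body></html>'
) | Set-Content -LiteralPath $sample -Encoding ASCII

Get-MotwComment -Path $sample      # Url = about:internet, LengthMatches = True
New-MotwComment 'http://www.fabrikam.com'
Remove-Item -LiteralPath $sample
```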
Note: You host HTML application (.hta) files in a different process; therefore, they are not impacted by the Local Machine zone lockdown.
The user can also configure the restrictions associated with the zones, through Internet Options on the Tools menu.
This setting prevents content on a user's computer from elevating privilege. Code with elevated privilege can then run any code through an ActiveX control or read information with a script. Using this option is not recommended; if it is necessary, use it only as a last resort.
Disabling the feature should only be used as a temporary measure during troubleshooting, to compare the behavior of the application with the feature enabled and disabled. It is not recommended that the feature be left disabled on an ongoing basis.
You may also control this feature through feature control keys.
You manage the Local Machine zone lockdown restrictions through a security feature control registry key (FEATURE_LOCALMACHINE_LOCKDOWN). Internet Explorer (Iexplore.exe) needs to run under this feature control; to disable the feature, set the following registry value:
HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
iexplore.exe = 0x0000000
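Because a value of 0 under this key turns the lockdown off for the named process, it is worth checking which processes have an entry. The following read-only PowerShell report is an added example, not part of the original page; the function name is hypothetical, and it reads only the two hives named above.

```powershell
# Added example (not from the original page). Read-only: nothing is modified.
$subKey = 'SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'

function Get-LmzlFeatureControl {
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$subKey"
        if (-not (Test-Path -LiteralPath $path)) {
            # No key in this hive: no per-process entry is defined here.
            [pscustomobject]@{ Hive = $hive; Process = '(key absent)'; Value = $null; Lockdown = 'not set' }
            continue
        }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq '') { continue }      # skip the unnamed default value
            $raw = $key.GetValue($name)
            $num = $raw -as [int]               # $null if the data is not numeric
            $state = if ($null -eq $num) { 'unreadable' } elseif ($num -eq 0) { 'DISABLED' } else { 'enabled' }
            [pscustomobject]@{ Hive = $hive; Process = $name; Value = $raw; Lockdown = $state }
        }
    }
}

$report = Get-LmzlFeatureControl
$report | Format-Table -AutoSize

# Call out every process for which the lockdown has been switched off.
$report | Where-Object { $_.Lockdown -eq 'DISABLED' } | ForEach-Object {
    Write-Warning ("Local Machine Zone Lockdown is disabled for {0} in {1}" -f $_.Process, $_.Hive)
}
```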
This feature can also be controlled by the following Group Policy settings:
|GPO Policy Path||GPO Policy Setting Name||GPO Settings|
|Administrative Templates\Windows Components\Internet Explorer\Security Features\Local Machine Zone Lockdown Security||Internet Explorer Processes||If you enable this policy setting, the Local Machine zone security applies to all local files and content processed by Internet Explorer. If you disable this policy setting, Local Machine zone security is not applied to local files or content processed by Internet Explorer. If you do not configure this policy setting, the Local Machine zone security applies to all local files and content processed by Internet Explorer.|
Applications that host the WebBrowser control can also take advantage of the security feature control by adding their process to the same registry locations. You can do this programmatically by using the CoInternetSetFeatureEnabled function.
Note: If an application does not run under this security feature control, the WebBrowser control behaves the same as previous versions of Internet Explorer.