About URL Security Zones

URL security zones group URL namespaces according to their respective levels of trust. A URL policy setting for each URL action enforces these levels of trust. Administrators can customize the default URL security zones by changing the URL policy setting for each URL action, using the default URL security zone manager and URL security zone templates. Additionally, a supplied API provides developers with the tools to either interact with the default URL security zone manager or to create a custom URL security zone manager.

Terms

Here are terms used in the discussion of URL security zones.

  • URL action. A browser action that can pose a security risk to the local computer.
  • URL policy. A policy that determines which permission or trust level is set for a particular URL action.
  • URL security zone. A group of URL namespaces that are assigned an equal level of permissions (or trust). Each URL action for the zone has an appropriate URL policy assigned to it that reflects the level of trust given to the URL namespaces in that zone.
  • URL security zone template. A tool that allows users to specify levels of restriction using easy-to-understand terms: High, Medium-High, Medium, Medium-Low, and Low.

Security Zone Manager Extensibility

Applications can interact with either the default URL security zone manager or with a developer-supplied custom manager. See Implementing a Custom Security Manager. Functionality is exported by the URL monikers dynamic-link library (Urlmon.dll). For information about the other APIs exported by Urlmon.dll, see Asynchronous Pluggable Protocols and URL Monikers.

Default URL Security Zones

The following sections describe the default URL security zones.

Local Intranet Zone

Use the Local Intranet zone for content located on an organization's intranet. Because the servers and information are within an organization's firewall, it is reasonable to assign a higher trust level to content on the intranet.

Note  As of Windows Internet Explorer 7, the availability of the Local Intranet zone depends on the network configuration of the computer viewing the Web page. For more information, see Internet Explorer Blog: Dude, Where's My Local Intranet Zone?.

By default, the Local Intranet zone uses the Medium-Low Template. Note: In Microsoft Internet Explorer 4.0, the Local Intranet zone uses the Medium Template.

In addition to the settings that the default template defines, there is a hidden setting, URLACTION_SHELL_WEBVIEW_VERB, which is set to URLPOLICY_ALLOW.

Trusted Sites Zone

Use the Trusted Sites zone for content located on Web sites that are considered more reputable or trustworthy than other sites on the Internet. Assigning a higher trust level to these sites minimizes the number of authentication requests. The user adds the URLs of these trusted Web sites to this zone.

By default, the Trusted Sites zone uses the Low Template.

Besides the settings that the default template defines, there is a hidden setting, URLACTION_SHELL_WEBVIEW_VERB, which is set to URLPOLICY_ALLOW.

Internet Zone

Use the Internet zone for Web sites on the Internet that do not belong to another zone. This default setting causes Windows Internet Explorer to prompt the user whenever potentially unsafe content is about to download. Note: Web sites that are not mapped into other zones automatically fall into this zone.

By default, the Internet zone uses the Medium Template.

In addition to the settings that the default template defines, there is a hidden setting, URLACTION_SHELL_WEBVIEW_VERB, which is set to URLPOLICY_ALLOW.

Restricted Sites Zone

Use the Restricted Sites zone for Web sites that contain content that can cause (or has previously caused) problems when downloaded. Use this zone to cause Internet Explorer to alert the user that potentially unsafe content is about to download, or to prevent that content from downloading. The user adds the URLs of these untrusted Web sites to this zone.

By default, the Restricted Sites zone uses the High Template.

In addition to the settings that the default template defines, there is a hidden setting, URLACTION_SHELL_WEBVIEW_VERB, which is set to URLPOLICY_ALLOW.

Local Machine Zone

The Local Machine zone is an implicit zone for content that exists on the local computer. The content found on the user's computer (except for content that Internet Explorer caches on the local system) is treated with a high level of trust.

Content that Internet Explorer caches is accessed through the URL of origin and is assigned to the appropriate zone for that URL.

The following table contains the default settings for the Local Machine zone.

URL action    URL policy
URLACTION_ACTIVEX_DYNSRC_VIDEO_AND_ANIMATION URLPOLICY_ALLOW
URLACTION_ACTIVEX_NO_WEBOC_SCRIPT URLPOLICY_ALLOW
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY URLPOLICY_QUERY
URLACTION_ACTIVEX_OVERRIDE_OPTIN URLPOLICY_ALLOW
URLACTION_ACTIVEX_OVERRIDE_REPURPOSEDETECTION URLPOLICY_ALLOW
URLACTION_ACTIVEX_RUN URLPOLICY_ALLOW
URLACTION_ACTIVEX_SCRIPTLET_RUN URLPOLICY_ALLOW
URLACTION_ALLOW_APEVALUATION URLPOLICY_DISALLOW
URLACTION_ALLOW_RESTRICTEDPROTOCOLS URLPOLICY_QUERY
URLACTION_AUTOMATIC_ACTIVEX_UI URLPOLICY_ALLOW
URLACTION_AUTOMATIC_DOWNLOAD_UI URLPOLICY_ALLOW
URLACTION_BEHAVIOR_RUN URLPOLICY_ALLOW
URLACTION_CHANNEL_SOFTDIST_PERMISSIONS URLPOLICY_CHANNEL_SOFTDIST_AUTOINSTALL
URLACTION_CLIENT_CERT_PROMPT URLPOLICY_ALLOW
URLACTION_COOKIES URLPOLICY_ALLOW
URLACTION_COOKIES_ENABLED URLPOLICY_ALLOW
URLACTION_COOKIES_SESSION URLPOLICY_ALLOW
URLACTION_COOKIES_SESSION_THIRD_PARTY URLPOLICY_ALLOW
URLACTION_COOKIES_THIRD_PARTY URLPOLICY_ALLOW
URLACTION_CREDENTIALS_USE URLPOLICY_CREDENTIALS_SILENT_LOGON_OK
URLACTION_CROSS_DOMAIN_DATA URLPOLICY_ALLOW
URLACTION_DOTNET_USERCONTROLS URLPOLICY_ALLOW
URLACTION_DOWNLOAD_SIGNED_ACTIVEX URLPOLICY_ALLOW
URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX URLPOLICY_ALLOW
URLACTION_FEATURE_FORCE_ADDR_AND_STATUS URLPOLICY_ALLOW
URLACTION_FEATURE_DATA_BINDING URLPOLICY_DISALLOW
URLACTION_FEATURE_MIME_SNIFFING URLPOLICY_ALLOW
URLACTION_FEATURE_SCRIPT_STATUS_BAR URLPOLICY_ALLOW
URLACTION_FEATURE_WINDOW_RESTRICTIONS URLPOLICY_ALLOW
URLACTION_FEATURE_ZONE_ELEVATION URLPOLICY_DISALLOW
URLACTION_HTML_FONT_DOWNLOAD URLPOLICY_ALLOW
URLACTION_HTML_INCLUDE_FILE_PATH URLPOLICY_DISALLOW
URLACTION_HTML_JAVA_RUN URLPOLICY_ALLOW
URLACTION_HTML_META_REFRESH URLPOLICY_ALLOW
URLACTION_HTML_MIXED_CONTENT URLPOLICY_QUERY
URLACTION_HTML_SUBFRAME_NAVIGATE URLPOLICY_ALLOW
URLACTION_HTML_SUBMIT_FORMS URLPOLICY_ALLOW
URLACTION_HTML_USERDATA_SAVE URLPOLICY_ALLOW
URLACTION_JAVA_PERMISSIONS URLPOLICY_JAVA_MEDIUM
URLACTION_LOOSE_XAML URLPOLICY_ALLOW
URLACTION_SCRIPT_JAVA_USE URLPOLICY_ALLOW
URLACTION_SCRIPT_PASTE URLPOLICY_ALLOW
URLACTION_SCRIPT_RUN URLPOLICY_ALLOW
URLACTION_SCRIPT_SAFE_ACTIVEX URLPOLICY_ALLOW
URLACTION_SHELL_EXECUTE_HIGHRISK URLPOLICY_ALLOW
URLACTION_SHELL_EXECUTE_LOWRISK URLPOLICY_ALLOW
URLACTION_SHELL_EXECUTE_MODRISK URLPOLICY_ALLOW
URLACTION_SHELL_FILE_DOWNLOAD URLPOLICY_ALLOW
URLACTION_SHELL_INSTALL_DTITEMS URLPOLICY_ALLOW
URLACTION_SHELL_MOVE_OR_COPY URLPOLICY_ALLOW
URLACTION_SHELL_POPUPMGR URLPOLICY_DISALLOW
URLACTION_SHELL_RTF_OBJECTS_LOAD URLPOLICY_ALLOW
URLACTION_SHELL_SHELLEXECUTE URLPOLICY_ALLOW
URLACTION_SHELL_VERB URLPOLICY_ALLOW
URLACTION_SHELL_WEBVIEW_VERB URLPOLICY_ALLOW
URLACTION_WINDOWS_BROWSER_APPLICATIONS URLPOLICY_ALLOW
URLACTION_WINFX_SETUP URLPOLICY_ALLOW
URLACTION_XPS_DOCUMENTS URLPOLICY_ALLOW

Asynchronous pluggable protocols can specify how their URLs are assigned to a security zone. The IInternetProtocolInfo::ParseUrl method (using the PARSE_SECURITY_URL value) should return a URL that the security manager can use to make decisions.

URL Actions and Policies

Each URL security zone has a set of URL actions, with a URL policy assigned to each action. The URL actions cover all operations that have security implications. The URL policy assigned to each URL action determines how that URL action is handled. For example, URLACTION_JAVA_PERMISSIONS is checked for operations related to Java applets. To force all Java applets to run out of a sandbox (that is, prevent them from doing anything that would be a security risk to the local computer), the URL policy would be set to URLPOLICY_JAVA_HIGH.

Some URL actions are an aggregate of two or more URL actions. The user interface for the default URL security zone manager allows the user to set the aggregate value only (such as URLACTION_HTML_SUBMIT_FORMS). The browser calls the specific value (such as URLACTION_HTML_SUBMIT_FORMS_FROM) because it reacts to that particular action. If the aggregate URL action has a URL policy set, the browser uses that policy for the aggregate URL action and for the specific URL actions it combines. You must design all security zone managers so that they can handle calls to the specific URL actions and know where to find the appropriate URL policy.

Aggregate URL Actions

The following table contains the aggregate URL actions and their aggregates.

URL action    Aggregates
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY URLACTION_ACTIVEX_CONFIRM_NOOBJECTSAFETY, URLACTION_ACTIVEX_OVERRIDE_DATA_SAFETY, URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY, and URLACTION_SCRIPT_OVERRIDE_SAFETY
URLACTION_HTML_SUBMIT_FORMS URLACTION_HTML_SUBMIT_FORMS_FROM and URLACTION_HTML_SUBMIT_FORMS_TO
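
The lookup order described above, as an added example that is not Microsoft's code or the Urlmon API. It models a zone's settings as a plain dictionary (an assumption of this sketch) and shows how a manager that looks up only the exact action misses policies that the user interface stored on the aggregate.

```python
# Aggregate URL actions and the specific actions they combine (from the table above).
AGGREGATES = {
    "URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY": (
        "URLACTION_ACTIVEX_CONFIRM_NOOBJECTSAFETY",
        "URLACTION_ACTIVEX_OVERRIDE_DATA_SAFETY",
        "URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY",
        "URLACTION_SCRIPT_OVERRIDE_SAFETY",
    ),
    "URLACTION_HTML_SUBMIT_FORMS": (
        "URLACTION_HTML_SUBMIT_FORMS_FROM",
        "URLACTION_HTML_SUBMIT_FORMS_TO",
    ),
}
# Reverse index: specific action -> the aggregate that covers it.
PARENT = {s: agg for agg, parts in AGGREGATES.items() for s in parts}

# Constructed zone settings: only the aggregate values were stored.
ZONE_POLICIES = {
    "URLACTION_HTML_SUBMIT_FORMS": "URLPOLICY_QUERY",
    "URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY": "URLPOLICY_DISALLOW",
}

def naive_lookup(policies, action):
    """Exact-match lookup only; returns None for specifics covered by an aggregate."""
    return policies.get(action)

def aggregate_aware_lookup(policies, action):
    """Use the aggregate's policy when it is set, otherwise the action's own entry."""
    parent = PARENT.get(action)
    if parent in policies:
        return policies[parent]
    return policies.get(action)

def unresolved_specifics(lookup, policies):
    """Specific actions whose lookup result differs from their aggregate's set policy."""
    return sorted(s for s, agg in PARENT.items()
                  if agg in policies and lookup(policies, s) != policies[agg])

if __name__ == "__main__":
    print("naive manager misses:", unresolved_specifics(naive_lookup, ZONE_POLICIES))
    print("aggregate-aware misses:", unresolved_specifics(aggregate_aware_lookup, ZONE_POLICIES))
```

A custom manager can run a check like `unresolved_specifics` over its own lookup routine to confirm that every specific action resolves to the policy set on its aggregate.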


URL Actions and Valid Policies

The following table contains the URL actions that the default URL security zone manager uses and the URL policies that you can assign to them. (URL actions that are new for Internet Explorer 7 appear at the bottom.)

URL action    Valid URL policies for the URL action
URLACTION_ACTIVEX_NO_WEBOC_SCRIPT URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_ACTIVEX_OVERRIDE_REPURPOSEDETECTION URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_ACTIVEX_RUN URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW, URLPOLICY_ACTIVEX_CHECK_LIST
URLACTION_ACTIVEX_TREATASUNTRUSTED URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_ALLOW_RESTRICTEDPROTOCOLS URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_AUTOMATIC_ACTIVEX_UI URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_AUTOMATIC_DOWNLOAD_UI URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_BEHAVIOR_RUN URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW, URLPOLICY_BEHAVIOR_CHECK_LIST
URLACTION_CHANNEL_SOFTDIST_PERMISSIONS URLPOLICY_CHANNEL_SOFTDIST_PROHIBIT, URLPOLICY_CHANNEL_SOFTDIST_PRECACHE, URLPOLICY_CHANNEL_SOFTDIST_AUTOINSTALL
URLACTION_CLIENT_CERT_PROMPT URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_COOKIES URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_COOKIES_ENABLED URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_COOKIES_SESSION URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_COOKIES_SESSION_THIRD_PARTY URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_COOKIES_THIRD_PARTY URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_CREDENTIALS_USE URLPOLICY_CREDENTIALS_SILENT_LOGON_OK, URLPOLICY_CREDENTIALS_MUST_PROMPT_USER, URLPOLICY_CREDENTIALS_CONDITIONAL_PROMPT, URLPOLICY_CREDENTIALS_ANONYMOUS_ONLY
URLACTION_CROSS_DOMAIN_DATA URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_DOWNLOAD_SIGNED_ACTIVEX URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_FEATURE_MIME_SNIFFING URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_FEATURE_WINDOW_RESTRICTIONS URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_FEATURE_ZONE_ELEVATION URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_HTML_FONT_DOWNLOAD URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_HTML_INCLUDE_FILE_PATH URLPOLICY_ALLOW, URLPOLICY_DISALLOW
URLACTION_HTML_JAVA_RUN URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_HTML_META_REFRESH URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_HTML_MIXED_CONTENT URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_HTML_SUBFRAME_NAVIGATE URLPOLICY_ALLOW, URLPOLICY_DISALLOW
URLACTION_HTML_SUBMIT_FORMS URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_HTML_USERDATA_SAVE URLPOLICY_ALLOW, URLPOLICY_DISALLOW
URLACTION_JAVA_PERMISSIONS URLPOLICY_JAVA_PROHIBIT, URLPOLICY_JAVA_HIGH, URLPOLICY_JAVA_MEDIUM, URLPOLICY_JAVA_LOW, URLPOLICY_JAVA_CUSTOM
URLACTION_SCRIPT_JAVA_USE URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SCRIPT_PASTE URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SCRIPT_RUN URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SCRIPT_SAFE_ACTIVEX URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SHELL_ENHANCED_DRAGDROP_SECURITY URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SHELL_EXECUTE_HIGHRISK URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SHELL_EXECUTE_LOWRISK URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SHELL_EXECUTE_MODRISK URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SHELL_FILE_DOWNLOAD URLPOLICY_ALLOW, URLPOLICY_DISALLOW
URLACTION_SHELL_INSTALL_DTITEMS URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SHELL_MOVE_OR_COPY URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SHELL_POPUPMGR URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SHELL_RTF_OBJECTS_LOAD URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SHELL_SHELLEXECUTE URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SHELL_VERB URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SHELL_WEBVIEW_VERB URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
New for Internet Explorer 7
URLACTION_ACTIVEX_DYNSRC_VIDEO_AND_ANIMATION URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_ACTIVEX_OVERRIDE_OPTIN URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_ACTIVEX_SCRIPTLET_RUN URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_ALLOW_APEVALUATION URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_FEATURE_FORCE_ADDR_AND_STATUS URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_FEATURE_SCRIPT_STATUS_BAR URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_LOOSE_XAML URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_LOWRIGHTS URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_SHELL_EXTENSIONSECURITY URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_WINDOWS_BROWSER_APPLICATIONS URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_WINFX_SETUP URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_XPS_DOCUMENTS URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
New for Windows Internet Explorer 8
URLACTION_DOTNET_USERCONTROLS URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW
URLACTION_FEATURE_DATA_BINDING URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW

Registry Keys

Note  This information is for reference only. You should not directly manipulate the registry because information stored in the registry might not always be stored in the same location.

The registry stores the URL security zone settings in the following key.

HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
   Software
      Microsoft
         Windows
            CurrentVersion
               Internet Settings
                  Zones

For Windows XP Service Pack 2 (SP2) and later, you can find the URL security lockdown zone settings in the registry in the following key.

HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
   Software
      Microsoft
         Windows
            CurrentVersion
               Internet Settings
                  Lockdown_Zones

You can determine the zones under which the Shell can open files (URLACTION_SHELL_EXECUTE_HIGHRISK) by checking the following registry values. These values correspond to the following zones, respectively: Local Machine zone, Local intranet, Trusted sites, Internet, Restricted sites.

HKEY_LOCAL_MACHINE
   Software
      Microsoft
         Windows
            CurrentVersion
               Internet Settings
                  Zones
                     0
                        1806
                     1
                        1806
                     2
                        1806
                     3
                        1806
                     4
                        1806

If a URL policy value is 0x00, the action is allowed; if a value is 0x01, the user is prompted; and if a value is 0x03, the action is not allowed. For a list of possible URL policy values, see URL Policy Flags.

Security Warning:  Setting these registry keys incorrectly can compromise the security of your application. The values for these registry keys are safe by default. By adjusting these values, you might put users at risk for an elevation of privilege attack. You should review Security Considerations: URL Security Zones API before continuing.
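
A read-only audit of the 1806 values described above, as an added example that is not part of the original documentation. It parses text in .reg export syntax and decodes the policy for each zone. The sample export is constructed, and the rule of flagging the Internet and Restricted sites zones when the policy is "allow" is this example's assumption, not a default stated on this page.

```python
import re

# Zone numbers and policy values as listed on this page.
ZONES = {0: "Local Machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
POLICIES = {0x00: "allow", 0x01: "prompt", 0x03: "disallow"}
KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed sample in .reg export syntax; not taken from a real machine.
SAMPLE_EXPORT = "\n".join([
    f"[{KEY}\\Zones\\0]", '"1806"=dword:00000000',
    f"[{KEY}\\Zones\\1]", '"1806"=dword:00000000',
    f"[{KEY}\\Zones\\2]", '"1806"=dword:00000001',
    f"[{KEY}\\Zones\\3]", '"1806"=dword:00000000',
    f"[{KEY}\\Zones\\4]", '"1A00"=dword:00010000',   # zone 4 has no 1806 value here
    f"[{KEY}\\Lockdown_Zones\\3]", '"1806"=dword:00000003',
])

# Match only ...\Internet Settings\Zones\<n>, never Lockdown_Zones.
KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"1806"=dword:([0-9a-f]{8})$', re.I)

def read_1806(export_text):
    """Return {zone number: raw DWORD} for value 1806 under each Zones subkey."""
    found, zone = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            zone = int(m.group(1)) if m else None   # any other key resets the context
        elif zone is not None:
            m = VAL_RE.match(line)
            if m:
                found[zone] = int(m.group(1), 16)
    return found

def audit(export_text, review_zones=(3, 4)):
    """Decode each zone's policy; flag review_zones whose policy is 'allow'."""
    raw = read_1806(export_text)
    report = []
    for zone, name in ZONES.items():
        value = raw.get(zone)
        policy = "not set" if value is None else POLICIES.get(value, f"unknown 0x{value:02x}")
        report.append((name, policy, zone in review_zones and policy == "allow"))
    return report

if __name__ == "__main__":
    for name, policy, flagged in audit(SAMPLE_EXPORT):
        print(f"{name:16} {policy:12} {'REVIEW' if flagged else ''}")
```

Values other than 0x00, 0x01 and 0x03 are reported as unknown rather than guessed; see URL Policy Flags for the full list.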

Related topics

Conceptual
About URL Security Zones Templates
Implementing a Custom Security Manager

© 2014 Microsoft. All rights reserved.