About URL Security Zones
URL security zones group URL namespaces according to their respective levels of trust. A URL policy setting for each URL action enforces these levels of trust. Administrators can customize the default URL security zones by changing the URL policy setting for each URL action, using the default URL security zone manager and URL security zone templates. Additionally, a supplied API provides developers with the tools to either interact with the default URL security zone manager or to create a custom URL security zone manager.
This topic contains the following sections.
- Security Zone Manager Extensibility
- Default URL Security Zones
- URL Actions and Policies
- Registry Keys
- Related topics
Here are terms used in the discussion of URL security zones.
- URL action. A browser action that can pose a security risk to the local computer.
- URL policy. A policy that determines which permission or trust level is set for a particular URL action.
- URL security zone. A group of URL namespaces that are assigned an equal level of permissions (or trust). Each URL action for the zone has an appropriate URL policy assigned to it that reflects the level of trust given to the URL namespaces in that zone.
- URL security zone template. A tool that allows users to specify levels of restriction using easy-to-understand terms: High, Medium-High, Medium, Medium-Low, and Low.
Applications can interact with either the default URL security zone manager or with a developer-supplied custom manager. See Implementing a Custom Security Manager. Functionality is exported by the URL monikers dynamic-link library (Urlmon.dll). For information about the other APIs exported by Urlmon.dll, see Asynchronous Pluggable Protocols and URL Monikers.
The following sections describe the default URL security zones.
Use the Local Intranet zone for content located on an organization's intranet. Because the servers and information are within an organization's firewall, it is reasonable to assign a higher trust level to content on the intranet.
Note As of Windows Internet Explorer 7, the availability of the Local Intranet zone depends on the network configuration of the computer viewing the Web page. For more information, see Internet Explorer Blog: Dude, Where's My Local Intranet Zone?.
Use the Trusted Sites zone for content located on Web sites that are considered more reputable or trustworthy than other sites on the Internet. Assigning a higher trust level to these sites minimizes the number of authentication requests. The user adds the URLs of these trusted Web sites to this zone.
By default, the Trusted Sites zone uses the Low Template.
Use the Internet zone for Web sites on the Internet that do not belong to another zone. This default setting causes Windows Internet Explorer to prompt the user whenever potentially unsafe content is about to download. Note: Web sites that are not mapped into other zones automatically fall into this zone.
By default, the Internet zone uses the Medium Template.
Use the Restricted Sites zone for Web sites that contain content that can cause (or have previously caused) problems when downloaded. Use this zone to cause Internet Explorer to alert that potentially-unsafe content is about to download, or to prevent that content from downloading. The user adds the URLs of these untrusted Web sites to this zone.
By default, the Restricted Sites zone uses the High Template.
The Local Machine zone is an implicit zone for content that exists on the local computer. The content found on the user's computer (except for content that Internet Explorer caches on the local system) is treated with a high level of trust.
Content that Internet Explorer caches is accessed through the URL of origin and is assigned to the appropriate zone for that URL.
The following table contains the default settings for the Local Machine zone.
Asynchronous pluggable protocols can specify how their URLs are assigned to a security zone. The IInternetProtocolInfo::ParseUrl method (using the PARSE_SECURITY_URL value) should return a URL that the security manager can use to make decisions.
Each URL security zone has a set of URL actions, with a URL policy assigned to each action. The URL actions cover all operations that have security implications. The URL policy assigned to each URL action determines how that URL action is handled. For example, URLACTION_JAVA_PERMISSIONS is checked for operations related to Java applets. To force all Java applets to run out of a sandbox (that is, prevent them from doing anything that would be a security risk to the local computer), the URL policy would be set to URLPOLICY_JAVA_HIGH.
Some URL actions are an aggregate of two or more URL actions. The user interface for the default URL security zone manager allows the user to set the aggregate value only (such as URLACTION_HTML_SUBMIT_FORMS). The browser calls the specific value (such as URLACTION_HTML_SUBMIT_FORMS_FROM) because it reacts to that particular action. If the browser's aggregate URL value has a URL policy set, then it uses that policy for the aggregate URL action and the specific URL actions it combines. You must design all security zone managers so that they can handle calls to the specific URL actions and know where to find the appropriate URL policy.
The following table contains the aggregate URL actions and their aggregates.
|URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY||URLACTION_ACTIVEX_CONFIRM_NOOBJECTSAFETY, URLACTION_ACTIVEX_OVERRIDE_DATA_SAFETY, URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY, and URLACTION_SCRIPT_OVERRIDE_SAFETY|
|URLACTION_HTML_SUBMIT_FORMS||URLACTION_HTML_SUBMIT_FORMS_FROM and URLACTION_HTML_SUBMIT_FORMS_TO|
The following table contains the URL actions that the default URL security zone manager uses and the URL policies that you can assign to them. (URL actions that are new for Internet Explorer 7 appear at the bottom.)
Note This information is for reference only. You should not directly manipulate the registry because information stored in the registry might not always be stored in the same location.
The registry stores the URL security zone settings in the following key.
HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Internet Settings Zones
For Windows XP Service Pack 2 (SP2) and later, you can find the URL security lockdown zone settings in the registry in the following key.
HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Internet Settings Lockdown_Zones
You can determine the zones under which the Shell can open files (URLACTION_SHELL_EXECUTE_HIGHRISK) by checking the following registry values. These values correspond to the following zones, respectively: Local Machine zone, Local intranet, Trusted sites, Internet, Restricted sites.
HKEY_LOCAL_MACHINE Software Microsoft Windows CurrentVersion Internet Settings Zones 0 1806 1 1806 2 1806 3 1806 4 1806
If a URL policy value is
0x00, the action is allowed; if a value is
0x01, the user is prompted; and if a value is
0x03, the action is not allowed. For a list of possible URL policy values, see URL Policy Flags.
Security Warning: Setting these registry keys incorrectly can compromise the security of your application. The values for these registry keys are safe by default. By adjusting these values, you might put users at risk for an elevation of privilege attack. You should review Security Considerations: URL Security Zones API before continuing.