Event 1030 - Local Machine Zone Lockdown (LMZL)

  • Logged Message
  • What Is It?
  • When Is This Event Logged?
  • Example
  • Remediation
  • Related topics

Logged Message

Local Machine Zone Lockdown (LMZL) secures the Local Machine zone by tightening restrictions on several URL actions. Any time a restricted URL action is attempted the Information Bar appears. Clicking the Information Bar removes the lock on the restricted content.

What Is It?

The Local Machine zone is an implicit zone for content that exists on the local computer. The content found on the user's computer (except for content that Windows Internet Explorer caches on the local system) is treated with a high level of trust.

Content that Internet Explorer caches is accessed through the URL of origin and is assigned to the appropriate zone for that URL.

The following table shows the seven URL actions that are more restrictive in the Lockdown zone than in the Local Machine zone.

URL Action                                  URL Policy
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY    URLPOLICY_DISALLOW
URLACTION_ACTIVEX_RUN                       URLPOLICY_DISALLOW
URLACTION_BEHAVIOR_RUN                      URLPOLICY_DISALLOW
URLACTION_CLIENT_CERT_PROMPT                URLPOLICY_DISALLOW
URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX         URLPOLICY_DISALLOW
URLACTION_JAVA_PERMISSIONS                  URLPOLICY_JAVA_PROHIBIT
URLACTION_SCRIPT_RUN                        URLPOLICY_DISALLOW

Note  For more information on URL actions and pointers to what they mean, see the About URL Security Zones topic on MSDN.

 

When Is This Event Logged?

This event is logged any time a restricted URL action is attempted.

Example

Perform the following steps to see this event logged in the compatibility tool:

  1. Create a webpage with the following content. For this example call it 1030.html. The file can be placed anywhere. For this example, the file is located on the desktop.

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">
    <html>
    <head>
        <meta http-equiv="X-UA-Compatible" content="IE=8" >
        <title>AJAX MAP</title>
    </head>
    <script type="text/javascript" src="http://dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=6"></script>
    <script type="text/javascript">
        var oMap = null;
        var iZoomLevel = 0;
    
        function GetMap()
        {
            oMap = new VEMap('myMap');
            oMap.LoadMap();
    
            oMap.AttachEvent("onendzoom", ZoomHandler);
            iZoomLevel = oMap.GetZoomLevel();
            window.location.hash = iZoomLevel;
        }
    
        function ZoomHandler(e)
        {
            iZoomLevel = oMap.GetZoomLevel();
            window.location.hash = iZoomLevel;
        }
    
        function HashChangeHandler()
        {
            var hash = window.location.hash;
            var iNewZoomLevel = hash.substr(1);
    
            if (iNewZoomLevel != iZoomLevel)
            {
                iZoomLevel = iNewZoomLevel;
                oMap.SetZoomLevel(iNewZoomLevel);
            }
        }
    </script>
    <body style='overflow: scroll; height:100%' onload="GetMap();" onhashchange="HashChangeHandler();">
        <div id='myMap' style='position: relative; width: 500px; height: 500px; valign: center'></div>
    </body>
    </html>
    
  2. Open a browser and navigate to the webpage. For example: C:\Users\Contoso\Desktop\1030.html

This opens the page in the Local Machine zone. Because the page includes script, the Local Machine Zone Lockdown event is logged to the compatibility tool. The user is also prompted with the following message:

To help protect your security, Internet Explorer has restricted this webpage from running scripts or ActiveX controls that could access your computer. Click here for options...

The prompt in the information bar is generated because Windows Internet Explorer is restricting the URLACTION_SCRIPT_RUN URL action.

Remediation

If your webpage runs a Microsoft ActiveX control or script, you can add a Mark of the Web comment to the HTML of the page. Mark of the Web is an Internet Explorer feature that forces the HTML file into the security zone of the specified URL. This enables the webpage to run the script or ActiveX control in a less restrictive zone. This only works for Microsoft Internet Explorer 4.0 and later.

Use the following comment to insert a Mark of the Web comment into a page with an identified domain, replacing http://www.fabrikam.com with the URL of the Internet or intranet domain where the page is hosted. The four-digit number in parentheses is the length, in characters, of the URL that follows it.

<!-- saved from url=(0023)http://www.fabrikam.com -->

Use the following comment when you need to insert a generic Mark of the Web.

<!-- saved from url=(0014)about:internet -->

With Microsoft Internet Explorer 6 and later, you can use the Mark of the Web comment with multipart HTML (.mht) files.
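The following Python sketch is an added example, not part of the original topic. It builds a Mark of the Web comment in the standard `url=(NNNN)URL` form, where NNNN is the character count of the URL, and reports which pages carry one, so you can see which local files declare a zone of their own. The sample pages and the function names are constructed for illustration.

```python
import re

# <!-- saved from url=(NNNN)URL -->, where NNNN is the character count of URL.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.I)


def build_motw(url):
    """Return the Mark of the Web comment for url with its length prefix."""
    if not url or len(url) > 9999 or any(c.isspace() for c in url):
        raise ValueError("URL must be 1-9999 characters with no whitespace")
    return f"<!-- saved from url=({len(url):04d}){url} -->"


def inspect_motw(html):
    """Return (url, length_ok) for the first MOTW in html, or None if absent."""
    m = MOTW_RE.search(html)
    if m is None:
        return None
    declared, url = int(m.group(1)), m.group(2)
    return url, declared == len(url)


# Constructed sample pages (file names and contents are illustrative).
SAMPLES = {
    "1030.html": "<html><script>var x = 1;</script></html>",
    "marked.html": build_motw("http://www.fabrikam.com") + "\n<html></html>",
    "generic.html": "<!--saved from url=(0014)about:internet-->\n<html></html>",
    "stale.html": "<!-- saved from url=(0023)http://intranet.fabrikam.com -->",
}


def audit(pages):
    """Map each file name to 'no MOTW', its MOTW URL, or a length mismatch."""
    report = {}
    for name, html in pages.items():
        found = inspect_motw(html)
        if found is None:
            report[name] = "no MOTW"
        elif found[1]:
            report[name] = "MOTW: " + found[0]
        else:
            report[name] = "MOTW length prefix does not match: " + found[0]
    return report
```

A length mismatch usually means the URL was edited by hand after the comment was generated; regenerate the comment with `build_motw` rather than patching the number.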

Note  You host HTML application (.hta) files in a different process; therefore, they are not impacted by the Local Machine zone lockdown.

 

The user can also configure the restrictions associated with the zones, through Internet Options on the Tools menu.

Security Warning:

This setting prevents content on a user's computer from elevating privilege. Code with elevated privilege can then run any code through an ActiveX control or read information with a script. Using this option is not recommended; if it is necessary, use it only as a last resort.

Disabling the feature should only be used as a temporary measure during troubleshooting, to compare the behavior of the application with the feature enabled and disabled. It is not recommended that the feature be left disabled on an ongoing basis.

You may also control this feature through feature control keys.

You manage the Local Machine zone lockdown restrictions through a security feature control registry key (FEATURE_LOCALMACHINE_LOCKDOWN). The feature applies to a process that runs under this feature control; to disable it for Internet Explorer (Iexplore.exe), set the following registry value:

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_LOCALMACHINE_LOCKDOWN
                     iexplore.exe = 0x00000000
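
Because a value of 0 under this key turns the lockdown off for the named process, it is worth checking where that has been done. The following Python sketch is an added example, not part of the original topic: it reads registry export (.reg) text and lists the processes for which FEATURE_LOCALMACHINE_LOCKDOWN is disabled. The sample export is constructed and the process name contoso_host.exe is hypothetical.

```python
import re

FEATURE = "FEATURE_LOCALMACHINE_LOCKDOWN"
VALUE_RE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in .reg export format (decode real exports from UTF-16 first).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"iexplore.exe"=dword:00000000
"contoso_host.exe"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"iexplore.exe"=dword:00000001
'''


def lockdown_settings(reg_text):
    """Return (hive, process, enabled) for every value under the feature key."""
    results, key = [], None
    suffix = "\\FEATURECONTROL\\" + FEATURE
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # entering a new registry key section
            continue
        m = VALUE_RE.match(line)
        if m and key and key.upper().endswith(suffix):
            hive = key.split("\\", 1)[0]
            enabled = int(m.group(2), 16) != 0   # 0 disables the lockdown
            results.append((hive, m.group(1).lower(), enabled))
    return results


def lockdown_disabled(reg_text):
    """Return (hive, process) pairs where the lockdown has been turned off."""
    return [(h, p) for h, p, on in lockdown_settings(reg_text) if not on]


if __name__ == "__main__":
    for hive, proc in lockdown_disabled(SAMPLE_REG):
        print(f"{hive}: lockdown disabled for {proc}")
```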

This feature can also be controlled by the following Group Policy settings:

GPO Policy Path: Administrative Templates\Windows Components\Internet Explorer\Security Features\Local Machine Zone Lockdown Security
GPO Policy Setting Name: Internet Explorer Processes
GPO Settings:

If you enable this policy setting, the Local Machine zone security applies to all local files and content processed by Internet Explorer.

If you disable this policy setting, Local Machine zone security is not applied to local files or content processed by Internet Explorer.

If you do not configure this policy setting, the Local Machine zone security applies to all local files and content processed by Internet Explorer.

 

Applications that host the WebBrowser control can also take advantage of the security feature control, by adding their process to the same registry locations. You can do this programmatically, by using the CoInternetSetFeatureEnabled function.

Note  If an application does not run under this security feature control, the WebBrowser control behaves the same as previous versions of Internet Explorer.

 

Related topics

Internet Explorer Application Compatibility

Events 1030 through 1037