URL Action Flags
The following list contains values associated with the actions that can be taken in a URL security zone. The possible URL policy values for each of the listed URL action flags can be found in About URL Security Zones.
| Constant/value | Description |
|---|---|
#define URLACTION_MIN 0x00001000 #define URLACTION_DOWNLOAD_MIN 0x00001000 #define URLACTION_DOWNLOAD_SIGNED_ACTIVEX 0x00001001 #define URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX 0x00001004 #define URLACTION_DOWNLOAD_CURR_MAX 0x00001004 #define URLACTION_DOWNLOAD_MAX 0x000011FF #define URLACTION_ACTIVEX_MIN 0x00001200 #define URLACTION_ACTIVEX_RUN 0x00001200 #define URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY 0x00001201 #define URLACTION_ACTIVEX_OVERRIDE_DATA_SAFETY 0x00001202 #define URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY 0x00001203 #define URLACTION_SCRIPT_OVERRIDE_SAFETY 0x00001401 #define URLACTION_ACTIVEX_CONFIRM_NOOBJECTSAFETY 0x00001204 #define URLACTION_ACTIVEX_TREATASUNTRUSTED 0x00001205 #define URLACTION_ACTIVEX_NO_WEBOC_SCRIPT 0x00001206 #define URLACTION_ACTIVEX_OVERRIDE_REPURPOSEDETECTION 0x00001207 #define URLACTION_ACTIVEX_OVERRIDE_OPTIN 0x00001208 #define URLACTION_ACTIVEX_SCRIPTLET_RUN 0x00001209 #define URLACTION_ACTIVEX_DYNSRC_VIDEO_AND_ANIMATION 0x0000120A #define URLACTION_ACTIVEX_OVERRIDE_DOMAINLIST 0x0000120B #define URLACTION_ACTIVEX_CURR_MAX 0x0000120B #define URLACTION_ACTIVEX_MAX 0x000013ff #define URLACTION_SCRIPT_MIN 0x00001400 #define URLACTION_SCRIPT_RUN 0x00001400 #define URLACTION_SCRIPT_JAVA_USE 0x00001402 #define URLACTION_SCRIPT_SAFE_ACTIVEX 0x00001405 #define URLACTION_CROSS_DOMAIN_DATA 0x00001406 #define URLACTION_SCRIPT_PASTE 0x00001407 #define URLACTION_ALLOW_XDOMAIN_SUBFRAME_RESIZE 0x00001408 #define URLACTION_SCRIPT_XSSFILTER 0x00001409 #define URLACTION_SCRIPT_CURR_MAX 0x00001409 #define URLACTION_SCRIPT_MAX 0x000015ff #define URLACTION_HTML_MIN 0x00001600 #define URLACTION_HTML_SUBMIT_FORMS 0x00001601 #define URLACTION_HTML_SUBMIT_FORMS_FROM 0x00001602 #define URLACTION_HTML_SUBMIT_FORMS_TO 0x00001603 #define URLACTION_HTML_FONT_DOWNLOAD 0x00001604 #define URLACTION_HTML_JAVA_RUN 0x00001605 #define URLACTION_HTML_USERDATA_SAVE 0x00001606 #define URLACTION_HTML_SUBFRAME_NAVIGATE 0x00001607 #define URLACTION_HTML_META_REFRESH 0x00001608 #define URLACTION_HTML_MIXED_CONTENT 0x00001609 #define URLACTION_HTML_INCLUDE_FILE_PATH 0x0000160A #define URLACTION_HTML_MAX 0x000017ff #define URLACTION_SHELL_MIN 0x00001800 #define URLACTION_SHELL_INSTALL_DTITEMS 0x00001800 #define URLACTION_SHELL_MOVE_OR_COPY 0x00001802 #define URLACTION_SHELL_FILE_DOWNLOAD 0x00001803 #define URLACTION_SHELL_VERB 0x00001804 #define URLACTION_SHELL_WEBVIEW_VERB 0x00001805 #define URLACTION_SHELL_SHELLEXECUTE 0x00001806 #if (_WIN32_IE >= _WIN32_IE_IE60SP2) #define URLACTION_SHELL_EXECUTE_HIGHRISK 0x00001806 #define URLACTION_SHELL_EXECUTE_MODRISK 0x00001807 #define URLACTION_SHELL_EXECUTE_LOWRISK 0x00001808 #define URLACTION_SHELL_POPUPMGR 0x00001809 #define URLACTION_SHELL_RTF_OBJECTS_LOAD 0x0000180A #define URLACTION_SHELL_ENHANCED_DRAGDROP_SECURITY 0x0000180B #define URLACTION_SHELL_EXTENSIONSECURITY 0x0000180C #define URLACTION_SHELL_SECURE_DRAGSOURCE 0x0000180D #endif //(_WIN32_IE >= _WIN32_IE_IE60SP2) #if (_WIN32_IE >= _WIN32_IE_WIN7) #define URLACTION_SHELL_REMOTEQUERY 0x0000180E #define URLACTION_SHELL_PREVIEW 0x0000180F #endif //(_WIN32_IE >= _WIN32_IE_WIN7) #define URLACTION_SHELL_CURR_MAX 0x0000180F #define URLACTION_SHELL_MAX 0x000019ff #define URLACTION_NETWORK_MIN 0x00001A00 #define URLACTION_CREDENTIALS_USE 0x00001A00 #define URLACTION_AUTHENTICATE_CLIENT 0x00001A01 #define URLACTION_COOKIES 0x00001A02 #define URLACTION_COOKIES_SESSION 0x00001A03 #define URLACTION_CLIENT_CERT_PROMPT 0x00001A04 #define URLACTION_COOKIES_THIRD_PARTY 0x00001A05 #define URLACTION_COOKIES_SESSION_THIRD_PARTY 0x00001A06 #define URLACTION_COOKIES_ENABLED 0x00001A10 #define URLACTION_NETWORK_CURR_MAX 0x00001A10 #define URLACTION_NETWORK_MAX 0x00001Bff #define URLACTION_JAVA_MIN 0x00001C00 #define URLACTION_JAVA_PERMISSIONS 0x00001C00 #define URLACTION_JAVA_CURR_MAX 0x00001C00 #define URLACTION_JAVA_MAX 0x00001Cff #define URLACTION_INFODELIVERY_MIN 0x00001D00 #define URLACTION_INFODELIVERY_NO_ADDING_CHANNELS 0x00001D00 #define URLACTION_INFODELIVERY_NO_EDITING_CHANNELS 0x00001D01 #define URLACTION_INFODELIVERY_NO_REMOVING_CHANNELS 0x00001D02 #define URLACTION_INFODELIVERY_NO_ADDING_SUBSCRIPTIONS 0x00001D03 #define URLACTION_INFODELIVERY_NO_EDITING_SUBSCRIPTIONS 0x00001D04 #define URLACTION_INFODELIVERY_NO_REMOVING_SUBSCRIPTIONS 0x00001D05 #define URLACTION_INFODELIVERY_NO_CHANNEL_LOGGING 0x00001D06 #define URLACTION_INFODELIVERY_CURR_MAX 0x00001D06 #define URLACTION_INFODELIVERY_MAX 0x00001Dff #define URLACTION_CHANNEL_SOFTDIST_MIN 0x00001E00 #define URLACTION_CHANNEL_SOFTDIST_PERMISSIONS 0x00001E05 #define URLACTION_CHANNEL_SOFTDIST_MAX 0x00001Eff #if (_WIN32_IE >= _WIN32_IE_IE80) #define URLACTION_DOTNET_USERCONTROLS 0x00002005 #endif //(_WIN32_IE >= _WIN32_IE_IE80) #if (_WIN32_IE >= _WIN32_IE_IE60SP2) #define URLACTION_BEHAVIOR_MIN 0x00002000 #define URLACTION_BEHAVIOR_RUN 0x00002000 #define URLACTION_FEATURE_MIN 0x00002100 #define URLACTION_FEATURE_MIME_SNIFFING 0x00002100 #define URLACTION_FEATURE_ZONE_ELEVATION 0x00002101 #define URLACTION_FEATURE_WINDOW_RESTRICTIONS 0x00002102 #define URLACTION_FEATURE_SCRIPT_STATUS_BAR 0x00002103 #define URLACTION_FEATURE_FORCE_ADDR_AND_STATUS 0x00002104 #define URLACTION_FEATURE_BLOCK_INPUT_PROMPTS 0x00002105 #define URLACTION_FEATURE_DATA_BINDING 0x00002106 #define URLACTION_FEATURE_CROSSDOMAIN_FOCUS_CHANGE 0x00002107 #define URLACTION_AUTOMATIC_DOWNLOAD_UI_MIN 0x00002200 #define URLACTION_AUTOMATIC_DOWNLOAD_UI 0x00002200 #define URLACTION_AUTOMATIC_ACTIVEX_UI 0x00002201 #define URLACTION_ALLOW_RESTRICTEDPROTOCOLS 0x00002300 #endif //(_WIN32_IE >= _WIN32_IE_IE60SP2) #if (_WIN32_IE >= _WIN32_IE_IE70) #define URLACTION_ALLOW_APEVALUATION 0x00002301 #define URLACTION_WINDOWS_BROWSER_APPLICATIONS 0x00002400 #define URLACTION_XPS_DOCUMENTS 0x00002401 #define URLACTION_LOOSE_XAML 0x00002402 #define URLACTION_LOWRIGHTS 0x00002500 #define URLACTION_WINFX_SETUP 0x00002600 #define URLACTION_INPRIVATE_BLOCKING 0x00002700 #endif //(_WIN32_IE >= _WIN32_IE_IE70) #define URLACTION_ALLOW_AUDIO_VIDEO 0x00002701 #define URLACTION_ALLOW_ACTIVEX_FILTERING 0x00002702 #define URLACTION_ALLOW_STRUCTURED_STORAGE_SNIFFING 0x00002703 | |
|
User can decide whether to load and script a ActiveX control that is not safe. |
|
Current maximum value of the URL action ActiveX flags. |
|
Internet Explorer 7. Determines whether to allow native playback of video and animation in Web pages that specify media files in the DYNSRC attribute of the IMG element. Users may still be able to view non-native video and animation because animation and video can be created in the context of an external player application using the OBJECT tag. As of Internet Explorer 8, this setting also applies to HTML+TIME elements. |
|
Maximum value of the URL action ActiveX flags. |
|
Minimum value of the URL action ActiveX flags. |
|
Controls the ability to script the Web browser ActiveX control. |
|
Determines whether ActiveX safety for untrusted data can be overridden. |
|
Determines whether the ActiveX control object safety is overridden or enforced for pages in the URL security zone. Object safety should be overridden only if all ActiveX Controls and scripts that might interact with them on pages in the zone can be trusted not to breach security. This is an aggregate of URLACTION_ACTIVEX_OVERRIDE_DATA_SAFETY, URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY, URLACTION_ACTIVEX_CONFIRM_NOOBJECTSAFETY, and URLACTION_SCRIPT_OVERRIDE_SAFETY. |
|
Internet Explorer 7. Applications can opt in to bypass the ActiveX prompt mode to prevent security prompts from appearing out of context. This action determines whether to override this setting. |
|
Internet Explorer 6 for Windows XP SP2 and later. Determines whether to perform ActiveX repurpose detection, which tests if the control is safe to be hosted. Internet Explorer checks for the IObjectSafety interface on ActiveX controls in the Internet zone to identify how the author intends for the control to be reused. (See KB909738 for more information.) The default policy for this action is set by security update and should not be modified. Requires that the feature control FEATURE_ACTIVEX_REPURPOSEDETECTION is enabled. |
|
Determines whether ActiveX safety for scripting is overridden. |
|
Manages the execution of ActiveX Controls and plug-ins from HTML pages in the zone. |
|
Internet Explorer 7. Determines whether scriptlets are allowed to run. This action has no effect if URLACTION_ACTIVEX_RUN is disabled. |
|
Not implemented. |
|
Internet Explorer 8. When enabled, allows ActiveX controls to run without prompting in approved domains. The Per-Site ActiveX feature can be enabled and disabled under Internet Options; to do so, click the Security tab, select a security zone, click the Custom Level button, and then select one of the option buttons under "Only allow approved domains to use ActiveX without prompt." |
|
Internet Explorer 9. Determines whether ActiveX Filtering is allowed for the security zone. No filtering occurs until the user enables ActiveX Filtering on the Safety menu. ActiveX Filtering is disabled by default in the Local intranet zone. |
|
Internet Explorer 7 and later. Determine whether Phishing Filter evaluation is enabled. |
|
Internet Explorer 9. Determines whether media elements (audio and video) are allowed. For the element to appear, both the security zone of the host webpage and the media source must allow media. By default, this URLAction permits playback of resources from all zones except the Restricted Sites zone. This means that pages in the restricted zone cannot play media from anywhere, and that pages in other zones do not permit media that is loaded from restricted sites. |
|
Internet Explorer 6 for Windows XP SP2 and later. Determines whether content loaded over a particular protocol should be restricted. Requires that the feature control FEATURE_PROTOCOL_LOCKDOWN is enabled. |
|
Internet Explorer 9. Determines whether to return the CLSID from a structured storage file when calling GetClassFileOrMime. Enabled by default in the Local intranet and Trusted sites security zone. To disallow sniffing across all zones, enable the |
|
Internet Explorer 7. Prevents content from an different domain from executing a resize command on a subframe (frame/iframe). The following methods are blocked: window.IHTMLWindow2::moveTo(x,y), window.IHTMLWindow2::moveBy(x,y), window.IHTMLWindow2::resizeTo(x,y), window.IHTMLWindow2::resizeBy(x,y). There is no UI to modify this behavior. |
|
Not currently used. |
|
Internet Explorer 6 for Windows XP SP2 and later. Determines whether to display the Information Bar for ActiveX control installations rather than the ActiveX control prompt. Requires that the feature control FEATURE_RESTRICT_ACTIVEXINSTALL for code downloads is enabled. |
|
Internet Explorer 6 for Windows XP SP2 and later. Determines whether to display the file download dialogs or the Information Bar for downloads that are not initiated by the user. Requires that the feature control FEATURE_RESTRICT_FILEDOWNLOAD for file downloads is enabled. |
|
Internet Explorer 6 for Windows XP SP2 and later. Minimum value of the URL action download UI flags. |
|
Internet Explorer 6 for Windows XP SP2 and later. Minimum value of the URL action behavior flags. |
|
Internet Explorer 6 for Windows XP SP2 and later. Determines whether to allow DHTML behaviors and binary behaviors to run securely. Requires that the feature control FEATURE_BEHAVIORS is enabled. |
|
Maximum value for a URL action Software Update Channel flag. |
|
Minimum value for a URL action Software Update Channel flag. |
|
Determines the level of trust placed on Software Update Channels. |
|
Internet Explorer 6 and later. Determines whether to suppress the authentication dialog that prompts the user to select a client certificate when no certificate or only one certificate is already installed. |
|
Determines whether HTTP persistent cookies are allowed. |
|
Internet Explorer 6 and later. Determines whether HTTP cookies can be set and retrieved. |
|
Determines whether HTTP session cookies are allowed. |
|
Internet Explorer 6 and later. Determines whether third-party HTTP session cookies are allowed. |
|
Internet Explorer 6 and later. Determines whether third-party HTTP persistent cookies are allowed. |
|
Determines how the user's credentials are used over the network. |
|
Determines whether the resource is allowed to access data sources across domains. |
|
Internet Explorer 8. Determines whether to load a .NET user control on a Web page. Note that the applicable security zone is that of the control (based on URL), not that of the hosting page. This URL Action can only be set in the registry; no user interface is provided in the Internet Options dialog box. To configure this option with Group Policy, a custom administrative template (ADMX) must be deployed. |
|
Maximum value for the URL action download flags. |
|
Maximum value of a URL action download flag. |
|
Minimum value of a URL action download flag. |
|
Manages the download of signed ActiveX Controls from the URL zone of the HTML page that contains the control. |
|
Manages the download of unsigned ActiveX Controls from the URL zone of the HTML page that contains the control. |
|
Internet Explorer 7. Determines whether to allow the popup blocker to show input prompt dialogs. Used to mitigate the risk of spoofing. |
|
Internet Explorer 9. Determines whether a caller is allowed to steal input focus from a different top-level parent. Normally, only windows with the same top-level parent are allowed to steal input focus from each other. |
|
Internet Explorer 8. Determines whether databinding is supported. By default, this feature is disabled in the Restricted zone, and in the High security template. |
|
Internet Explorer 7. Determines whether to allow sites to open windows without address or status bar. Overrides the setting of FEATURE_FORCE_ADDR_AND_STATUS. This flag also overrides the attempt of a script to hide the status and address bar. |
|
Internet Explorer 6 for Windows XP SP2 and later. Allows Internet Explorer to determine a file's type by examining its bit signature. Internet Explorer uses this information to determine how to render the file. Requires that the feature control FEATURE_MIME_SNIFFING is enabled. |
|
Internet Explorer 6 for Windows XP SP2 and later. Minimum value of the URL action feature control flags. |
|
Internet Explorer 7. Determines whether scripts can update the text of the status bar. |
|
Internet Explorer 6 for Windows XP SP2 and later. Determines whether a window should be constrained to the viewable desktop area and forced to have a status bar. Also, pop-up windows without chrome should be restricted in size and position so that they cannot overlay important information on their parent windows and cannot overlay system dialog box information. Requires that the feature control FEATURE_WINDOW_RESTRICTIONS is enabled. |
|
Internet Explorer 6 for Windows XP SP2 and later. Determines whether to prevent non-user-initiated navigation between a page in a lower security zone to a page in a higher security zone. Requires that the feature control FEATURE_ZONE_ELEVATION is enabled. |
|
Deprecated. Use URLACTION_HTML_MAX instead. |
|
Determines whether HTML font downloads are allowed. |
|
Internet Explorer 7. Controls whether file pathnames are submitted during a file upload. |
|
Determines whether Java applets are allowed to run. |
|
Maximum value of the URL action HTML flags. |
|
Internet Explorer 6 and later. Determines whether an HTML page can refresh in the security zone where the page is hosted. |
|
Minimum value of the URL action HTML flags. |
|
Internet Explorer 6 and later. Indicates that a secure HTTPS document contains unsecure elements, such as frames, HTTP image sources, and so forth. |
|
Internet Explorer 5 and later. Determines whether subframes are allowed to navigate across different domains. |
|
Determines whether HTML forms on pages in the URL security zone, or submitted to servers in the zone, are allowed. Aggregate of the URLACTION_HTML_SUBMIT_FORMS_FROM and URLACTION_HTML_SUBMIT_FORMS_TO flags. |
|
Determines whether form submissions from pages in the security zone are allowed. This flag is part of the URLACTION_HTML_SUBMIT_FORMS aggregate flag. |
|
Determines whether form submissions to a server in the security zone are allowed. This flag is part of the URLACTION_HTML_SUBMIT_FORMS aggregate flag. |
|
Internet Explorer 5 and later. Determines whether user data persistence is enabled. |
|
Reserved. |
|
Reserved. |
|
Reserved. |
|
Reserved. |
|
Reserved. |
|
Reserved. |
|
Reserved. |
|
Reserved. |
|
Reserved. |
|
Reserved. |
|
Internet Explorer 8. Enables third-party URL tracking in the security zone, also known as InPrivate Browsing. |
|
Current maximum value of the URL action Java flags. |
|
Maximum value for URL action Java flags. |
|
Minimum value for URL action Java flags. |
|
Determines the Java permissions for the zone. |
|
Windows XP SP2 and later. Determines whether to run Framework-reliant components that have been signed with Authenticode. This constant is not defined in Urlmon.h nor is it used directly by Internet Explorer; it is created by the CLR. |
|
Windows XP SP2 and later. Determines whether to run Framework-reliant components that have not been signed with Authenticode. This constant is not defined in Urlmon.h nor is it used directly by Internet Explorer; it is created by the CLR. |
|
Internet Explorer 7. Determines whether to process Loose XAML files, which are markup-only files that are not compiled into a browser application. See also URLACTION_WINDOWS_BROWSER_APPLICATIONS. |
|
Internet Explorer 7. Determines whether Protected Mode is enabled in the security zone. Available on Windows Vista only. |
|
The minimum value of URLACTIONS. |
|
Current maximum value for URL action network flags. |
|
Maximum value for URL action network flags. |
|
Minimum value for URL action network flags. |
|
Current maximum value for a URL action script flag. |
|
Determines whether script code on HTML pages in the URL security zone is allowed to use Java applets if the properties, methods, and events of the applet are exposed to scripts. |
|
Maximum value for a URL action script flag. |
|
Minimum value for a URL action script flag. |
|
Do not use ActiveX safety for objects created by scripts. |
|
Internet Explorer 5 and later. Determines whether scripts can do paste operations. |
|
Determines whether script code on the pages in the URL security zone is run. |
|
Determines whether scripting of safe ActiveX Controls is allowed. |
|
Internet Explorer 8. Enables or disables cross-site scripting (XSS) filter. This security setting determines the default behavior of the browser if the |
|
Current maximum value for a URL action Shell flag. |
|
Internet Explorer 6 for Windows XP SP2 and later. Determines whether to allow drag-and-drop operations that originate from Internet Explorer. |
|
Internet Explorer 6 for Windows XP SP2 and later. Determines whether launching dangerous files (file types known to be used by viruses and other malicious code) is permitted from the URL security zone. |
|
Internet Explorer 6 for Windows XP SP2 and later. Determines whether launching typically safe files (data only) is permitted from the URL security zone. |
|
Internet Explorer 6 for Windows XP SP2 and later. Determines whether launching ambiguous files (file types that could be used by viruses or other malicious code) is permitted from the URL security zone. |
|
Internet Explorer 7. Determines whether extensions to the shell are allowed to load. Blocked extensions are never loaded. Approved shell extensions are not affected by this action. |
|
Determines whether file downloads are permitted from the URL security zone of the HTML page with the link that is causing the download. |
|
Determines whether desktop items can be installed. |
|
Maximum value for a URL action Shell flag. |
|
Minimum value for a URL action Shell flag. |
|
Determines whether Move or Copy operations are allowed. |
|
Internet Explorer 6 for Windows XP SP2 and later. Determines whether to apply pop-up window management to Internet Explorer. |
|
Windows 7. Determines whether a URL can be rendered as a preview for a federated search query in Windows Explorer. |
|
Windows 7. Determines whether a URL can be used as a federated search query source in Windows Explorer. If denied, the remote server cannot be searched. |
|
Internet Explorer 6 for Windows XP SP2 and later. Determines whether OLE objects are allowed to load in WordPad. |
|
Internet Explorer 7 and later. Determines whether files can be moved or copied to and from the specified location. |
|
Internet Explorer 6 for Windows XP SP2 and later. See URLACTION_SHELL_EXECUTE_HIGHRISK. |
|
Determines whether launching of applications and files is permitted from the URL security zone. |
|
Determines whether executable files and HTML pages can be launched from WebView. There is no user interface that affects this URL action. |
|
Internet Explorer 7. Determines whether to launch .NET Framework 3.0 browser applications, which are built on the .NET Framework 3.0 platform. |
|
Internet Explorer 7. Determines whether .NET Framework 3.0 Runtime Components Setup is allowed. |
|
Internet Explorer 7. Determines whether to allow XPS Documents, which are files that are designed to provide users with a consistent document appearance regardless of where and how the document is viewed or printed. |
Remarks
The .NET Framework 3.5 installs an additional value that is not yet included in the standard list of URL Action Flags. The URLACTION value is equal to 0x00002007, and maps to "Permissions for .NET Framework-reliant components with manifests" in the Security Settings for the selected zone. This setting allows you to add a ClickOnce-style manifest to a control in the browser. It does not apply to ClickOnce applications.
The following two policy values are supported by components with manifests:
- High Safety (0x00010000) - manifested controls can run with the permissions it requests, but only if those permissions are a subset of the permissions it would have been granted by CAS policy or if the manifests are signed by a trusted publisher.
- Disabled (0x03) - manifested controls may not run at all. This is the default behavior for unrecognized URL Policy Flags.
Requirements
|
Minimum supported client |
Windows XP |
|---|---|
|
Minimum supported server |
Windows 2000 Server |
|
Product |
Internet Explorer 4.0 |