URL Security Zones

URL security zones enable administrators to divide URL namespaces according to their respective levels of trust and to manage each level with an appropriate URL policy. A supplied API enables developers to interact with the default URL security zone manager, or to create a custom URL security zone manager.

Overviews/Tutorials

Topic Contents
About URL Security Zones Templates

Templates provide an easy way for users to set the level of security they want for a particular URL security zone. For more information on URL security zones, see About URL Security Zones.

About URL Security Zones

URL security zones group URL namespaces according to their respective levels of trust. A URL policy setting for each URL action enforces these levels of trust. Administrators can customize the default URL security zones by changing the URL policy setting for each URL action, using the default URL security zone manager and URL security zone templates. Additionally, a supplied API provides developers with the tools to either interact with the default URL security zone manager or to create a custom URL security zone manager.

About Zone Elevation

Zone elevation occurs when a Web page loaded in one URL security zone loads a page from a less restrictive zone in a frame or a new window.

Adding Sites to the Enhanced Security Configuration Zones

This topic describes how to add sites to security zones in the enhanced security configuration.

Enhanced Security Configuration for Internet Explorer

This topic explains the changes made to Windows Internet Explorer and Microsoft Outlook Express in Windows Server 2003. These changes reduce the attack surface that an attacker could use to compromise the security of your server.

Implementing a Custom Security Manager

Applications can manage the default URL security zone settings by using the IInternetZoneManager interface; however, changes made with IInternetZoneManager are not permanent, because the user can override them. In most cases, applications that need to control the URL security zone settings should host the WebBrowser Control or MSHTML and implement their own security manager.

Introduction to Feature Controls

Feature Controls are new additions to Internet Explorer in Windows XP Service Pack 2 (SP2). A Feature Control enables administrators and developers to turn certain security restrictions on or off.

 

Objects

Topic Contents
Internet Security Manager

The Internet Security Manager is an object that manages security in Internet Explorer and WebBrowser applications by determining in which security zone a particular URL belongs and which actions Web pages in that zone can perform.

Internet Zone Manager

The Internet Zone Manager is an object that manages zones.

Persistent Zone Identifier

The Persistent Zone Identifier object enables access to zone information that is persisted with local files. The Attachment Execution Services (see IAttachmentExecute) set the zone information, which the Internet Security Manager Object (see IInternetSecurityManager) consumes. Use IPersistFile to attach the object to the target file and IZoneIdentifier to examine or to manipulate the zone ID.

 

Interfaces

Topic Contents
IInternetHostSecurityManager

Provides methods for components to use to manage security.

IInternetSecurityManager

Enables client applications to determine the security of the browser components.

IInternetSecurityManagerEx

Extends the IInternetSecurityManager interface.

IInternetSecurityManagerEx2

Exposes methods that enable client applications to determine the security of the browser components.

IInternetSecurityMgrSite

Exposes methods that enable components to manage the user interface of the security manager.

IInternetZoneManager

Exposes methods that are used by a host to control the security zone infrastructure.

IInternetZoneManagerEx

Extends the IInternetZoneManager interface.

IInternetZoneManagerEx2

Extends the IInternetZoneManagerEx interface.

IZoneIdentifier

Provides methods for getting and setting the security zone for a file.

IZoneIdentifier2

Provides methods for including metadata about which Store app was the last to write to a file, as well as a hint provided by the app as to what the trust level should be.

 

Functions

Topic Contents
CoInternetCreateSecurityManager

Creates an IInternetSecurityManager interface.

CoInternetCreateZoneManager

Creates an IInternetZoneManager interface.

CoInternetGetSecurityUrl

Gets the security URL for the specified URL.

CoInternetGetSecurityUrlEx

Gets the security URL for the Uniform Resource Identifier (URI) in the specified IUri.

CoInternetIsFeatureEnabled

Determines whether the specified feature control is enabled.

CoInternetIsFeatureEnabledForIUri

Determines whether the specified feature control is enabled for the security zone of the specified IUri.

CoInternetIsFeatureEnabledForUrl

Determines whether the specified feature control is enabled for the security zone of the specified URL.

CoInternetIsFeatureZoneElevationEnabled

Determines the URL policy for URLACTION_FEATURE_ZONE_ELEVATION for the specified URL. When the policy is URLPOLICY_QUERY, this function displays a dialog that allows the user to decide whether to allow the zone elevation.

CoInternetSetFeatureEnabled

Enables or disables a specified feature control.

 

Structures

Topic Contents
ZONEATTRIBUTES

Contains the attributes of a particular zone.

 

Enumerations

Topic Contents
INTERNETFEATURELIST

Contains the Feature Controls for Internet Explorer.

PSUACTION

Contains the flags passed into the CoInternetGetSecurityUrl function.

PUAF

Contains the flags passed into the IInternetSecurityManager::ProcessUrlAction method.

PUAFOUT

Contains the flags passed out of the IInternetSecurityManagerEx::ProcessUrlActionEx method.

SZM_FLAGS

Contains the flag values used for creating and enumerating security zone mappings.

URLTEMPLATE

Contains the security level templates.

URLZONE

Contains all the predefined zones used by Internet Explorer.

URLZONEREG

Contains the registry location values.

ZAFLAGS

Contains the zone attribute flags.

 

Constants

Topic Contents
MapUrlToZone Flags

Values that control the action of IInternetSecurityManager::MapUrlToZone and IInternetSecurityManagerEx2::MapUrlToZoneEx2.

URL Action Flags

The following list contains values associated with the actions that can be taken in a URL security zone. The possible URL policy values for each of the listed URL action flags can be found in About URL Security Zones.

URL Policy Flags

The following list contains the values associated with the policies used with the URL action flags.