IE Security Zones


Greetings. My name is Mike Friedman. I’m on the Internet Explorer Security Test Team. In IE, the different areas of the Web are partitioned into a set of security zones. The topic I would like to talk about is programmatically adding sites to those zones. Zones were introduced in IE4 as a way to give users and admins more control, to strike a balance between user experience and gradations of risk. If you have a high degree of trust in a site, placing it in a lower-security zone can reduce the number of warnings and prompts the user will encounter. Conversely, placing a site you are concerned about into a higher-security zone can provide additional protection.  For security management or as part of a product installation, it’s sometimes useful to be able to add some sites to a security zone programmatically. Of course a website can’t manipulate which sites are in which security zones; it can only be done by code running on the user’s machine. I am going to show you how to write a C# application to place sites into security zones.

First, some background: IE, WebBrowser applications, and other participating applications use the Internet Security Manager to determine what zone an URL is in and what actions can be performed in that zone. The security zones are:

  • Local Intranet Zone—content located on an organization’s intranet. Because the servers and information are within an organization’s firewall, a user or organization can assign a higher trust level to the content on the intranet.

  • Trusted Sites Zone—content located on Web sites that are considered more reputable or trustworthy than other sites on the Internet. Users can use this zone to assign a higher trust level to these sites to minimize the number of authentication requests.

  • Internet Zone—Web sites on the Internet that do not belong to another zone. This default setting causes IE to prompt the user whenever potentially unsafe content is ready to download. Web sites that are not mapped into other zones automatically fall into this zone.

  • Restricted Sites Zone—Web sites that contain content that can cause, or may have previously caused, problems when downloaded. Users can use this zone to cause Internet Explorer to alert them whenever potentially unsafe content is about to download, or to prevent that content from downloading.

  • Local Machine Zone—The Local Machine zone is an implicit zone for content that exists on the local computer. The content found on the user’s computer, except for content that IE caches on the local system, is treated with a high level of trust. However, in XPSP2 the Local Machine Zone Lockdown feature causes IE to apply additional security that is even more restrictive than the default Internet Zone settings.

Each zone is assigned an equal level of permissions and starts out with a default security level (template) of High, Medium, Medium-High, or Low. The user can change the security level of each zone through the Security tab of the Internet Options UI, available in Internet Explorer by selecting Tools | Internet Options and accessible from the Control Panel as well. Starting with IE5, a Medium-Low template is available as well. The user can also use the UI to customize zone security settings except for the Local Machine Zone. A user can assign Web sites to some of the security zones. Besides the Internet Options UI, sites can be added to zones using the Internet Explorer Administration Kit (IEAK).

When adding sites to a zone, the user specifies an URL pattern. An URL pattern can be a fully specified site URL like http://www.microsoft.com, or it can contain asterisks as wildcards, for example http://*.msn.com . While browsing, users can tell what security zone a site is in by looking at the bottom right-hand corner of the IE window.

Each zone has an associated set of URL action policies. An example of an URL action is “Access data sources across domains.” The possible policies for this URL action are “Disable,” “Enable,” and “Prompt.” Ultimately, each zone’s URL patterns and URL action policies reside in the registry. Theoretically, an application can use the registry to query or manipulate the URL-to-zone mappings or the per-zone URL action policies. However, this is not a good idea, as the location and format of this information can change.  The proper way to work with this information is through interfaces that the Internet Security Manager exposes. If you write your own control or web application, you’ll want to make use of the Internet Security Manager to conform your software’s security policies with IE’s.

The IInternetSecurityManager interface enables client applications to modify the security settings. This interface is part of the URL Security Zones API, which allows developers to manage URL security zones and create custom URL security zone managers. If an application wants to place a pattern into a specified security zone, it would use the method IInternetSecurityManager::SetZoneMapping(). The syntax for the method looks like this:

HRESULT SetZoneMapping(DWORD dwZone, LPCWSTR lpszPattern, DWORD dwFlags)

The dwZone parameter specifies the security zone; lpszPattern specifies the pattern, and dwFlags indicates whether to create or delete the mapping.

For further information, see the MSDN reference for this method. (Note that in Windows Server 2003 and higher there is a regular and Enhanced Security Configuration version of each zone and you need to set a flag if you’re addressing the Enhanced Security Configuration version.)

I have written a simple C# application that illustrates the use of SetZoneMapping(). Here is a screen shot of the application:


In the “Site Pattern” field you enter an URL containing possible wildcards. You choose one of the radio buttons to designate the zone you want to place the pattern into. Then you push the “Add” button. A message box will come up saying whether the pattern was successfully added to the zone or not. You can repeat this however many times you wish. Push the Close button to end the application.

The complete Visual C# project is available to download here: SetZoneMappingDemo.zip.

To see how the app works, let’s zero in on two code snippets that contain the meat of the program:

The constructor for the form creates the Internet Security Manager COM object and obtains a reference to the IInternetSecurityManager interface:

    Type t = Type.GetTypeFromCLSID(CLSID_InternetSecurityManager);
    _securityManager = Activator.CreateInstance(t);
    _ism = (IInternetSecurityManager) _securityManager;

The handler for the Add button calls SetZoneMapping() and pronounces the result:

    int result = _ism.SetZoneMapping((UInt32)_ctrl.Tag, txtPattern.Text, SZM_CREATE);
    if (S_OK == result)
    {
        MessageBox.Show("Pattern \"" + txtPattern.Text + "\" successfully added to " + _ctrl.Text + " zone.");
    }
    else
    {
        MessageBox.Show("Could not add pattern \"" + txtPattern.Text + "\" to " + _ctrl.Text + " zone.");
    }

An obvious extension to this application would be a Delete button. The handler for that button would look very similar, except you’d pass SZM_DELETE to SetZoneMapping() instead of  SZM_CREATE.
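The two snippets above omit the interop declaration that makes the call possible. The following console program is an added example, not the downloadable project: it declares IInternetSecurityManager in its urlmon.h vtable order, adds a constructed pattern (http://*.example.com) to the Restricted Sites zone, verifies the result through MapUrlToZone rather than by reading the registry, and then removes the mapping again with SZM_DELETE. The CLSID, IID, zone numbers and SZM_* values are the documented ones; the pattern is an assumption chosen for the demonstration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;

// IInternetSecurityManager, declared in the same method order as urlmon.h so the
// vtable slots line up. PreserveSig keeps the raw HRESULT so we can test for S_OK.
[ComImport, Guid("79eac9ee-baf9-11ce-8c82-00aa004ba90b"),
 InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
interface IInternetSecurityManager
{
    [PreserveSig] int SetSecuritySite(IntPtr pSite);
    [PreserveSig] int GetSecuritySite(out IntPtr ppSite);
    [PreserveSig] int MapUrlToZone([MarshalAs(UnmanagedType.LPWStr)] string pwszUrl, out uint pdwZone, uint dwFlags);
    [PreserveSig] int GetSecurityId([MarshalAs(UnmanagedType.LPWStr)] string pwszUrl, IntPtr pbSecurityId, ref uint pcbSecurityId, IntPtr dwReserved);
    [PreserveSig] int ProcessUrlAction([MarshalAs(UnmanagedType.LPWStr)] string pwszUrl, uint dwAction, IntPtr pPolicy, uint cbPolicy, IntPtr pContext, uint cbContext, uint dwFlags, uint dwReserved);
    [PreserveSig] int QueryCustomPolicy([MarshalAs(UnmanagedType.LPWStr)] string pwszUrl, ref Guid guidKey, out IntPtr ppPolicy, out uint pcbPolicy, IntPtr pContext, uint cbContext, uint dwReserved);
    [PreserveSig] int SetZoneMapping(uint dwZone, [MarshalAs(UnmanagedType.LPWStr)] string lpszPattern, uint dwFlags);
    [PreserveSig] int GetZoneMappings(uint dwZone, out IEnumString ppenumString, uint dwFlags);
}

static class ZoneMappingDemo
{
    static readonly Guid CLSID_InternetSecurityManager = new Guid("7b8a2d94-0ac9-11d1-896c-00c04fb6bfc4");
    const uint URLZONE_UNTRUSTED = 4;          // Restricted Sites (0 = Local Machine, 1 = Intranet, 2 = Trusted, 3 = Internet)
    const uint SZM_CREATE = 0, SZM_DELETE = 1;
    const int S_OK = 0;

    static void Main()
    {
        var ism = (IInternetSecurityManager)Activator.CreateInstance(
            Type.GetTypeFromCLSID(CLSID_InternetSecurityManager));

        // Constructed pattern for the demonstration. Restricted Sites is used because the
        // Trusted Sites zone by default requires https: patterns and rejects http: ones.
        string pattern = "http://*.example.com";
        int hr = ism.SetZoneMapping(URLZONE_UNTRUSTED, pattern, SZM_CREATE);
        Console.WriteLine(hr == S_OK ? "Added " + pattern
                                     : "SetZoneMapping failed, HRESULT 0x" + hr.ToString("X8"));

        // Ask the same manager which zone a matching URL now resolves to; this is the
        // supported check, unlike inspecting the ZoneMap registry keys directly.
        uint zone;
        ism.MapUrlToZone("http://www.example.com/index.html", out zone, 0);
        Console.WriteLine("MapUrlToZone -> zone " + zone + " (expected 4 for Restricted Sites)");

        // Clean up: the identical call with SZM_DELETE removes the mapping again.
        hr = ism.SetZoneMapping(URLZONE_UNTRUSTED, pattern, SZM_DELETE);
        Console.WriteLine(hr == S_OK ? "Removed " + pattern : "Delete failed, HRESULT 0x" + hr.ToString("X8"));
    }
}
```

As the post notes, the mapping only affects the user account the program runs under, so run it as the user whose zone settings you intend to change.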

Adding an URL pattern to a security zone is only effective for the particular user that runs the application. You can learn more about security zones and how to work with them programmatically in the MSDN topic URL Security Zones .

This posting is provided “AS IS” with no warranties, and confers no rights.  Use of included code samples is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm .

Comments (23)

  1. Anonymous says:

    bullshit

    > Of course a website can’t manipulate which sites are in which security zones; it can only be done by code running on the user’s machine.

    http://secunia.com/advisories/11830/

    "bitlance winter has reported a vulnerability in Internet Explorer (IE), allowing malicious people to bypass security zones or conduct phishing attacks.

    The vulnerability is caused due to an error within the handling of URLs, which may cause IE to view a web site in context of another less secure security zone than intended.

    Example:

    http://[trusted_site]%2F%20%20%20.[malicious_site]/

    Successful exploitation may allow a web page to be displayed in context of another domain e.g. in the "Trusted sites" or "Local intranet" security zones."

  2. Anonymous says:

    That’s not really the same thing. You’re describing a zone elevation attack.

  3. Anonymous says:

    Nonsense. You could spoof the intranet zone. That is, place an arbitrary website in the intranet zone.

    http://12345%2F[/]%20%20%20.www.attacker.com

    IE would read http://12345/ as an intranet zone, yet the content would be http://www.attacker.com

    Precisely the opposite of the claim that a website cannot manipulate which sites are in which security zones.

    Check all the demo exploits out there.

  4. Anonymous says:

    Let me add, similarly, if you have microsoft.com in the trusted zone, the same would apply, i.e.:

    http://www.microsoft.com%2F%%20.www.attacker.com

    IE would think it’s pointing to microsoft.com and put http://www.attacker.com in the trusted zone.

    This is old news and verifiable with dozens of demos out there on the sec.lists. (patched now methinks) but older or non patched should still work.

  5. Anonymous says:

    Will the next version of IE allow users to define additional custom zones?

  6. Anonymous says:

    Bruce, you can pick up your jaw, we know you are speechless.

    Sorry we had to "pwn" you, but we had to shut you up.

  7. Anonymous says:

    (this coming from a power user)

    Perhaps we could, for sites that we frequent, set them in a ‘Custom Zone’ where we can set those websites to whatever permission we want.

    Say for example, I frequently visit a website but it’s very spammy/popup-ish. Add this website to my ‘custom zone’, and I have thus made visiting my site easier. Say I need just ActiveX or just java disabled???

    Though of course, this invites exploits so it would be flawed at first almost definitely.

  8. Anonymous says:

    LOL, Kitsune. The additional posts from Artist have nothing to respond to; he’s still talking about zone elevation attacks. Further, he talks about "patched now methinks" and unpatched systems.

  9. Anonymous says:

    > The additional posts from Artist have nothing to respond to; he’s still talking about zone elevation attacks.

    What’s your point? Mike said: "Of course a website can’t manipulate which sites are in which security zones". That’s practically the definition of a zone elevation attack.

  10. Anonymous says:

    The article is discussing the ability to add or delete URLs and patterns from the various zones.

    Taken in that context, the sentence you quoted, Jim, isn’t referring to zone elevation attacks.

    Nor is the ability to "manipulate which sites are in which security zones" the definition of a zone elevation attack. Bypassing those lists and navigating to a less restricted zone is a better definition of a zone elevation attack.

  11. Anonymous says:

    asd — I believe you can programmatically create your own zones, but not via IE itself…

  12. Anonymous says:

    I just tried the examples of the flaw with real URLs and couldn’t get the effect you describe; if this flaw is not present in the current version of IE then why bring it up at all?

    I really don’t understand the level of anger directed at IE and its developers by some Firefox users. Surely if you feel you have a superior product there is no need for such constant bitter attacks?

    Finally, it’s nice to see some content, that isn’t available elsewhere, starting to come through on the IE blog – this was a more valid complaint against previous posts.

  13. Anonymous says:

    > Nor is the ability to "manipulate which sites are in which security zones" the definition of a zone elevation attack. Bypassing those lists and navigating to a less restricted zone is a better definition of a zone elevation attack.

    That’s splitting hairs, IMHO.

    > I really don’t understand the level of anger directed at IE and it’s developers by some Firefox users.

    Artist didn’t say that he was a Firefox user. Why the finger-pointing at Firefox people?

    > Finally, it’s nice to see some content, that isn’t available elsewhere, starting to come through on the IE blog – this was a more valid complaint against previous posts.

    I agree.

  14. Anonymous says:

    asd, deadBird, you can already create your own custom security zones if you’re comfortable with regedit or programming tools. These custom zones do not show up in the IE user interface. Those with CompuServe’s more recent clients installed will find one or perhaps two custom security zones.

    The remainder of this documents settings on a US Windows 98/IE4 test system and may not reflect current locations in more recent OS or browser versions. I’m sure the audience here can update as necessary.

    To use such a zone, first create a new numbered Zone in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones. Say 5, 6 or 7 if you don’t have any custom zones at present.

    Once you have such a zone you can use it in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains just like the normal zones. To put a whole site in custom zone 6, add say msdn.com and as a new dword within named http use the value 6. If you want blogs.msdn.com to have a different value, create a new key blogs below the msdn.com key and put say a dword value 7 there.

    If you are doing this programmatically you might want to be sure to use the user’s current settings and modify those as required, rather than using the IE defaults. A security-conscious end user who notices you not respecting their security needs is unlikely to appreciate unnecessary compromises of their security.

    I’m not a Microsoft employee, so don’t blame Microsoft for any errors in this post. Note also that this is not using the API described in the post which started this, so remember that nothing here is guaranteed to stay working (or even work today…:)).

  15. Anonymous says:

    Hmmm…free antispyware, new IE? Nice bit of news.

  16. Anonymous says:

    Thank you, I am learning new things all day! And it is good to know my RSS already works. I think I need to add an RSS button to make this thing clear.

    But more work to do!

  17. Anonymous says:

    Do modifications to the security zones via IInternetSecurityManager and related interfaces happen in realtime? Or do I have to restart IE?

  18. Anonymous says:

    Thanks James for the post! However I can make an app that’ll do that, I’m just gonna hope it’s in IE7.

    Perhaps tinker with my own settings for a while, unless someone knows of an app that already does this.

  19. Anonymous says:

    Thanks for this post. After reading it, and the comments, I’m now more convinced than ever that the zone concept in IE is not adequate for IE7’s brave new world. The issue is that you can not really divide all sites up into a few neat categories. On the internet, there are a variety of sites I trust fully, some I trust a lot (but not fully), others I trust a bit, while most I don’t trust at all. Some of the ones I partly or fully trust I’ll want to allow popups, but others even though I fully trust I don’t want popups.

    The .NET team did a great job with this – you can in effect define sub-zones, and sub-zones of sub-zones, each with different levels of security.

    I’d like to see IE7 adopt something similar, with a configuration editor (to manage configurations) plus a simple wizard or two.

    I’m really looking forward to IE7!