IE Security Zones

Greetings. My name is Mike Friedman. I’m on the Internet Explorer Security Test Team. In IE, the different areas of the Web are partitioned into a set of security zones. The topic I would like to talk about is programmatically adding sites to those zones. Zones were introduced in IE4 as a way to give users and admins more control, to strike a balance between user experience and gradations of risk. If you have a high degree of trust in a site, placing it in a lower-security zone can reduce the number of warnings and prompts the user will encounter. Conversely, placing a site you are concerned about into a higher-security zone can provide additional protection. For security management or as part of a product installation, it’s sometimes useful to be able to add some sites to a security zone programmatically. Of course a website can't manipulate which sites are in which security zones; it can only be done by code running on the user's machine. I am going to show you how to write a C# application to place sites into security zones.

First, some background: IE, WebBrowser applications, and other participating applications use the Internet Security Manager to determine what zone an URL is in and what actions can be performed in that zone. The security zones are:

  • Local Intranet Zone—content located on an organization's intranet. Because the servers and information are within an organization's firewall, a user or organization can assign a higher trust level to the content on the intranet.

  • Trusted Sites Zone—content located on Web sites that are considered more reputable or trustworthy than other sites on the Internet. Users can use this zone to assign a higher trust level to these sites to minimize the number of authentication requests.

  • Internet Zone—Web sites on the Internet that do not belong to another zone. This default setting causes IE to prompt the user whenever potentially unsafe content is ready to download. Web sites that are not mapped into other zones automatically fall into this zone.

  • Restricted Sites Zone—Web sites that contain content that can cause, or may have previously caused, problems when downloaded. Users can use this zone to cause Internet Explorer to alert them whenever potentially unsafe content is about to download, or to prevent that content from downloading.

  • Local Machine Zone—The Local Machine zone is an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that IE caches on the local system, is treated with a high level of trust. However, in XPSP2 the Local Machine Zone Lockdown feature causes IE to apply additional security that is even more restrictive than the default Internet Zone settings.

Each zone is assigned an equal level of permissions and starts out with a default security level (template) of High, Medium, Medium-High, or Low. The user can change the security level of each zone through the Security tab of the Internet Options UI, available in Internet Explorer by selecting Tools | Internet Options and accessible from the Control Panel as well. Starting with IE5, a Medium-Low template is available as well. The user can also use the UI to customize zone security settings except for the Local Machine Zone. A user can assign Web sites to some of the security zones. Besides the Internet Options UI, sites can be added to zones using the Internet Explorer Administration Kit (IEAK).

When adding sites to a zone, the user specifies an URL pattern. An URL pattern can be a fully specified site URL like https://www.microsoft.com, or it can contain asterisks as wildcards, for example https://*.msn.com. While browsing, users can tell what security zone a site is in by looking at the bottom right-hand corner of the IE window.

Each zone has an associated set of URL action policies. An example of an URL action is "Access data sources across domains." The possible policies for this URL action are "Disable," "Enable," and "Prompt." Ultimately, each zone's URL patterns and URL action policies reside in the registry. Theoretically, an application can use the registry to query or manipulate the URL-to-zone mappings or the per-zone URL action policies. However, this is not a good idea, as the location and format of this information can change. The proper way to work with this information is through interfaces that the Internet Security Manager exposes. If you write your own control or web application, you'll want to make use of the Internet Security Manager to conform your software's security policies with IE's.

The IInternetSecurityManager interface enables client applications to modify the security settings. This interface is part of the URL Security Zones API, which allows developers to manage URL security zones and create custom URL security zone managers. If an application wants to place a pattern into a specified security zone, it would use the method IInternetSecurityManager::SetZoneMapping(). The syntax for the method looks like this:

HRESULT SetZoneMapping(DWORD dwZone, LPCWSTR lpszPattern, DWORD dwFlags)

The dwZone parameter specifies the security zone; lpszPattern specifies the pattern, and dwFlags indicates whether to create or delete the mapping.

For further information, see the MSDN reference for this method. (Note that in Windows Server 2003 and higher there is a regular and Enhanced Security Configuration version of each zone and you need to set a flag if you're addressing the Enhanced Security Configuration version.)

I have written a simple C# application that illustrates the use of SetZoneMapping(). Here is a screen shot of the application:

In the “Site Pattern” field you enter an URL containing possible wildcards. You choose one of the radio buttons to designate the zone you want to place the pattern into. Then you push the “Add” button. A message box will come up saying whether the pattern was successfully added to the zone or not. You can repeat this however many times you wish. Push the Close button to end the application.

The complete Visual C# project is available to download here: SetZoneMappingDemo.zip.

To see how the app works, let’s zero in on two code snippets that contain the meat of the program:

The constructor for the form creates the Internet Security Manager COM object and obtains a reference to the IInternetSecurityManager interface:

Type t = Type.GetTypeFromCLSID(CLSID_InternetSecurityManager);
_securityManager = Activator.CreateInstance(t);
_ism = (IInternetSecurityManager) _securityManager;

The handler for the Add button calls SetZoneMapping() and pronounces the result:

// The selected radio button's Tag holds the zone index; SZM_CREATE adds the mapping.
int result = _ism.SetZoneMapping((UInt32)_ctrl.Tag, txtPattern.Text, SZM_CREATE);
if (S_OK == result)
{
    MessageBox.Show("Pattern \"" + txtPattern.Text + "\" successfully added to " + _ctrl.Text + " zone.");
}
else
{
    MessageBox.Show("Could not add pattern \"" + txtPattern.Text + "\" to " + _ctrl.Text + " zone.");
}

An obvious extension to this application would be a Delete button. The handler for that button would look very similar, except you’d pass SZM_DELETE to SetZoneMapping() instead of SZM_CREATE.
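
The create, verify and delete sequence as a console program. This is an added example, not code from the original post or from SetZoneMappingDemo.zip. The interop declaration, the choice of the Restricted Sites zone and the example.test pattern are assumptions for illustration; the unused interface slots are placeholders that only preserve the method order.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;

// Assumed interop declaration (the demo project's own is not shown on the page).
// Slot order must match urlmon.h; placeholder slots are never called.
[ComImport, Guid("79EAC9EE-BAF9-11CE-8C82-00AA004BA90B"),
 InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
interface IInternetSecurityManager
{
    void SetSecuritySite();      // placeholder
    void GetSecuritySite();      // placeholder
    [PreserveSig] int MapUrlToZone([MarshalAs(UnmanagedType.LPWStr)] string url, out uint zone, uint flags);
    void GetSecurityId();        // placeholder
    void ProcessUrlAction();     // placeholder
    void QueryCustomPolicy();    // placeholder
    [PreserveSig] int SetZoneMapping(uint zone, [MarshalAs(UnmanagedType.LPWStr)] string pattern, uint flags);
    [PreserveSig] int GetZoneMappings(uint zone, out IEnumString patterns, uint flags);
}

static class ZoneMappingAudit
{
    static readonly Guid CLSID_InternetSecurityManager = new Guid("7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4");
    const uint URLZONE_UNTRUSTED = 4;              // Restricted Sites zone
    const uint SZM_CREATE = 0, SZM_DELETE = 1;
    const int S_OK = 0;

    [STAThread]
    static void Main()
    {
        var ism = (IInternetSecurityManager)Activator.CreateInstance(
            Type.GetTypeFromCLSID(CLSID_InternetSecurityManager));
        const string pattern = "https://*.example.test";   // constructed sample pattern
        const string url = "https://www.example.test/";    // concrete URL the pattern should match

        // Add the mapping and report the raw HRESULT rather than just pass/fail.
        Console.WriteLine("create: 0x{0:X8}", ism.SetZoneMapping(URLZONE_UNTRUSTED, pattern, SZM_CREATE));
        // Confirm the mapping took effect by resolving a matching URL.
        uint zone;
        if (ism.MapUrlToZone(url, out zone, 0) == S_OK)
            Console.WriteLine("{0} resolves to zone {1}", url, zone);
        // List every pattern currently mapped to the zone for this user.
        IEnumString e;
        if (ism.GetZoneMappings(URLZONE_UNTRUSTED, out e, 0) == S_OK)
        {
            var buf = new string[1];
            while (e.Next(1, buf, IntPtr.Zero) == S_OK)
                Console.WriteLine("  mapped: " + buf[0]);
        }
        // Remove the sample mapping again, as the Delete handler would.
        Console.WriteLine("delete: 0x{0:X8}", ism.SetZoneMapping(URLZONE_UNTRUSTED, pattern, SZM_DELETE));
    }
}
```

The GetZoneMappings loop is also a quick way to review which patterns the current user already has in a zone before changing anything.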

Adding an URL pattern to a security zone is only effective for the particular user that runs the application. You can learn more about security zones and how to work with them programmatically in the MSDN topic URL Security Zones.

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included code samples is subject to the terms specified at https://www.microsoft.com/info/cpyright.htm.