Hacking IE Security Zones

Warning : This entry contains information about editing the registry. Editing the registry could mess up your machine. Also , the changes described here will cause some web sites (and possibly even some local applications) to stop working correctly. That's the whole point ;-)

Bonus Warning : I don't work on the IE team, and I've hacked this stuff on my own machine with no apparent ill effects, but what I'm telling you to do here could really hork your system. It might not even have the desired results. And as Raymond would love to tell you, don't rely on these registry keys as being set in stone; they're implementation details and could change at any point in time.

SuperBonusWarningEx2 : Custom zones are not guaranteed to work in the future, and they might (for example) cause problems should you ever upgrade IE or Windows in the future, possibly even for Service Pack 2. The . NET security system does not work with custom zones, so you will be unable to run managed code from any sites in a custom zone. 3rd party applications (especially security-related applications or browser plug-ins) may also fail in custom zones. In short, back everything up before you start, and do this at your own risk!

A while ago I talked about some of the things I did to lock down my machine, and at the time I mentioned that I'd one day tell you about how to hack IE zones. Michael Howard also had a couple of blogs about this topic. So here we go.

Note that you should definitely read the Description of Internet Explorer Security Zones Registry Entries KB article as a guide to better understand how IE uses the registry.

Anyway, as Michael mentions, the best way to browse the web in IE is to set all your security zones to "High" except for the Trusted Sites Zone, which you can set to "Medium." That's a good start, but we can do much better than that. There are at least three things you can do to make the situation better:

· Create one or more Partially Trusted Zone(s)

· Ratchet down the My Computer Zone

· Change the defaults and minimum levels for all the zones

Let There Be Six!

The first thing to do is to crack open regedit and navigate to the following key:

HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Internet Settings Zones

This is where IE stores information about security zones (duh). You should see five subkeys numbered 0 through 4 that represent (in order) the My Computer Zone, Local Intranet Zone, Trusted Sites Zone, Internet Zone, and Restricted Sites Zone (basically in decreasing order of trust). What we're going to do is add a sixth (and possibly seventh, etc.) zone to that list.

But first of all, right-click on the Zones key and export it to a file such as originalzones.reg in a "safe place" so that you can restore the key should you royally mess up your system.

Now, assuming that you have the Internet Zone set to "High" mode (which it should be at; go back to IE and change it if not), right-click on the "3" subkey and export it to something like internetzone.reg. Now open up that file in Notepad and make the following changes:

· Change the key name (inside the square brackets) from "3" to "5". This makes sure we'll create a new zone

· Change the DisplayName to "Partial Trust" or something similar

· Change the Description to "This zone allows basic scripting, downloads, and refreshes" or something similar

· Change the Icon to "inetcpl.cpl#00004480" (Trusted Sites icon) or another icon of your choice

· Change the CurrentLevel and RecommendedLevel to 00012000. This makes "High" the default setting

· Change the MinLevel to 00011000. This will warn you if you ever try to set the zone to less than "Medium"

· Change the Flags to 3. This will allow you to add sites to the zone and to change its settings

OK, now save the file as something like partialzone.reg, and import it into the registry. Congratulations! You've added a security zone (and probably voided your warranty to boot).

A couple of notes: The reason we clone the Internet Zone instead of Trusted Sites is because of the cookie settings (those two GUID keys with large blobs of binary data). I don't really understand how these work, and the values 1A02, 1A03, 1A05, 1A06 and 1A10 mentioned in the KB article don't seem to make a difference. Suffice to say that if you don't have these GUIDs present, cookies don't seem to work, and that (generally) means that web sites don't work either.

Also note that although you give the zone a name and description, IE won't actually use them in the Options dialog (it puts random text there instead), although it will use them in the status bar when you browse to a site. I've also had problems getting custom icons to load; YMMV.

Now you should be able to go to IE, open the Options dialog, go to the Security tab, and see you new zone at the end of the list. As I mentioned above, it will probably have some random name (like "Your Computer") rather than the name you gave it in the registry (like "Partial Trust") but we'll ignore that. Click the zone's icon, then click the Custom Level button.

Just to be sure, reset the zone to "High" (using the Reset custom settings controls at the bottom of the dialog) and then make the following three changes:

· Enable Downloads -> File Downloads

· Enable Miscellaneous -> Allow META REFRESH

· Enable Scripting -> Active Scripting

Now you have a zone to which you can add all sorts of sites (like Amazon, Expedia, or even this website) to enable them to work reasonably well without having to put up with annoying Flash adverts and without overly exposing yourself to any security problems with these sites (such as cross-site scripting bugs).

You might also consider adding a seventh zone (with the brilliantly creative key name of... drum roll please... "6") that is somewhere between Partial Trust and Trusted Sites -- for example, you might allow the running and scripting of "safe" ActiveX controls, but not the downloading of new controls. You could then add sites that use (eg) Flash or MSXML to this zone, again without overly exposing yourself to potential problems on these sites.

Lock Down My Computer

The next thing to do is lock down the My Computer zone, just as I recommend doing with .NET security policy. This is likely to break any applications you have that show HTML UI from the local machine, so you may want to experiment with this for a bit. Make sure you back up this key before hand (as instructed above)!

The main reason you would want to lock down My Computer is that most of the recent exploits for IE have relied on the fact that you can either "trick" the browser into thinking it is loading content off the local machine when really it is just reading cached content from the web, or you can overwrite a file in a well-known location and get the browser to load it. Basically this means that someone can send you to a webpage that downloads malicious code to your local machine and then re-directs IE to the downloaded version, and gets it to run with elevated privileges because it's considered to be on the (trusted) local machine rather than the (untrusted) internet.

Anyway, a few changes in regedit should stop these attacks from working. Navigate to the same key as before, and open up subkey "0". Make the following changes:

· Change the RecommendedLevel to 12000. This makes "High" the default setting

· Change the MinLevel to 11000. This will warn you if you ever try to set the zone to less than "Medium"

· Change the Flags to 1. This will make the zone show up in the Security dialog and allow you to change its settings

Now go to IE, open up the Options dialog and the Security tab, and you should see that My Computer now appears in the list. Click it, click the Custom Level button, and reset the zone to "High." Now you should be safe from most cross-zone scripting attacks in IE, although as previously mentioned this could break legitimate content on your machine. Just change the zone to "Medium" (or some other level) if one of your apps breaks. For example, some Visual Studio wizards (like the VSTO New Project Wizard :-) ) won't work correctly in the "High" mode because they use HTML dialogs with script and ActiveX controls.

Secure By Default

The next change is just to make sure that if you ever click the Default Level button on a zone, all your hard work isn't for naught. It also makes sure that you are sufficiently warned if you try and set a security setting too low. Basically, for each zone in the registry, set the RecommendedLevel to 12000 (for "High") and the MinLevel to 11000 (for "Medium"), except for the Restricted Sites zone, which should have a MinLevel of 12000 ("High"). You might also want to set the RecommendedLevel of TrustedSites to only 11000 ("Medium"), but that's a matter of taste.

As a bonus, you could even make the Restricted Sites Zone hidden from the UI so that you can't accidentally change it. Of course this will mean you can't add any sites to it without hacking the registry, but it will still do its job for e-mail and other programs that use the zone by default. And besides, you're already cruising the Internet Zone in "High" mode so the Restricted Sites can't really do anything more for you :-). You can hide the zone from the Security tab by setting the Flags value to 32.

Odd Bits

Also note that you should ensure that in the Advanced tab of the IE options dialog, you have "Check for signatures on downloaded programs" enabled. The default is unchecked, but I believe this may change in Windows XP SP 2 (at last!). Quite why this option is not part of the normal security settings is beyond me; the Advanced tab seems like a weird place to have put it.

Also, if you want to see which URLs are in which zone, you can look at the following registry key:

HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Internet Settings ZoneMap Domains

Basically the keys represent domain names, and the keys have a DWORD value with the name of an individual protocol (http, https, etc.) or an asterisk (*, meaning all protocols) and a value of the zone's number (0-n). In general, for large sites like Microsoft that have many site names (support, msdn, etc) you probably want to add "*.microsoft.com" in the "Add site to zone" dialog box so that you don't have to add each sub-domain separately. Obviously this increases risk if someone manages to spoof a bogus name like h4x0rz.microsoft.com, but that's a risk I'm willing to take.

Anyway, that's it for today. Thanks to the guys in SWI and IE for giving it this a once-over (they basically said "It looks OK but hacking zones is not supported and may break so we don't recommend anyone does it en masse").