Export (0) Print
Expand All
Expand Minimize

Event 1024 - Binary Behaviors Restrictions

Published: June 11, 2010

Updated: June 11, 2010

Applies To: Windows 7, Windows Vista

Internet Explorer® contains dynamic binary behaviors: components attached to HTML elements, which encapsulate specific functionality. Internet Explorer security settings do not control binary behaviors, so the components can work on Web pages in the Restricted Sites zone. The Binary Behavior Restriction security feature disables the binary behavior in the Restricted Sites zone by default. In combination with the Local Machine Lockdown security feature, you require administrative approval for binary behaviors to run in the Local Machine zone by default.

noteNote
Binary behaviors differ from attached behaviors and element behaviors, which are written in script. For more information, see the Introduction to DHTML Behaviors and About Element Behaviors topics.

When Is This Event Logged?

This event is logged when a binary behavior is triggered in the Restricted Sites zone.

noteNote
For more information and examples, see the Event 1024-Binary Behaviors Restrictions topic from Internet Explorer Application Compatibility.

Remediation

After the security feature control is enabled for a process, the value of the URL action flag URLACTION_BEHAVIOR_RUN determines whether binary behaviors are allowed to run. This flag can be set differently for each security zone. The default value for this flag is URLPOLICY_ALLOW for all zones except the Restricted Sites zone. In the Restricted Sites zone, the default value is URLPOLICY_DISALLOW.

The following table shows the new settings for turning on or off the existing binary behavior's functionality.

 

Setting name Location Previous default Default value Possible values

*

HKCU{LM}\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BINARY_BEHAVIOR_LOCKDOWN

None

1

0 (Off)

1 (On)

2000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

None

3 (Disabled for Restricted zone)

0 (Enabled for all other zones)

3 (Disabled)

0 (Enabled)

noteNote
The asterisk (*) is used to indicate that all processes are enabled for this feature control setting by default. You can also modify the binary behaviors setting through Group Policy as part of the Internet Explorer Security Zones and Content Ratings setting.

Applications that host the WebBrowser control and use Internet Explorer functionality in the Restricted Sites zone might be affected. For example, e-mail applications that use a binary behavior to render HTML e-mail in the Restricted Sites zone might require modification.

You manage the restrictions through a security feature-control registry key (FEATURE_BEHAVIORS). Internet Explorer (Iexplore.exe) and Windows® Explorer (Explorer.exe) are enabled by default. The following shows where to add the registry keys:

  • HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS\iexplore.exe= 0x00000001

  • HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS\explorer.exe= 0x00000001

  • HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS\process name.exe=0x00000001

Applications that host the WebBrowser control can also take advantage of the security feature control by adding their process to the same registry locations. You can do this programmatically by using the CoInternetSetFeatureEnabled function.

noteNote
If an application does not run under this security feature control, the WebBrowser control behaves the same as previous versions of Internet Explorer.

Binary Behavior Restriction Setting

The Binary Behavior Restriction security feature creates a new URL action setting, Binary and Script Behaviors, in each Internet Explorer security zone. The default value for this setting is Enable for all zones except the Restricted Sites zone and the Locked-Down Local Machine zone. In the Restricted Sites zone, the default value is Disable. In the Locked-Down Local Machine zone, the default value is Administrator-approved.

Automatic Download Blocking and the Registry

Applications that host the WebBrowser control and use Internet Explorer functionality in the Restricted Sites zone might be affected. For example, e-mail applications that use a binary behavior to render HTML e-mail in the Restricted Sites zone might require modification.

How Can I Work Around This Problem?

To use binary behaviors from the Restricted Sites zone, an application can also implement a custom security manager. For more information about URL security zones, see the About URL Security Zones topic on MSDN.

What Happens If I Disable This Security Feature?

This setting helps prevent attacks from malicious binary behaviors and allows the user to control the use of binary behaviors on a per-zone basis. Disabling this feature should only be used as a temporary measure during troubleshooting, to compare the behavior of the application when the feature is enabled and when it is disabled. It is not recommended that this feature be left disabled on an ongoing basis.

See Also

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft