Event 1030 - Local Machine Zone Lockdown (LMZL)

Applies To: Windows 7, Windows Vista

Local Machine Zone Lockdown secures the Local Machine zone, by tightening restrictions on several URL actions. Any time one of these URL actions is attempted, a new security user interface (UI) element, called the Information Bar, appears. The user can click the Information Bar to remove the lockdown from the restricted content.

The following table shows the seven URL actions that are more restrictive in the Lockdown zone than in the Local Machine zone.

URL ACTION URL POLICY

URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY

URLPOLICY_DISALLOW

URLACTION_ACTIVEX_RUN

URLPOLICY_DISALLOW

URLACTION_BEHAVIOR_RUN

URLPOLICY_DISALLOW

URLACTION_CLIENT_CERT_PROMPT

URLPOLICY_DISALLOW

URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX

URLPOLICY_DISALLOW

URLACTION_JAVA_PERMISSIONS

URLPOLICY_JAVA_PROHIBIT

URLACTION_SCRIPT_RUN

URLPOLICY_DISALLOW

Note

For more information on URL actions and pointers to what they mean, see the Introduction to URL Security Zones topic on MSDN.

When Is This Event Logged?

This event is logged any time a Web page attempts to perform a restricted URL action.

Note

For more information and examples, see the Event 1030-Local Machine Zone Lockdown (LMZL) topic from Internet Explorer Application Compatibility.

Remediation

If your Web page runs a Microsoft® ActiveX® control or script, you can add a Mark of the Web comment to the HTML of the page. Mark of the Web is a Windows® Internet Explorer® feature that forces the HTML file into the security zone of the specified URL. This enables the Web page to run the script or ActiveX control in a less restrictive zone. This only works for Internet Explorer 4.0 and later.

Use the following comment to insert a Mark of the Web comment into a page with an identified domain, replacing http://www.fabrikam.com with the URL of the Internet or intranet domain where the page is hosted.

<!--saved from url= <http://www.fabrikam.com> -->

Use the following comment when you need to insert a generic Mark of the Web.

<!--saved from <url=about:internet>-->

With Microsoft Internet Explorer 6 and later, you can use the Mark of the Web comment with multipart HTML (.mht) files.

Note

You host HTML application (.hta) files in a different process; therefore, they are not impacted by the Local Machine zone lockdown.

Local Machine Zone Lockdown and the Registry

You manage the Local Machine zone lockdown restrictions through a security feature-control registry key (FEATURE_LOCALMACHINE_LOCKDOWN). Internet Explorer (Iexplore.exe) and Windows Explorer (Explorer.exe) run under this feature control by default. The following shows the registry keys and the enabled processes:

  • HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe= 0x00000001

  • HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\explorer.exe= 0x00000001

  • HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\process name.exe=0x00000001

How Can I Work Around This Problem?

The user can also configure the restrictions associated with the zones, through Internet Options on the Tools menu.

What Happens If I Disable This Security Feature?

This setting prevents content on a user's computer from elevating privilege. Code with elevated privilege can then run any code through an ActiveX control or read information with a script.

See Also

Concepts

Known Internet Explorer Security Feature Issues
Internet Explorer Compatibility Test Tool