Internet Explorer Using Feature Control Registry Settings with Security Zone Settings
Applies To: Windows Server 2003 with SP1
|The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.|
What do Feature Control Registry Settings and Security Zone Settings do?
Feature Control registry settings are provided for Internet Explorer so that a specific process can be configured to opt-in to a particular security feature. Each security feature has a corresponding registry key that you can use to opt-in or opt-out of the security feature.
When a process has been configured to use a security feature, the security feature is running. Once the feature is running, there might be corresponding security zone settings that can be applied for more precision. Some security features do not have additional security zone settings.
In the Security Settings tab of Internet Options, the user can adjust these settings for many of the new feature controls. If you select Enable, it lowers the security settings and allows the behavior to run less securely, or in the same manner as it did in previous version of Internet Explorer. The feature control can be applied again by setting the security zone setting to Disable, which blocks the less-secure behavior while the feature control is enabled for that process.
Each of the Feature Controls is discussed in more detail in this document. For more information about URL action settings and how they relate to security zones, see "About URL Security Zones Templates" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=26001.
Using security zone settings for a feature provides additional precision in control for security features in Internet Explorer and can help manage application compatibility for organizational intranet applications. A user or administrator can select different behaviors based on risk.
Who does this feature apply to?
Web application developers need to be aware that the Internet Explorer security settings are dependent on the zone in which an application is run. Therefore, you should assign security zones carefully; this should be a part of your information security considerations. The security zones that you use should also be considered when assessing application compatibility.
Administrators of Group Policy may want to adjust the default values for each zone to suit the particular environments in their organization.
Unless prevented by policies in Group Policy, users can manage the values for these security zone settings (or URL actions) for each zone through Internet Options in Control Panel. Note that the Local Machine zone is not available through Control Panel. To access the security settings for a zone, click Start, click Control Panel, click Internet Options, click the Security tab, click a Web security zone, and then click Custom Level.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
Feature control registry settings
Windows Server 2003 Service Pack 1 introduces new feature control registry settings.
For many of these features, when the registry setting is on, users can configure the security settings (also known as URL action flags) to fine tune the feature control in each individual security zone
If you choose Enable as the action to take for an Internet Explorer feature control, the zone is secured as it was for the previous version of Internet Explorer. Relevant security control features will not apply in this zone; the security zone will run without the added layer of security provided by this feature.
If you choose to disable the security zone setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.
Security settings are often applied to a zone by a URL security zone template. The default values for the security settings and the settings by zone template are listed in the section Internet Explorer URL Action and Advanced Security Settings in Group Policy.
Why is this change important? What threats does it help mitigate?
As originally envisioned, each feature control setting would either be on or off for all security zones. Customer feedback indicated that more precise tuning with the settings was necessary for some features. For example, the internal workflow of some organizations depends on intranet applications. A feature control that protects users in the Internet zone may cause an intranet application to stop working. Because of this, Microsoft has incorporated the ability to control many security settings by zone.
What works differently?
Adding security settings by zone provides more flexibility in applying the new security features. This flexibility will provide a more manageable implementation of this new security feature, particularly in intranet scenarios.
How do I resolve these issues?
If the feature control setting is suspected of causing problems for an application, changing the feature control setting in the zone where the application is running to Enable allows the administrator or user to return to the previous behavior in that zone for that specific feature while maintaining the more secure behavior in other security zones. For some security settings, additional configuration options such as Prompt and Admin-approved are available, as well as Enable and Disable.
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
If the code uses the default URLmon security manager, the developer must call
CoInternetIsFeatureEnabledForURL to check the security settings for a particular zone.