Internet Explorer URL Action and Advanced Security Settings in Group Policy
Applies To: Windows Server 2003 with SP1
Note
The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the Enhanced Security Configuration on your server, these features will function as they do in Windows XP Service Pack 2.
Windows XP Service Pack 2 introduced true policies for the configurable actions in the Internet Explorer Security tab settings. In addition to incorporating these policies into Internet Explorer in Windows Server 2003 Service Pack 1, additional policies were created for selected configurable actions in the Internet Explorer Advanced tab, as well as for URL action policies in Locked-Down zones used only by the Network Protocol Lockdown security feature. In this release, these security settings are managed using the Group Policy Management Console and, if set, can only be changed by a Group Policy object (GPO) or by an administrator.
An updated Inetres.adm file contains a list of settings as policies, including Advanced settings, which are also found in the Internet Explorer user interface as preferences. Administrators can manage the new feature control policies by using Group Policy objects (GPOs). When Internet Explorer is installed, the default HKEY_CURRENT_USER preferences settings for these settings are registered on the computer as they were in previous versions. The Administrator has to use the Group Policy Management Console (GPMC) to add these settings as policies.
Group Policy administrators can uniformly configure the new Internet Explorer Advanced setting policies, as well as policies for Locked-Down security zones, for the computers and users that they manage. It is important to inform the end-user which actions are controlled by policy, as these actions will override user preference settings.
Note
The Internet Options control panel displays policy settings when opened, and users can interact with the user interface and appear to change their preferences. However, these preference changes do not override the Group Policy settings, which may cause a confusing user experience. The administrator can also set a policy to disable the Advanced page user interface so that it is clearer to the user that these settings cannot be changed. This is not an issue for the Locked-Down zones' settings, because they are not accessible through the user interface.
The following definitions apply to Internet Explorer settings for Windows Server 2003 with Service Pack 1:
Security zones: Locked-Down Intranet Zone, Locked-Down Trusted Sites Zone, Locked-Down Internet Zone, and Locked-Down Restricted Sites zone.
Templates: Standard settings for all URL actions in these security zones. A template can be applied to any zone and sets every URL action in that zone to one of a range of security levels: low, medium-low, medium, or high.
URL actions: Security settings in the registry that identify the action to take for that feature in the security zone where the URL resides. URL action settings include enable, disable, prompt, and others as appropriate.
URL action policies: URL action policies can be added individually by enabling the desired URL action policy, then selecting the setting for the policy registry key value. They can also be set by zone template.
Internet Explorer will look for a policy in the following order:
- HKEY_LOCAL_MACHINE policy hive
- HKEY_CURRENT_USER policy hive
- HKEY_CURRENT_USER preference hive
- HKEY_LOCAL_MACHINE preference hive
If Internet Explorer finds a policy in the HKEY_LOCAL_MACHINE policy hive, it stops and does not continue; that is the setting it respects. If Internet Explorer does not find a policy in HKEY_LOCAL_MACHINE policy hive, it looks in the HKEY_CURRENT_USER policy hive, and so on. The administrator can set a policy for one or more URL actions in one or more zones, and allow the end user to manage preferences for URL actions that do not require policy-level security management.
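As an added example (not code from the article), the following PowerShell function walks those four locations in that order for one URL action in one Locked-Down zone and reports which location supplied the value, so an administrator can confirm that a setting really is policy-controlled rather than a user preference. It uses the Lockdown_Zones policy key path given later in this article; the preference key path (the same path without the Policies element) and PowerShell 3.0 or later are assumptions.

```powershell
# Added example, not part of the original article: resolve the setting Internet Explorer
# honours for one URL action in one Locked-Down zone by checking the four registry
# locations in the order the article gives (HKLM policy, HKCU policy, HKCU preference,
# HKLM preference) and stopping at the first hit.
# The policy key path is the one listed in the article; the preference key path
# (same path without "Policies") is an assumption. Run on the computer being audited.

$ZoneNames = @{
    1 = 'Locked-Down Intranet'; 2 = 'Locked-Down Trusted Sites'
    3 = 'Locked-Down Internet'; 4 = 'Locked-Down Restricted Sites'
}

# Decoding of the DWORD data, taken from the article's Value / DWORD / Setting table.
# 0x00010000 reads "Administrator approved" for actions 1200 and 2000.
$SettingNames = @{
    0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable'
    65536 = 'High Safety'; 131072 = 'Medium Safety'; 196608 = 'Low Safety'
}

function Resolve-LockdownUrlAction {
    param(
        [Parameter(Mandatory = $true)][ValidateRange(1, 4)][int]$Zone,
        [Parameter(Mandatory = $true)][string]$Action   # value name, e.g. '1400' or '1A00'
    )
    $policyKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones'
    $prefKey   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones'  # assumption

    # Search order from the article; the first location that holds the value wins.
    $searchOrder = @(
        @{ Source = 'HKLM policy';     Path = "HKLM:\$policyKey\$Zone" },
        @{ Source = 'HKCU policy';     Path = "HKCU:\$policyKey\$Zone" },
        @{ Source = 'HKCU preference'; Path = "HKCU:\$prefKey\$Zone" },
        @{ Source = 'HKLM preference'; Path = "HKLM:\$prefKey\$Zone" }
    )
    foreach ($loc in $searchOrder) {
        # A missing key or value is not an error here; it means "not set at this level".
        $item = Get-ItemProperty -Path $loc.Path -Name $Action -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data  = [int]$item.$Action
        $label = if ($SettingNames.ContainsKey($data)) { $SettingNames[$data] } else { 'Custom / unknown' }
        return [pscustomobject]@{
            Zone    = $ZoneNames[$Zone]
            Action  = $Action
            Data    = ('0x{0:X8}' -f $data)
            Setting = $label
            Source  = $loc.Source
            Managed = ($loc.Source -like '* policy')   # true when a policy hive supplied it
        }
    }
    # Not set anywhere: IE uses the zone's built-in default (see the defaults table).
    return [pscustomobject]@{
        Zone = $ZoneNames[$Zone]; Action = $Action; Data = $null
        Setting = 'Built-in default'; Source = 'none'; Managed = $false
    }
}

# Is Active scripting (1400) in the Locked-Down Internet zone controlled by policy?
Resolve-LockdownUrlAction -Zone 3 -Action '1400' | Format-List
```

A result whose Source is a preference hive means the end user can still change that action; the article's recommendation is to set policy for all zones so that no action falls through to a preference.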
The new URL action policies have the same numeric values as their related preference keys. The following table provides a reference to these URL actions.
URL action flag name | Security setting UI | Numeric name |
---|---|---|
URLACTION_DOWNLOAD_SIGNED_ACTIVEX | Download signed ActiveX controls | 1001 |
URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX | Download unsigned ActiveX controls | 1004 |
URLACTION_ACTIVEX_RUN | Run ActiveX controls and plugins | 1200 |
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY | Initialize and script ActiveX controls not marked as safe | 1201 |
URLACTION_SCRIPT_RUN | Active scripting | 1400 |
URLACTION_SCRIPT_JAVA_USE | Scripting of Java applets | 1402 |
URLACTION_SCRIPT_SAFE_ACTIVEX | Script ActiveX controls marked safe for scripting | 1405 |
URLACTION_CROSS_DOMAIN_DATA | Access data sources across domains | 1406 |
URLACTION_SCRIPT_PASTE | Allow paste operations via script | 1407 |
URLACTION_HTML_SUBMIT_FORMS | Submit non-encrypted form data | 1601 |
URLACTION_HTML_FONT_DOWNLOAD | Font download | 1604 |
URLACTION_HTML_USERDATA_SAVE | Userdata persistence | 1606 |
URLACTION_HTML_SUBFRAME_NAVIGATE | Navigate sub-frames across different domains | 1607 |
URLACTION_HTML_META_REFRESH | Allow META REFRESH | 1608 |
URLACTION_HTML_MIXED_CONTENT | Display mixed content | 1609 |
URLACTION_SHELL_INSTALL_DTITEMS | Installation of desktop items | 1800 |
URLACTION_SHELL_MOVE_OR_COPY | Drag and drop or copy and paste files | 1802 |
URLACTION_SHELL_FILE_DOWNLOAD | File download | 1803 |
URLACTION_SHELL_VERB | Launching applications and files in an IFRAME | 1804 |
URLACTION_SHELL_POPUPMGR | Use Pop-up blocker | 1809 |
URLACTION_NETWORK_MIN | Logon | 1A00 |
URLACTION_CLIENT_CERT_PROMPT | Don't prompt for client certificate selection when no certificates or only one certificate exists | 1A04 |
URLACTION_JAVA_PERMISSIONS | Java permissions | 1C00 |
URLACTION_CHANNEL_SOFTDIST_PERMISSIONS | Software channel permissions | 1E05 |
URLACTION_BEHAVIOR_RUN | Script and Binary Behaviors | 2000 |
URLACTION_MANAGED_SIGNED | Run .NET Framework-reliant components signed with Authenticode | 2001 |
URLACTION_MANAGED_UNSIGNED | Run .NET Framework-reliant components not signed with Authenticode | 2004 |
URLACTION_FEATURE_MIME_SNIFFING | Open files based on content, not file extension | 2100 |
URLACTION_FEATURE_ZONE_ELEVATION | Web sites in less privileged Web content zones can navigate into this zone | 2101 |
URLACTION_FEATURE_WINDOW_RESTRICTIONS | Allow script-initiated windows without size or position constraints | 2102 |
URLACTION_AUTOMATIC_DOWNLOAD_UI | Automatic prompting for file downloads | 2200 |
URLACTION_AUTOMATIC_ACTIVEX_UI | Automatic prompting for ActiveX controls | 2201 |
URLACTION_ALLOW_RESTRICTEDPROTOCOLS | Allow active content over restricted protocols to access my computer | 2300 |
For more information about using URL action flags, see "URL Action Flags" on the MSDN Web site at https://go.microsoft.com/fwlink/?LinkId=32776.
The following table provides a reference to the setting options available for each URL action.
Numeric Name | URL Action Policy Setting Options |
---|---|
1001 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1004 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1200 | "Administrator approved"=0x00010000, "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1201 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1400 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1402 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1405 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1406 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1407 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1601 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1604 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1606 | "Enable"=0x00000000, "Disable"=0x00000003 |
1607 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1608 | "Enable"=0x00000000, "Disable"=0x00000003 |
1609 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1800 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1802 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1803 | "Enable"=0x00000000, "Disable"=0x00000003 |
1804 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
1809 | "Enable"=0x00000000, "Disable"=0x00000003 |
1A00 | "Anonymous logon"=0x00030000, "Automatic logon only in Intranet zone"=0x00020000, "Automatic logon with current user name and password"=0x00000000, "Prompt for user name and password"=0x00010000 |
1A04 | "Enable"=0x00000000, "Disable"=0x00000003 |
1C00 | "High safety"=0x00010000, "Medium safety"=0x00020000, "Low safety"=0x00030000, "Custom"=0x00800000, "Disable Java"=0x00000000 |
1E05 | "High Safety"=0x00010000, "Medium Safety"=0x00020000, "Low Safety"=0x00030000 |
2000 | "Enable"=0x00000000, "Administrator approved"=0x00010000, "Disable"=0x00000003 |
2001 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
2004 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
2100 | "Enable"=0x00000000, "Disable"=0x00000003 |
2101 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
2102 | "Enable"=0x00000000, "Disable"=0x00000003 |
2200 | "Enable"=0x00000000, "Disable"=0x00000003 |
2201 | "Enable"=0x00000000, "Disable"=0x00000003 |
2300 | "Enable"=0x00000000, "Disable"=0x00000003, "Prompt"=0x00000001 |
The decimal values, their DWORD form, and the setting each represents:

Value | DWORD | Setting |
---|---|---|
0 | 0x00000000 | Enable |
1 | 0x00000001 | Prompt |
3 | 0x00000003 | Disable |
65536 | 0x00010000 | High Safety |
131072 | 0x00020000 | Medium Safety |
196608 | 0x00030000 | Low Safety |
For descriptions for each of the URL policy settings, see "URL Action Flags" on the MSDN Web site at https://go.microsoft.com/fwlink/?LinkId=32777.
Each URL action has a default that is set in each zone and set when a specified template is applied. The default settings for each zone are described in the following table.
URL action numeric name | Locked-Down Restricted zone | Locked-Down Internet zone | Locked-Down Intranet zone | Locked-Down Trusted zone |
---|---|---|---|---|
1001 | 3 | 1 | 1 | 0 |
1004 | 3 | 3 | 3 | 3 |
1200 | 3 | 3 | 3 | 3 |
1201 | 3 | 3 | 3 | 3 |
1400 | 3 | 3 | 3 | 3 |
1402 | 3 | 0 | 0 | 0 |
1405 | 3 | 0 | 0 | 0 |
1406 | 3 | 3 | 1 | 0 |
1407 | 3 | 0 | 0 | 0 |
1601 | 1 | 1 | 0 | 0 |
1604 | 1 | 0 | 0 | 0 |
1606 | 3 | 0 | 0 | 0 |
1607 | 3 | 0 | 0 | 0 |
1608 | 3 | 0 | 0 | 0 |
1609 | 1 | 1 | 1 | 1 |
1800 | 3 | 1 | 1 | 0 |
1802 | 1 | 0 | 0 | 0 |
1803 | 3 | 0 | 0 | 0 |
1804 | 3 | 1 | 1 | 0 |
1809 | 0 | 0 | 3 | 3 |
1A00 | 65536 | 131072 | 131072 | 0 |
1A04 | 3 | 3 | 3 | 3 |
1C00 | 0 | 0 | 0 | 0 |
1E05 | 65536 | 131072 | 131072 | 196608 |
2000 | 3 | 65536 | 65536 | 65536 |
2001 | 3 | 3 | 3 | 3 |
2004 | 3 | 3 | 3 | 3 |
2100 | 3 | 3 | 3 | 3 |
2101 | 3 | 3 | 3 | 3 |
2102 | 3 | 3 | 3 | 3 |
2200 | 3 | 3 | 3 | 3 |
2201 | 3 | 3 | 3 | 3 |
2300 | 3 | 1 | 1 | 1 |
These paths locate the available Advanced settings in the Group Policy Management Console:
- HKEY_LOCAL_MACHINE policies for Advanced settings:
\Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
- HKEY_CURRENT_USER policies for Advanced settings:
\User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
These paths locate the security zone settings in the Group Policy Management Console:
- HKEY_LOCAL_MACHINE policies by security zone for URL actions:
\Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
- HKEY_CURRENT_USER policies by security zone for URL actions:
\User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
These paths locate the Advanced settings in policy and in preference in the Windows registry (in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER):
Advanced setting UI | Preference key name | Policy key name |
---|---|---|
Install on Demand (Internet Explorer) | HKCU\Software\Microsoft\Internet Explorer\Main\NoJITSetup | Software\Policies\Microsoft\Internet Explorer\Main\NoJITSetup |
Install on Demand (Other) | HKCU\Software\Microsoft\Internet Explorer\Main\NoWebJITSetup | Software\Policies\Microsoft\Internet Explorer\Main\NoWebJITSetup |
Third-party Browser Extensions | HKCU\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions | Software\Policies\Microsoft\Internet Explorer\Main\Enable Browser Extensions |
Automatically check for IE Updates | HKCU\Software\Microsoft\Internet Explorer\Main\NoUpdateCheck | Software\Policies\Microsoft\Internet Explorer\Main\NoUpdateCheck |
Play Animations in Web Pages | HKCU\Software\Microsoft\Internet Explorer\Main\Play_Animations | Software\Policies\Microsoft\Internet Explorer\Main\Play_Animations |
Play Sounds in Web Pages | HKCU\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds | Software\Policies\Microsoft\Internet Explorer\Main\Play_Background_Sounds |
Play Videos in Web Pages | HKCU\Software\Microsoft\Internet Explorer\Main\Display Inline Videos | Software\Policies\Microsoft\Internet Explorer\Main\Display Inline Videos |
Allow software to run or install even if the signature is invalid | HKCU\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures | Software\Policies\Microsoft\Internet Explorer\Download\RunInvalidSignatures |
Allow active content from CDs to run on user machines | HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LocalMachine_CD_Unlock | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LocalMachine_CD_Unlock |
Check for Server Certificate Revocation | HKCU\Software\Microsoft\Internet Explorer\Download\CertificateRevocation | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation |
Check for Signatures on Downloaded Programs | HKCU\Software\Microsoft\Internet Explorer\Main\CheckExeSignatures | Software\Policies\Microsoft\Internet Explorer\Main\CheckExeSignatures |
Do Not Save Encrypted Pages to Disk | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages |
Empty Temporary Internet Files Folder When Browser is Closed | HKCU\Software\Microsoft\Internet Explorer\Cache\Persistent | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Persistent |
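As an added example (not code from the article), the following PowerShell reads a handful of the security-relevant rows from the table above from both Policies hives and from the HKCU preference, and applies the lookup order the article describes (HKLM policy, then HKCU policy, then preference) to show which value is effective and whether the user can still change it. The paths are the ones in the table; the split of each path into key and value name, and PowerShell 3.0 or later, are assumptions.

```powershell
# Added example, not part of the original article: audit Advanced settings listed in the
# table above by reading the policy value from both Policies hives and the HKCU
# preference, then applying the article's lookup order (HKLM policy, HKCU policy,
# preference). Paths are those in the table; the value name is the last path element.

function Split-RegistryPath([string]$Path) {
    # "...\Main\NoJITSetup" -> key "...\Main", value name "NoJITSetup"
    $i = $Path.LastIndexOf('\')
    return @{ Key = $Path.Substring(0, $i); Value = $Path.Substring($i + 1) }
}

function Get-RegistryData([string]$Hive, [string]$Path) {
    $p = Split-RegistryPath $Path
    # A missing key or value simply means "not set in this hive"; report $null then.
    $item = Get-ItemProperty -Path "$($Hive):\$($p.Key)" -Name $p.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.($p.Value)
}

function Get-IEAdvancedSettingState([string]$Label, [string]$PrefPath, [string]$PolicyPath) {
    $hklm = Get-RegistryData 'HKLM' $PolicyPath
    $hkcu = Get-RegistryData 'HKCU' $PolicyPath
    $pref = Get-RegistryData 'HKCU' $PrefPath
    # First policy hive that holds the value wins; otherwise the user's preference applies.
    $effective = if ($null -ne $hklm) { $hklm } elseif ($null -ne $hkcu) { $hkcu } else { $pref }
    [pscustomobject]@{
        Setting    = $Label
        HKLMPolicy = $hklm
        HKCUPolicy = $hkcu
        Preference = $pref
        Effective  = $effective
        Managed    = ($null -ne $hklm) -or ($null -ne $hkcu)   # user cannot override these
    }
}

# Security-relevant rows from the table (preference path relative to HKCU,
# policy path relative to either hive).
$IE     = 'Software\Microsoft\Internet Explorer'
$IEPol  = 'Software\Policies\Microsoft\Internet Explorer'
$WinPol = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$rows = @(
    @('Allow software to run or install even if the signature is invalid',
      "$IE\Download\RunInvalidSignatures", "$IEPol\Download\RunInvalidSignatures"),
    @('Check for Signatures on Downloaded Programs',
      "$IE\Main\CheckExeSignatures", "$IEPol\Main\CheckExeSignatures"),
    @('Check for Server Certificate Revocation',
      "$IE\Download\CertificateRevocation", "$WinPol\CertificateRevocation"),
    @('Third-party Browser Extensions',
      "$IE\Main\Enable Browser Extensions", "$IEPol\Main\Enable Browser Extensions"),
    @('Do Not Save Encrypted Pages to Disk',
      'Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages',
      "$WinPol\DisableCachingOfSSLPages")
)
$rows | ForEach-Object { Get-IEAdvancedSettingState $_[0] $_[1] $_[2] } | Format-Table -AutoSize
```

Rows where Managed is False are the settings an end user (or any process running as that user) can still change by editing the preference key.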
These paths locate the security zone settings in policy and in preference in the Windows registry (in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER):
- Location of Locked-Down Intranet zone policy values:
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
- Location of Locked-Down Trusted Sites policy:
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
- Location of Locked-Down Internet zone policy values:
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
- Location of Locked-Down Restricted Sites policy values:
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
- Location of Locked-Down Intranet zone template:
Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings
- Location of Locked-Down Trusted Sites template:
Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings
- Location of Locked-Down Internet zone template:
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings
- Location of Locked-Down Restricted Sites template:
Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings
Group Policy is the recommended tool for managing Internet Explorer for client computers on a corporate network. Internet Explorer supports Group Policy management for all new Internet Explorer Feature Controls in Windows Server 2003 Service Pack 1, and for Security page settings or URL actions. Administrators of Group Policy can manage these new policy settings in the Administrative Templates extension of the Group Policy Management Console.
When implementing policy settings, it is recommended that you configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific client computers.
Policies can be read by users but can only be changed via Group Policy management or by an administrator. Preference settings can be changed programmatically, by editing the registry, or, in the case of URL actions, by using Internet Explorer. Settings specified by Group Policy take precedence over settings specified using preferences.
By adding the new Advanced setting policies and Locked-Down security policies to Group Policy, administrators can manage these true policies to establish standard settings for all the computers that they configure. The administrator can control these settings in such a way that they cannot be changed except through Group Policy or by a user with administrator privileges, thus ensuring that security and certain Advanced settings are not set by end users.
Windows Server 2003 Service Pack 1 adds new policies to Group Policy but does not change how policies are managed. Developers need to be aware of how each Feature Control and URL action setting or setting combination affects security-related behavior for their applications in each security zone.
For greater security, the administrator should enable policies for all zones, so that each zone has a known configuration set by policy rather than an unknown setting read from HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER preferences that are not set by policy. If the administrator sets policies for all zones, we recommend also enabling the policy that disables the Security page, which makes that user interface in Internet Explorer unavailable.
The administrator should also understand the Feature Control policy settings. Some of the URL action settings will not be valid unless the corresponding Feature Control policy is enabled. Internet Explorer checks to see whether the feature is enabled, and if it is, then looks for the setting for the action based on the security zone of the URL.
The method for adding Zone Map keys to policy is as follows:
- To set computer policy, go to \Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page within Group Policy. To set user policy, go to \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page within Group Policy.
- Select the Site to Zone Assignment List policy.
- Select Enabled and click Show…
- For each site you would like to map:
  - Click Add…
  - Enter the name, IP address, or IP range of the site you want to map (for example, https://www.contoso.com, www.contoso.com, 127.0.0.1, 127.0.0.1-10).
  - Enter the value identifying the zone to which this site should be mapped. The choices are (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, (4) Restricted Sites zone.
  - Click OK.
  - The site name and value should appear in the list.
- Click OK in the Show Contents window.
- Click OK again to close the Site to Zone Assignment List Properties window.
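As an added example (not code from the article), the following PowerShell lists the site-to-zone pairs that the Site to Zone Assignment List policy has written on a computer, decodes each zone number with the (1)-(4) mapping given in the steps above, and flags entries whose number does not resolve to a zone. The ZoneMapKey registry location is an assumption, as the article does not name where this policy stores its entries; PowerShell 3.0 or later is also assumed.

```powershell
# Added example, not part of the original article: show what the Site to Zone Assignment
# List policy actually wrote, for both computer (HKLM) and user (HKCU) policy, and decode
# each zone number with the article's mapping. The ZoneMapKey path is an assumption.

$ZoneByNumber = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }

function Get-SiteToZoneAssignments {
    $results = @()
    foreach ($hive in 'HKLM', 'HKCU') {
        $scope = if ($hive -eq 'HKLM') { 'Computer' } else { 'User' }
        # assumption: the policy stores one value per site (name = site, data = zone number)
        $key = "$($hive):\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # policy not applied in this hive
        # Skip the PS* note properties that Get-ItemProperty adds (PSPath, PSParentPath, ...)
        foreach ($prop in ($item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $zone = [string]$prop.Value
            $name = if ($ZoneByNumber.ContainsKey($zone)) { $ZoneByNumber[$zone] } else { 'INVALID' }
            $results += [pscustomobject]@{
                Scope    = $scope
                Site     = $prop.Name
                Zone     = $zone
                ZoneName = $name
            }
        }
    }
    return $results
}

Get-SiteToZoneAssignments | Sort-Object Scope, Site | Format-Table -AutoSize
```

On a server with the Internet Explorer Enhanced Security Configuration component installed these entries are present in the registry but ignored, as the note that follows explains, so an empty or populated list here does not by itself prove what zone a site lands in.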
Note
Policies created by following these instructions are ignored by computers with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed. To set zone map policy on a computer with Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed, use the Internet Explorer Maintenance (IEM) snap-in to Group Policy. When using the IEM to create a Group Policy object to apply to a computer with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed, you must be using a computer with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed.
Note
For more information about using Group Policy, see "Implementing Registry-based Group Policy" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=28188. For more information about using Internet Explorer security zone and privacy settings, see "Description of Internet Explorer Security Zones Registry Entries" on the Microsoft Knowledge Base Web site at https://go.microsoft.com/fwlink/?LinkId=28195.