Internet Explorer URL Action and Advanced Security Settings in Group Policy

Internet Explorer URL Action and Ad...

Applies To: Windows Server 2003 with SP1

Note
The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the Enhanced Security Configuration on your server, these features will function as they do in Windows XP Service Pack 2.

Note

The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the Enhanced Security Configuration on your server, these features will function as they do in Windows XP Service Pack 2.

What does Internet Explorer Settings in Group Policy do?

Windows XP Service Pack 2 introduced true policies for the configurable actions in the Internet Explorer Security tab settings. In addition to incorporating these policies into Internet Explorer in Windows Server 2003 Service Pack 1, additional policies were created for selected configurable actions in the Internet Explorer Advanced tab, as well as for URL action policies in Locked-Down zones used only by the Network Protocol Lockdown security feature. In this release, these security settings are managed using the Group Policy Management Console and, if set, can only be changed by a Group Policy object (GPO) or by an administrator.

An updated Inetres.adm file contains a list of settings as policies, including Advanced settings, which are also found in the Internet Explorer user interface as preferences. Administrators can manage the new feature control policies by using Group Policy objects (GPOs). When Internet Explorer is installed, the default HKEY_CURRENT_USER preferences settings for these settings are registered on the computer as they were in previous versions. The Administrator has to use the Group Policy Management Console (GPMC) to add these settings as policies.

Who does this feature apply to?

Group Policy administrators can uniformly configure the new Internet Explorer Advanced setting policies, as well as policies for Locked-Down security zones, for the computers and users that they manage. It is important to inform the end-user which actions are controlled by policy, as these actions will override user preference settings.

Note
The Internet Options control panel will display policy settings when opened and users can interact with user interface and appear to change their preferences. However, these preferences will not actually override Group Policy settings, which may cause a confusing user experience. The administrator can also set a policy to disable the Advanced page user interface so that it is clearer to the user that these settings are not available to be changed. This is not an issue for the Locked-Down zones' settings as they are not accessible through the user interface.

Note

The Internet Options control panel will display policy settings when opened and users can interact with user interface and appear to change their preferences. However, these preferences will not actually override Group Policy settings, which may cause a confusing user experience. The administrator can also set a policy to disable the Advanced page user interface so that it is clearer to the user that these settings are not available to be changed. This is not an issue for the Locked-Down zones' settings as they are not accessible through the user interface.

What existing functionality is changing in Windows Server 2003 Service Pack 1?

Group Policy Internet Explorer advanced settings

Detailed description

The following definitions apply to Internet Explorer settings for Windows Server 2003 with Service Pack 1:

Security zones: Locked-Down Intranet Zone, Locked-Down Trusted Sites Zone, Locked-Down Internet Zone, and Locked-Down Restricted Sites zone.
Templates: Standard settings for all URL actions in these security zones. Templates can be applied in any zone, and settings will provide a range of choices from low security, medium-low, medium, and up to high security for the zone.
URL actions: Security settings in the registry that identify the action to take for that feature in the security zone where the URL resides. URL action settings include enable, disable, prompt, and others as appropriate.
URL action policies: URL action policies can be added individually by enabling the desired URL action policy, then selecting the setting for the policy registry key value. They can also be set by zone template.

Internet Explorer will look for a policy in the following order:

HKEY_LOCAL_MACHINE policy hive
HKEY_CURRENT_USER policy hive
HKEY_CURRENT_USER preference hive
HKEY_LOCAL_MACHINE preference hive

If Internet Explorer finds a policy in the HKEY_LOCAL_MACHINE policy hive, it stops and does not continue; that is the setting it respects. If Internet Explorer does not find a policy in HKEY_LOCAL_MACHINE policy hive, it looks in the HKEY_CURRENT_USER policy hive, and so on. The administrator can set a policy for one or more URL actions in one or more zones, and allow the end user to manage preferences for URL actions that do not require policy-level security management.

Policy values for URL action

The new URL action policies have the same numeric values as their related preference keys. The following table provides a reference to these URL actions.

URL action flag name	Security setting UI	Numeric name
URLACTION_DOWNLOAD_SIGNED_ACTIVEX	Download signed ActiveX controls	1001
URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX	Download unsigned ActiveX controls	1004
URLACTION_ACTIVEX_RUN	Run ActiveX controls and plugins	1200
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY	Initialize and script ActiveX controls not marked as safe	1201
URLACTION_SCRIPT_RUN	Active scripting	1400
URLACTION_SCRIPT_JAVA_USE	Scripting of Java applets	1402
URLACTION_SCRIPT_SAFE_ACTIVEX	Script ActiveX controls marked safe for scripting	1405
URLACTION_CROSS_DOMAIN_DATA	Access data sources across domains	1406
URLACTION_SCRIPT_PASTE	Allow paste operations via script	1407
URLACTION_HTML_SUBMIT_FORMS	Submit non-encrypted form data	1601
URLACTION_HTML_FONT_DOWNLOAD	Font download	1604
URLACTION_HTML_USERDATA_SAVE	Userdata persistence	1606
URLACTION_HTML_SUBFRAME_NAVIGATE	Navigate sub-frames across different domains	1607
URLACTION_HTML_META_REFRESH	Allow META REFRESH	1608
URLACTION_HTML_MIXED_CONTENT	Display mixed content	1609
URLACTION_SHELL_INSTALL_DTITEMS	Installation of desktop items	1800
URLACTION_SHELL_MOVE_OR_COPY	Drag and drop or copy and paste files	1802
URLACTION_SHELL_FILE_DOWNLOAD	File download	1803
URLACTION_SHELL_VERB	Launching applications and files in an IFRAME	1804
URLACTION_SHELL_POPUPMGR	Use Pop-up blocker	1809
URLACTION_NETWORK_MIN	Logon	1A00
URLACTION_CLIENT_CERT_PROMPT	Don't prompt for client certificate selection when no certificates or only one certificate exists	1A04
URLACTION_JAVA_PERMISSIONS	Java permissions	1C00
URLACTION_CHANNEL_SOFTDIST_PERMISSIONS	Software channel permissions	1E05
URLACTION_BEHAVIOR_RUN	Script and Binary Behaviors	2000
URLACTION_MANAGED_SIGNED	Run .NET Framework-reliant components signed with Authenticode	2001
URLACTION_MANAGED_UNSIGNED	Run .NET Framework-reliant components not signed with Authenticode	2004
URLACTION_FEATURE_MIME_SNIFFING	Open files based on content, not file extension	2100
URLACTION_FEATURE_ZONE_ELEVATION	Web sites in less privileged Web content zones can navigate into this zone	2101
URLACTION_FEATURE_WINDOW_RESTRICTIONS	Allow script-initiated windows without size or position constraints	2102
URLACTION_AUTOMATIC_DOWNLOAD_UI	Automatic prompting for file downloads	2200
URLACTION_AUTOMATIC_ACTIVEX_UI	Automatic prompting for ActiveX controls	2201
URLACTION_ALLOW_RESTRICTEDPROTOCOLS	Allow active content over restricted protocols to access my computer	2300

For more information about using URL action flags, see "URL Action Flags" on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=32776.

The following table provides a reference to the setting options available for each URL action.

Numeric Name	URL Action Policy Setting Options
1001	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1004	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1200	"Administrator approved"=0x00010000 "Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1201	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1400	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1402	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1405	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1406	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1407	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1601	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1604	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1606	"Enable"=0x00000000 "Disable"=0x00000003
1607	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1608	"Enable"=0x00000000 "Disable"=0x00000003
1609	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1800	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1802	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1803	"Enable"=0x00000000 "Disable"=0x00000003
1804	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
1809	"Enable"=0x00000000 "Disable"=0x00000003
1A00	"Anonymous logon"=0x00030000 "Automatic logon only in Intranet zone"=0x00020000 "Automatic logon with current user name and password"=0x00000000 "Prompt for user name and password"=0x00010000
1A04	"Enable"=0x00000000 "Disable"=0x00000003
1C00	"High safety"=0x00010000 "Medium safety"=0x00020000 "Low safety"=0x00030000 "Custom"=0x00800000 "Disable Java"=0x00000000
1E05	"High Safety"=0x00010000 "Medium Safety"=0x00020000 "Low Safety"=0x00030000
2000	"Enable"=0x00000000 "Administrator approved"=0x00010000 "Disable"=0x00000003
2001	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
2004	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
2100	"Enable"=0x00000000 "Disable"=0x00000003
2101	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001
2102	"Enable"=0x00000000 "Disable"=0x00000003
2200	"Enable"=0x00000000 "Disable"=0x00000003
2201	"Enable"=0x00000000 "Disable"=0x00000003
2300	"Enable"=0x00000000 "Disable"=0x00000003 "Prompt"=0x00000001

Key for numeric translation of URL policy settings

Value	DWORD	Setting
0	0x00000000	Enable
1	0x00000001	Prompt
3	0x00000003	Disable
65536	0x00010000	High Safety
131072	0x00020000	Medium Safety
196608	0x00030000	Low Safety

For descriptions for each of the URL policy settings, see "URL Action Flags" on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=32777.

Default settings for each URL action in zones and templates

Each URL action has a default that is set in each zone and set when a specified template is applied. The default settings for each zone are described in the following table.

URL action default settings

URL action numeric name	Locked-Down Restricted zone	Locked-Down Internet zone	Locked-Down Intranet zone	Locked-Down Trusted zone
1001	3	1	1	0
1004	3	3	3	3
1200	3	3	3	3
1201	3	3	3	3
1400	3	3	3	3
1402	3	0	0	0
1405	3	0	0	0
1406	3	3	1	0
1407	3	0	0	0
1601	1	1	0	0
1604	1	0	0	0
1606	3	0	0	0
1607	3	0	0	0
1608	3	0	0	0
1609	1	1	1	1
1800	3	1	1	0
1802	1	0	0	0
1803	3	0	0	0
1804	3	1	1	0
1809	0	0	3	3
1A00	65536	131072	131072	0
1A04	3	3	3	3
1C00	0	0	0	0
1E05	65536	131072	131072	196608
2000	3	65536	65536	65536
2001	3	3	3	3
2004	3	3	3	3
2100	3	3	3	3
2101	3	3	3	3
2102	3	3	3	3
2200	3	3	3	3
2201	3	3	3	3
2300	3	1	1	1

Group Policy Settings Paths

These paths locate the available Advanced settings in the Group Policy Management Console:

HKEY_LOCAL_MACHINE policies for Advanced settings:

\Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

HKEY_CURRENT_USER policies for Advanced settings:

\User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

These paths locate the security zone settings in the Group Policy Management Console:

HKEY_LOCAL_MACHINE policies by security zone for URL actions:

\Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

HKEY_CURRENT_USER policies by security zone for URL actions:

\User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

These paths locate the Advanced settings in policy and in preference in the Windows registry (in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER):

Advanced setting UI	Preference key name	Policy key name
Install on Demand (Internet Explorer)	HKCU \Software \Microsoft\Internet Explorer\Main \NoJITSetup	Software\Policies\Microsoft\Internet Explorer\Main\NoJITSetup
Install on Demand (Other)	HKCU\Software\Microsoft\Internet Explorer\Main \NoWebJITSetup	Software\Policies\Microsoft\Internet Explorer\Main\NoWebJITSetup
Third-party Browser Extensions	HKCU\Software \Microsoft\Internet Explorer\Main\Enable Browser Extensions	Software\Policies \Microsoft\Internet Explorer\Main\Enable Browser Extensions
Automatically check for IE Updates	HKCU\Software \Microsoft\Internet Explorer\Main \NoUpdateCheck	Software\Policies \Microsoft\Internet Explorer\Main \NoUpdateCheck
Play Animations in Web Pages	HKCU\Software \Microsoft\Internet Explorer\Main \Play_Animations	Software\Policies \Microsoft\Internet Explorer\Main \Play_Animations
Play Sounds in Web Pages	HKCU\Software \Microsoft\Internet Explorer\Main \Play_Background_Sounds	Software\Policies \Microsoft\Internet Explorer\Main \Play_Background_Sounds
Play Videos in Web Pages	HKCU\Software \Microsoft\Internet Explorer\Main\Display Inline Videos	Software\Policies \Microsoft\Internet Explorer\Main\Display Inline Videos
Allow software to run or install even if the signature is invalid	HKCU\Software \Microsoft\Internet Explorer\Download \RunInvalidSignatures	Software\Policies \Microsoft\Internet Explorer\Download \RunInvalidSignatures
Allow active content from CDs to run on user machines	HKCU\Software \Microsoft\Internet Explorer\Main \FeatureControl \FEATURE_LOCALMACHINE_LOCKDOWN \Settings \LocalMachine_CD_Unlock	\Software\Policies \Microsoft\Internet Explorer\Main \FeatureControl \FEATURE_LOCALMACHINE_LOCKDOWN \Settings \LocalMachine_CD_Unlock
Check for Server Certificate Revocation	HKCU\Software \Microsoft\Internet Explorer\Download \CertificateRevocation	Software\Policies \Microsoft\Windows \CurrentVersion \InternetSettings \CertificateRevocation
Check for Signatures on Downloaded Programs	HKCU\Software \Microsoft\Internet Explorer\Main\ CheckExeSignatures	Software\Policies \Microsoft\Internet Explorer\Main\ CheckExeSignatures
Do Not Save Encrypted Pages to Disk	HKCU\Software \Microsoft\Windows \CurrentVersion \InternetSettings \DisableCachingOfSSLPages	Software\Policies \Microsoft\Windows \CurrentVersion \InternetSettings \DisableCachingOfSSLPages
Empty Temporary Internet Files Folder When Browser is Closed	HKCU\Software \Microsoft\Internet Explorer\Cache \Persistent	Software\Policies \Microsoft\Windows \CurrentVersion \InternetSettings\Cache \Persistent

These paths locate the security zone settings in policy and in preference in the Windows registry (in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER):

Location of Locked-Down Intranet zone policy values:

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1

Location of Locked-Down Trusted Sites policy:

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2

Location of Locked-Down Internet zone policy values:

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3

Location of Locked-Down Restricted Sites policy values:

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4

Location of Locked-Down Intranet zone template:

Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings

Location of Locked-Down Trusted Sites template:

Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings

Location of Locked-Down Internet zone template:

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings

Location of Locked-Down Restricted Sites template:

Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings

Configuring policies and preferences

Group Policy is the recommended tool for managing Internet Explorer for client computers on a corporate network. Internet Explorer supports Group Policy management for all new Internet Explorer Feature Controls in Windows Server 2003 Service Pack 1, and for Security page settings or URL actions. Administrators of Group Policy can manage these new policy settings in the Administrative Templates extension of the Group Policy Management Console.

When implementing policy settings, it is recommended that you configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific client computers.

Policies can be read by users but can only be changed by via Group Policy management or by an administrator. Preference settings can be changed programmatically, by editing the registry, or in the case of URL actions, by using Internet Explorer. Settings specified by Group Policy take precedence over settings specified using preferences.

Why is this change important?

By adding the new Advanced setting policies and Locked-Down security policies to Group Policy, administrators can manage these true policies to establish standard settings for all the computers that they configure. The administrator can control these settings in such a way that they cannot be changed except through Group Policy or by a user with administrator privileges, thus ensuring that security and certain Advanced settings are not set by end users.

Do I need to change my code to work with Windows Server 2003 Service Pack 1?

Windows Server 2003 Service Pack 1 adds new policies to Group Policy but does not change how policies are managed. Developers need to be aware of how each Feature Control and URL action setting or setting combination affects security-related behavior for their applications in each security zone.

For greater security, the administrator should enable policies for all zones, so that there is a known configuration set by policy rather than an unknown setting read from HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER preference settings not set by policy. If the administrator sets policies for all zones, we recommend that the policy to disable the Security page be enabled, which will make the user interface in Internet Explorer unavailable.

Feature Control Policies

The administrator should also understand the Feature Control policy settings. Some of the URL action settings will not be valid unless the corresponding Feature Control policy is enabled. Internet Explorer checks to see whether the feature is enabled, and if it is, then looks for the setting for the action based on the security zone of the URL.

Zone Map Policies

The method for adding Zone Map keys to policy is as follows:

To set computer policy, go to \Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page within Group Policy. To set user policy, go to \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page within Group Policy.
Select the Site to Zone Assignment List policy.
Select Enabled and click Show…
For each site you would like to map:
1. Click Add…
2. Enter the name, IP address, or IP range of the site you want to map (for example, http://www.contoso.com, www.contoso.com, 127.0.0.1, 127.0.0.1-10)
3. Enter the value identifying the zone to which this site should be mapped. The choices are (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, (4) Restricted Sites zone.
4. Click OK.
5. The site name and value should appear in the list.
Click OK in the Show Contents window.

Click OK again to close the Site to Zone Assignment List Properties window.

Note
Policies created by following these instructions are ignored by computers with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed. To set zone map policy on a computer with Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed, use the Internet Explorer Maintenance (IEM) snap-in to Group Policy. When using the IEM to create a Group Policy object to apply to a computer with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed, you must be using a computer with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed.

Note

Policies created by following these instructions are ignored by computers with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed. To set zone map policy on a computer with Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed, use the Internet Explorer Maintenance (IEM) snap-in to Group Policy. When using the IEM to create a Group Policy object to apply to a computer with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed, you must be using a computer with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed.

Note
For more information about using Group Policy, see "Implementing Registry-based Group Policy" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=28188. For more information about using Internet Explorer security zone and privacy settings, see "Description of Internet Explorer Security Zones Registry Entries" on the Microsoft Knowledge Base Web site at http://go.microsoft.com/fwlink/?LinkId=28195.

Note

For more information about using Group Policy, see "Implementing Registry-based Group Policy" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=28188. For more information about using Internet Explorer security zone and privacy settings, see "Description of Internet Explorer Security Zones Registry Entries" on the Microsoft Knowledge Base Web site at http://go.microsoft.com/fwlink/?LinkId=28195.