Internet Explorer URL Action and Advanced Security Settings in Group Policy

Applies To: Windows Server 2003 with SP1

Note

The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the Enhanced Security Configuration on your server, these features will function as they do in Windows XP Service Pack 2.

What does Internet Explorer Settings in Group Policy do?

Windows XP Service Pack 2 introduced true policies for the configurable actions in the Internet Explorer Security tab settings. In addition to incorporating these policies into Internet Explorer in Windows Server 2003 Service Pack 1, additional policies were created for selected configurable actions in the Internet Explorer Advanced tab, as well as for URL action policies in Locked-Down zones used only by the Network Protocol Lockdown security feature. In this release, these security settings are managed using the Group Policy Management Console and, if set, can only be changed by a Group Policy object (GPO) or by an administrator.

An updated Inetres.adm file contains a list of settings as policies, including Advanced settings, which are also found in the Internet Explorer user interface as preferences. Administrators can manage the new feature control policies by using Group Policy objects (GPOs). When Internet Explorer is installed, the default HKEY_CURRENT_USER preferences settings for these settings are registered on the computer as they were in previous versions. The Administrator has to use the Group Policy Management Console (GPMC) to add these settings as policies.

Who does this feature apply to?

Group Policy administrators can uniformly configure the new Internet Explorer Advanced setting policies, as well as policies for Locked-Down security zones, for the computers and users that they manage. It is important to inform the end-user which actions are controlled by policy, as these actions will override user preference settings.

Note

The Internet Options control panel will display policy settings when opened and users can interact with user interface and appear to change their preferences. However, these preferences will not actually override Group Policy settings, which may cause a confusing user experience. The administrator can also set a policy to disable the Advanced page user interface so that it is clearer to the user that these settings are not available to be changed. This is not an issue for the Locked-Down zones' settings as they are not accessible through the user interface.

What existing functionality is changing in Windows Server 2003 Service Pack 1?

Group Policy Internet Explorer advanced settings

Detailed description

The following definitions apply to Internet Explorer settings for Windows Server 2003 with Service Pack 1:

  • Security zones: Locked-Down Intranet Zone, Locked-Down Trusted Sites Zone, Locked-Down Internet Zone, and Locked-Down Restricted Sites zone.

  • Templates: Standard settings for all URL actions in these security zones. Templates can be applied in any zone, and settings will provide a range of choices from low security, medium-low, medium, and up to high security for the zone.

  • URL actions: Security settings in the registry that identify the action to take for that feature in the security zone where the URL resides. URL action settings include enable, disable, prompt, and others as appropriate.

  • URL action policies: URL action policies can be added individually by enabling the desired URL action policy, then selecting the setting for the policy registry key value. They can also be set by zone template.

Internet Explorer will look for a policy in the following order:

  • HKEY_LOCAL_MACHINE policy hive

  • HKEY_CURRENT_USER policy hive

  • HKEY_CURRENT_USER preference hive

  • HKEY_LOCAL_MACHINE preference hive

If Internet Explorer finds a policy in the HKEY_LOCAL_MACHINE policy hive, it stops and does not continue; that is the setting it respects. If Internet Explorer does not find a policy in HKEY_LOCAL_MACHINE policy hive, it looks in the HKEY_CURRENT_USER policy hive, and so on. The administrator can set a policy for one or more URL actions in one or more zones, and allow the end user to manage preferences for URL actions that do not require policy-level security management.

Policy values for URL action

The new URL action policies have the same numeric values as their related preference keys. The following table provides a reference to these URL actions.

URL action flag name Security setting UI Numeric name

URLACTION_DOWNLOAD_SIGNED_ACTIVEX

Download signed ActiveX controls

1001

URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX

Download unsigned ActiveX controls

1004

URLACTION_ACTIVEX_RUN

Run ActiveX controls and plugins

1200

URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY

Initialize and script ActiveX controls not marked as safe

1201

URLACTION_SCRIPT_RUN

Active scripting

1400

URLACTION_SCRIPT_JAVA_USE

Scripting of Java applets

1402

URLACTION_SCRIPT_SAFE_ACTIVEX

Script ActiveX controls marked safe for scripting

1405

URLACTION_CROSS_DOMAIN_DATA

Access data sources across domains

1406

URLACTION_SCRIPT_PASTE

Allow paste operations via script

1407

URLACTION_HTML_SUBMIT_FORMS

Submit non-encrypted form data

1601

URLACTION_HTML_FONT_DOWNLOAD

Font download

1604

URLACTION_HTML_USERDATA_SAVE

Userdata persistence

1606

URLACTION_HTML_SUBFRAME_NAVIGATE

Navigate sub-frames across different domains

1607

URLACTION_HTML_META_REFRESH

Allow META REFRESH

1608

URLACTION_HTML_MIXED_CONTENT

Display mixed content

1609

URLACTION_SHELL_INSTALL_DTITEMS

Installation of desktop items

1800

URLACTION_SHELL_MOVE_OR_COPY

Drag and drop or copy and paste files

1802

URLACTION_SHELL_FILE_DOWNLOAD

File download

1803

URLACTION_SHELL_VERB

Launching applications and files in an IFRAME

1804

URLACTION_SHELL_POPUPMGR

Use Pop-up blocker

1809

URLACTION_NETWORK_MIN

Logon

1A00

URLACTION_CLIENT_CERT_PROMPT

Don't prompt for client certificate selection when no certificates or only one certificate exists

1A04

URLACTION_JAVA_PERMISSIONS

Java permissions

1C00

URLACTION_CHANNEL_SOFTDIST_PERMISSIONS

Software channel permissions

1E05

URLACTION_BEHAVIOR_RUN

Script and Binary Behaviors

2000

URLACTION_MANAGED_SIGNED

Run .NET Framework-reliant components signed with Authenticode

2001

URLACTION_MANAGED_UNSIGNED

Run .NET Framework-reliant components not signed with Authenticode

2004

URLACTION_FEATURE_MIME_SNIFFING

Open files based on content, not file extension

2100

URLACTION_FEATURE_ZONE_ELEVATION

Web sites in less privileged Web content zones can navigate into this zone

2101

URLACTION_FEATURE_WINDOW_RESTRICTIONS

Allow script-initiated windows without size or position constraints

2102

URLACTION_AUTOMATIC_DOWNLOAD_UI

Automatic prompting for file downloads

2200

URLACTION_AUTOMATIC_ACTIVEX_UI

Automatic prompting for ActiveX controls

2201

URLACTION_ALLOW_RESTRICTEDPROTOCOLS

Allow active content over restricted protocols to access my computer

2300

For more information about using URL action flags, see "URL Action Flags" on the MSDN Web site at https://go.microsoft.com/fwlink/?LinkId=32776.

The following table provides a reference to the setting options available for each URL action.

Numeric Name URL Action Policy Setting Options

1001

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1004

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1200

"Administrator approved"=0x00010000

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1201

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1400

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1402

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1405

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1406

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1407

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1601

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1604

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1606

"Enable"=0x00000000

"Disable"=0x00000003

1607

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1608

"Enable"=0x00000000

"Disable"=0x00000003

1609

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1800

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1802

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1803

"Enable"=0x00000000

"Disable"=0x00000003

1804

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

1809

"Enable"=0x00000000

"Disable"=0x00000003

1A00

"Anonymous logon"=0x00030000

"Automatic logon only in Intranet zone"=0x00020000

"Automatic logon with current user name and password"=0x00000000

"Prompt for user name and password"=0x00010000

1A04

"Enable"=0x00000000

"Disable"=0x00000003

1C00

"High safety"=0x00010000

"Medium safety"=0x00020000

"Low safety"=0x00030000

"Custom"=0x00800000

"Disable Java"=0x00000000

1E05

"High Safety"=0x00010000

"Medium Safety"=0x00020000

"Low Safety"=0x00030000

2000

"Enable"=0x00000000

"Administrator approved"=0x00010000

"Disable"=0x00000003

2001

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

2004

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

2100

"Enable"=0x00000000

"Disable"=0x00000003

2101

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

2102

"Enable"=0x00000000

"Disable"=0x00000003

2200

"Enable"=0x00000000

"Disable"=0x00000003

2201

"Enable"=0x00000000

"Disable"=0x00000003

2300

"Enable"=0x00000000

"Disable"=0x00000003

"Prompt"=0x00000001

Key for numeric translation of URL policy settings   

Value DWORD Setting

0

0x00000000

Enable

1

0x00000001

Prompt

3

0x00000003

Disable

65536

0x00010000

High Safety

131072

0x00020000

Medium Safety

196608

0x00030000

Low Safety

For descriptions for each of the URL policy settings, see "URL Action Flags" on the MSDN Web site at https://go.microsoft.com/fwlink/?LinkId=32777.

Default settings for each URL action in zones and templates

Each URL action has a default that is set in each zone and set when a specified template is applied. The default settings for each zone are described in the following table.

URL action default settings

URL action numeric name Locked-Down Restricted zone Locked-Down Internet zone Locked-Down Intranet zone Locked-Down Trusted zone

1001

3

1

1

0

1004

3

3

3

3

1200

3

3

3

3

1201

3

3

3

3

1400

3

3

3

3

1402

3

0

0

0

1405

3

0

0

0

1406

3

3

1

0

1407

3

0

0

0

1601

1

1

0

0

1604

1

0

0

0

1606

3

0

0

0

1607

3

0

0

0

1608

3

0

0

0

1609

1

1

1

1

1800

3

1

1

0

1802

1

0

0

0

1803

3

0

0

0

1804

3

1

1

0

1809

0

0

3

3

1A00

65536

131072

131072

0

1A04

3

3

3

3

1C00

0

0

0

0

1E05

65536

131072

131072

196608

2000

3

65536

65536

65536

2001

3

3

3

3

2004

3

3

3

3

2100

3

3

3

3

2101

3

3

3

3

2102

3

3

3

3

2200

3

3

3

3

2201

3

3

3

3

2300

3

1

1

1

Group Policy Settings Paths

These paths locate the available Advanced settings in the Group Policy Management Console:

  • HKEY_LOCAL_MACHINE policies for Advanced settings:

\Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

  • HKEY_CURRENT_USER policies for Advanced settings:

\User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

These paths locate the security zone settings in the Group Policy Management Console:

  • HKEY_LOCAL_MACHINE policies by security zone for URL actions:

\Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

  • HKEY_CURRENT_USER policies by security zone for URL actions:

\User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

These paths locate the Advanced settings in policy and in preference in the Windows registry (in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER):

Advanced setting UI Preference key name Policy key name

Install on Demand (Internet Explorer)

HKCU \Software \Microsoft\Internet Explorer\Main \NoJITSetup

Software\Policies\Microsoft\Internet Explorer\Main\NoJITSetup

Install on Demand (Other)

HKCU\Software\Microsoft\Internet Explorer\Main \NoWebJITSetup

Software\Policies\Microsoft\Internet Explorer\Main\NoWebJITSetup

Third-party Browser Extensions

HKCU\Software \Microsoft\Internet Explorer\Main\Enable Browser Extensions

Software\Policies \Microsoft\Internet Explorer\Main\Enable Browser Extensions

Automatically check for IE Updates

HKCU\Software \Microsoft\Internet Explorer\Main \NoUpdateCheck

Software\Policies \Microsoft\Internet Explorer\Main \NoUpdateCheck

Play Animations in Web Pages

HKCU\Software \Microsoft\Internet Explorer\Main \Play_Animations

Software\Policies \Microsoft\Internet Explorer\Main \Play_Animations

Play Sounds in Web Pages

HKCU\Software \Microsoft\Internet Explorer\Main \Play_Background_Sounds

Software\Policies \Microsoft\Internet Explorer\Main \Play_Background_Sounds

Play Videos in Web Pages

HKCU\Software \Microsoft\Internet Explorer\Main\Display Inline Videos

Software\Policies \Microsoft\Internet Explorer\Main\Display Inline Videos

Allow software to run or install even if the signature is invalid

HKCU\Software \Microsoft\Internet Explorer\Download \RunInvalidSignatures

Software\Policies \Microsoft\Internet Explorer\Download \RunInvalidSignatures

Allow active content from CDs to run on user machines

HKCU\Software \Microsoft\Internet Explorer\Main \FeatureControl \FEATURE_LOCALMACHINE_LOCKDOWN \Settings \LocalMachine_CD_Unlock

\Software\Policies \Microsoft\Internet Explorer\Main \FeatureControl \FEATURE_LOCALMACHINE_LOCKDOWN \Settings \LocalMachine_CD_Unlock

Check for Server Certificate Revocation

HKCU\Software \Microsoft\Internet Explorer\Download \CertificateRevocation

Software\Policies \Microsoft\Windows \CurrentVersion \InternetSettings \CertificateRevocation

Check for Signatures on Downloaded Programs

HKCU\Software \Microsoft\Internet Explorer\Main\ CheckExeSignatures

Software\Policies \Microsoft\Internet Explorer\Main\ CheckExeSignatures

Do Not Save Encrypted Pages to Disk

HKCU\Software \Microsoft\Windows \CurrentVersion \InternetSettings \DisableCachingOfSSLPages

Software\Policies \Microsoft\Windows \CurrentVersion \InternetSettings \DisableCachingOfSSLPages

Empty Temporary Internet Files Folder When Browser is Closed

HKCU\Software \Microsoft\Internet Explorer\Cache \Persistent

Software\Policies \Microsoft\Windows \CurrentVersion \InternetSettings\Cache \Persistent

These paths locate the security zone settings in policy and in preference in the Windows registry (in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER):

  • Location of Locked-Down Intranet zone policy values:

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1

  • Location of Locked-Down Trusted Sites policy:

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2

  • Location of Locked-Down Internet zone policy values:

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3

  • Location of Locked-Down Restricted Sites policy values:

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4

  • Location of Locked-Down Intranet zone template:

Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings

  • Location of Locked-Down Trusted Sites template:

Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings

  • Location of Locked-Down Internet zone template:

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings

  • Location of Locked-Down Restricted Sites template:

Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings

Configuring policies and preferences

Group Policy is the recommended tool for managing Internet Explorer for client computers on a corporate network. Internet Explorer supports Group Policy management for all new Internet Explorer Feature Controls in Windows Server 2003 Service Pack 1, and for Security page settings or URL actions. Administrators of Group Policy can manage these new policy settings in the Administrative Templates extension of the Group Policy Management Console.

When implementing policy settings, it is recommended that you configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific client computers.

Policies can be read by users but can only be changed by via Group Policy management or by an administrator. Preference settings can be changed programmatically, by editing the registry, or in the case of URL actions, by using Internet Explorer. Settings specified by Group Policy take precedence over settings specified using preferences.

Why is this change important?

By adding the new Advanced setting policies and Locked-Down security policies to Group Policy, administrators can manage these true policies to establish standard settings for all the computers that they configure. The administrator can control these settings in such a way that they cannot be changed except through Group Policy or by a user with administrator privileges, thus ensuring that security and certain Advanced settings are not set by end users.

Do I need to change my code to work with Windows Server 2003 Service Pack 1?

Windows Server 2003 Service Pack 1 adds new policies to Group Policy but does not change how policies are managed. Developers need to be aware of how each Feature Control and URL action setting or setting combination affects security-related behavior for their applications in each security zone.

For greater security, the administrator should enable policies for all zones, so that there is a known configuration set by policy rather than an unknown setting read from HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER preference settings not set by policy. If the administrator sets policies for all zones, we recommend that the policy to disable the Security page be enabled, which will make the user interface in Internet Explorer unavailable.

Feature Control Policies

The administrator should also understand the Feature Control policy settings. Some of the URL action settings will not be valid unless the corresponding Feature Control policy is enabled. Internet Explorer checks to see whether the feature is enabled, and if it is, then looks for the setting for the action based on the security zone of the URL.

Zone Map Policies

The method for adding Zone Map keys to policy is as follows:

  1. To set computer policy, go to \Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page within Group Policy. To set user policy, go to \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page within Group Policy.

  2. Select the Site to Zone Assignment List policy.

  3. Select Enabled and click Show…

  4. For each site you would like to map:

    1. Click Add…

    2. Enter the name, IP address, or IP range of the site you want to map (for example, https://www.contoso.com, www.contoso.com, 127.0.0.1, 127.0.0.1-10)

    3. Enter the value identifying the zone to which this site should be mapped. The choices are (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, (4) Restricted Sites zone.

    4. Click OK.

    5. The site name and value should appear in the list.

  5. Click OK in the Show Contents window.

  6. Click OK again to close the Site to Zone Assignment List Properties window.

    Note

    Policies created by following these instructions are ignored by computers with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed. To set zone map policy on a computer with Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed, use the Internet Explorer Maintenance (IEM) snap-in to Group Policy. When using the IEM to create a Group Policy object to apply to a computer with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed, you must be using a computer with the Windows Server 2003 Internet Explorer Enhanced Security Configuration component installed.

Note

For more information about using Group Policy, see "Implementing Registry-based Group Policy" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=28188. For more information about using Internet Explorer security zone and privacy settings, see "Description of Internet Explorer Security Zones Registry Entries" on the Microsoft Knowledge Base Web site at https://go.microsoft.com/fwlink/?LinkId=28195.