Microsoft KB Archive/833633

= How to strengthen the security settings for the Local Machine zone in Internet Explorer =

Article ID: 833633

Article Last Modified on 9/14/2006


APPLIES TO


 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.0


Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
Warning If you choose to make the changes that are described in this article, you may lose some functionality in some Windows programs and components. Therefore, we recommend that you test the changes extensively to verify that mission-critical programs continue to work correctly for all users before you make these changes in a production environment.

This article describes how an administrator can strengthen the security settings for the Local Machine zone in Microsoft Internet Explorer. The Local Machine zone is also known as the My Computer zone. The information in this article applies to the following configurations:
 * 32-bit versions of Internet Explorer on 32-bit versions of Microsoft Windows
 * 64-bit versions of Internet Explorer on 64-bit versions of Microsoft Windows XP
 * 64-bit versions of Internet Explorer on 64-bit versions of Microsoft Windows Server 2003

Note Microsoft Windows XP Service Pack 2 (SP2) puts restrictions on the Local Machine zone. Therefore, if you installed Windows XP SP2, you may not have to perform one of the procedures that are described in this article. For additional information, see the following Microsoft Web sites:

http://www.microsoft.com/windowsxp/sp2/technologiesoverview.mspx#EBAA

http://www.microsoft.com/windowsxp/sp2/ieoeoverview.mspx



MORE INFORMATION

 * About security zones
 * Before you strengthen security settings for the Local Machine zone
 * Where security settings for the Local Machine zone are stored in the registry
 * How to change security settings for the Local Machine zone
 * In Active Directory directory service environments
 * In non-Active Directory environments
 * Assign an HTML file located in the Local Machine zone to the Internet zone

About security zones
The Internet Explorer user interface lets you configure four security zones:
 * Internet
 * Local intranet
 * Trusted sites
 * Restricted sites

A fifth zone, the Local Machine zone, is an implicit zone that exists on your local computer. You cannot configure the security settings for this zone in Internet Explorer. You also cannot configure the security settings by using the Internet Options Control Panel. However, if you have administrator permissions, you can configure the security settings for the Local Machine zone by changing a registry setting.

Internet Explorer lets you assign a Web site to a security zone. A Web site that is in the Internet zone has a higher level of security than a Web site that is in the Trusted sites zone or that is in the Local intranet zone. By assigning a Web site to a security zone, you can control how a Web site performs operations on your computer. For example, you can prevent a Web site from performing potentially unsafe operations on your computer by assigning the Web site to a security zone that has the most restrictive level of security.

A Web site that is in the Local Machine zone has a less restrictive security setting than a Web site that is in any one of the other zones. The exception to this rule is any content that Internet Explorer caches on your local computer. A malicious user may try to run arbitrary code on your computer by taking advantage of the less restrictive security settings for the Local Machine zone.

Before you strengthen security settings for the Local Machine zone
When you strengthen the security settings for the Local Machine zone, users may experience one or more of the following behaviors:
 * Users are prompted before they can open a data source on another domain.
 * Users are prompted before they can run a script on a page.
 * ActiveX controls and Java programs will not run.
 * The Web page that users are trying to open may not be displayed correctly.

Where security settings for the Local Machine zone are stored in the registry
The security settings for the Local Machine zone are stored in one of the following registry subkeys, depending on how Internet Explorer security settings are managed:
 * If you let users set their own Internet Explorer security settings, the security settings for the Local Machine zone are stored in this subkey:

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

 * If you force all users to have the same Internet Explorer security settings, the security settings for the Local Machine zone are stored in this subkey:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0



By default, the security zone settings are stored in the following registry subtree:

HKEY_CURRENT_USER

Because this subtree is dynamically loaded for each user, the settings for one user do not affect the settings for another user. To determine whether all users have the same security settings, look for one of the following conditions:
 * The Security Zones: Use only machine settings option in Group Policy is enabled.
 * The Security_HKLM_only DWORD value exists, and it has a value of 1.

The Security_HKLM_only DWORD value is stored in the following registry subkey:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Both computer settings and user settings are used when one of the following conditions is true:
 * The Security Zones: Use only machine settings option in Group Policy is not enabled.
 * The Security_HKLM_only DWORD value does not exist.
 * The Security_HKLM_only DWORD value is set to 0.

If the Security_HKLM_only DWORD value does not exist, or if the Security_HKLM_only DWORD value is set to 0, Internet Explorer reads both the HKEY_LOCAL_MACHINE registry key and the HKEY_CURRENT_USER registry key. However, only the HKEY_CURRENT_USER settings appear in the Internet Options Control Panel.

The security settings that are displayed in the Internet Options Control Panel have corresponding numeric values in the registry. The following table shows the default values for each security setting. The table also shows the recommended values that you can use to strengthen each security setting for the Local Machine zone.

 Value name   Security setting                                            Type     Default        Recommended
 1200         Run ActiveX controls and plug-ins                           DWORD    0              3
 1201         Initialize and script ActiveX controls not marked as safe   DWORD    1              3
 1400         Active scripting                                            DWORD    0              1
 1406         Access data sources across domains                          DWORD    0              1
 1C00         Java permissions                                            Binary   00 00 02 00    00 00 00 00

In this table, the settings for the DWORD values mean the following:
 * 0 indicates that the action is enabled. This is the default setting.
 * 1 indicates that a prompt appears.
 * 3 indicates that the action is disabled.

The default setting of 00 00 02 00 for the Binary value indicates a medium level of safety. The 00 00 00 00 setting disables Java.

Note For Active scripting, a setting of 1 may cause too many prompts to appear. Therefore, you may want to permit scripting. To do this, set the Active scripting value to 0. If you do not want to set Active scripting to prompt, change the line that starts with 1400 in the next section, "How to change security settings for the Local Machine zone."

How to change security settings for the Local Machine zone
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To change the security settings for the Local Machine zone, change either the DWORD value or the Binary value. Use the method that is appropriate to your environment.

In Active Directory directory service environments

Strengthening default settings for the Local Machine zone
In an Active Directory environment, use Group Policy Object Editor, formerly known as Group Policy Editor. To strengthen the security settings for the Local Machine zone, follow these steps:

 1. Copy the following text and paste it into a text editor, such as Notepad.

    If users can set their own security settings, use the following text:

        REGEDIT4

        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
        "1200"=dword:00000003
        "1201"=dword:00000003
        "1400"=dword:00000001
        "1406"=dword:00000001
        "1C00"=hex:00,00,00,00

    If all users must use the same security settings, use the following text:

        REGEDIT4

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
        "1200"=dword:00000003
        "1201"=dword:00000003
        "1400"=dword:00000001
        "1406"=dword:00000001
        "1C00"=hex:00,00,00,00

 2. Save the file as ADHardenLMZ.reg.
 3. On the computer where you want to run Group Policy Object Editor, run the ADHardenLMZ.reg file to import the registry settings into the registry.
 4. Open Group Policy Object Editor for the Active Directory object that you want to modify. You may be prompted for the following actions:
     * Permit scripts to run
     * Confirm that you want to continue running scripts

    If you receive this prompt, click Yes. If you receive a message that states that your current settings do not let ActiveX controls be run, click OK.

    Note After you strengthen the security settings for the Local Machine zone, the Help pane will no longer appear in Group Policy Object Editor.
 5. Expand User Configuration, expand Windows Settings, expand Internet Explorer Maintenance, and then expand Security. Double-click Security Zones and Content Ratings.
 6. Click Import the current security zones and privacy settings, and then click OK.

Restoring default settings for the Local Machine zone
To restore the default settings for the Local Machine zone, follow these steps:

 1. Copy the following text and paste it into a text editor, such as Notepad.

    If users can set their own security settings, use the following text:

        REGEDIT4

        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
        "1200"=dword:00000000
        "1201"=dword:00000001
        "1400"=dword:00000000
        "1406"=dword:00000000
        "1C00"=hex:00,00,02,00

    If all users must use the same security settings, use the following text:

        REGEDIT4

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
        "1200"=dword:00000000
        "1201"=dword:00000001
        "1400"=dword:00000000
        "1406"=dword:00000000
        "1C00"=hex:00,00,02,00

 2. Save the file as ADDefaultLMZ.reg.
 3. On the computer where you want to run Group Policy Object Editor, run the ADDefaultLMZ.reg file to import the default settings into the registry.
 4. Open Group Policy Object Editor for the Active Directory object that you want to modify. You may be prompted for the following actions:
     * Permit scripts to run
     * Confirm that you want to continue running scripts

    If you receive this prompt, click Yes. If you receive a message that states that your current settings do not let ActiveX controls be run, click OK.

    Note After you strengthen the security settings for the Local Machine zone, the Help pane will no longer appear in Group Policy Object Editor.
 5. Expand User Configuration, expand Windows Settings, expand Internet Explorer Maintenance, and then expand Security. Double-click Security Zones and Content Ratings.
 6. Click Import the current security zones and privacy settings, and then click OK.

In non-Active Directory environments

Strengthening default settings for the Local Machine zone
To strengthen the security settings for the Local Machine zone, import the updated security settings into the registry. To do this, follow these steps:

 1. Copy the following text and paste it into a text editor, such as Notepad.

    If users can set their own Internet Explorer security settings, use the following text:

        REGEDIT4

        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
        "1200"=dword:00000003
        "1201"=dword:00000003
        "1400"=dword:00000001
        "1406"=dword:00000001
        "1C00"=hex:00,00,00,00

    If all users have the same security settings, use the following text:

        REGEDIT4

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
        "1200"=dword:00000003
        "1201"=dword:00000003
        "1400"=dword:00000001
        "1406"=dword:00000001
        "1C00"=hex:00,00,00,00

        [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
        "Security_HKLM_only"=dword:00000001

 2. Save the file as HardenLMZ.reg.
 3. Run the HardenLMZ.reg file on all client computers to import the settings into the registry.

Restoring default settings for the Local Machine zone
To restore the default settings for the Local Machine zone, follow these steps:

 1. Copy the following text and paste it into a text editor, such as Notepad.

    If users can set their own Internet Explorer security settings, use the following text:

        REGEDIT4

        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
        "1200"=dword:00000000
        "1201"=dword:00000001
        "1400"=dword:00000000
        "1406"=dword:00000000
        "1C00"=hex:00,00,02,00

    If all users have the same security settings, use the following text:

        REGEDIT4

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
        "1200"=dword:00000000
        "1201"=dword:00000001
        "1400"=dword:00000000
        "1406"=dword:00000000
        "1C00"=hex:00,00,02,00

        [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
        "Security_HKLM_only"=dword:00000001

 2. Save the file as DefaultLMZ.reg.
 3. Run the DefaultLMZ.reg file on all client computers to import the settings into the registry.
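As an added example that is not part of the Microsoft article, the following Python script parses a REGEDIT4 export of the Zones\0 subkey (the .reg files above, or the output of `reg export` on a client) and reports each action's state using the article's value meanings (0 enabled, 1 prompt, 3 disabled; 00,00,00,00 disables Java) against the values HardenLMZ.reg writes. The labels for 1200, 1201, 1406 and 1C00 are the standard Internet Options names rather than text from this article, and the sample export is constructed.

```python
import re
DWORD_MEANING = {0: "enabled", 1: "prompt", 3: "disabled"}  # DWORD action values as the article defines them
# Zone actions the article changes; 1400 is named in the text, the other
# labels are the standard Internet Options names for these value names.
ACTIONS = {"1200": "Run ActiveX controls and plug-ins", "1201": "Initialize and script ActiveX controls not marked as safe",
           "1400": "Active scripting", "1406": "Access data sources across domains", "1C00": "Java permissions"}
# What the article's HardenLMZ.reg writes; used as the audit baseline.
HARDENED = {"1200": 3, "1201": 3, "1400": 1, "1406": 1, "1C00": b"\x00\x00\x00\x00"}
ZONE0 = re.compile(r"\\internet settings\\zones\\0\]$", re.IGNORECASE)
VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<kind>dword|hex):(?P<data>.+)$')

def parse_zone0(reg_text):
    """Map hive name -> {value name: int or bytes} for each [...\\Zones\\0] section."""
    zones, hive = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):  # section header: remember the hive
            hive = line[1:-1].split("\\", 1)[0].upper() if ZONE0.search(line) else None
            continue
        m = VALUE.match(line)
        if hive is None or not m:  # outside a Zones\0 section, or not a dword/hex value
            continue
        data = m["data"]
        value = int(data, 16) if m["kind"] == "dword" else bytes(int(b, 16) for b in data.split(","))
        zones.setdefault(hive, {})[m["name"].upper()] = value
    return zones

def describe(name, v):
    """Human-readable state of one value, using the article's value meanings."""
    if v is None:
        return "not set"
    if name == "1C00":  # Binary value: 00,00,00,00 disables Java, 00,00,02,00 is the medium default
        return "Java disabled" if v == b"\x00\x00\x00\x00" else "Java level " + v.hex()
    return DWORD_MEANING.get(v, "unknown (%d)" % v)

def audit(values):
    """Map value name -> (label, state, matches_hardened); missing values count as not hardened."""
    return {name: (label, describe(name, values.get(name)), values.get(name) == HARDENED[name])
            for name, label in ACTIONS.items()}

# Constructed sample export: an HKLM zone that is only partly hardened (1406 and 1C00 left at defaults).
SAMPLE_REG = """REGEDIT4
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0]
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000001
"1406"=dword:00000000
"1C00"=hex:00,00,02,00
"""
```

Run `audit(parse_zone0(SAMPLE_REG)["HKEY_LOCAL_MACHINE"])` to see that 1406 is still enabled and Java is still at the medium level, so the sample is not fully hardened.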

Assign an HTML file located in the Local Machine zone to the Internet zone
After you strengthen the security settings for the Local Machine zone, you can assign a local HTML file that contains scripts, ActiveX controls, or Java programs to the Internet zone. When Internet Explorer opens the HTML file, Internet Explorer looks for the "saved from URL" comment. If Internet Explorer finds the "saved from URL" comment, Internet Explorer uses the security settings for the Internet zone instead of the settings for the Local Machine zone. If the Internet zone is configured to run scripts, to run ActiveX controls, or to run Java programs, these items will run and you will not experience the behaviors that are described in the "Before you strengthen security settings for the Local Machine zone" section.

To assign a local HTML file to the Internet zone, you can add a "saved from URL" comment to the local HTML file. This comment instructs Internet Explorer to apply the security settings for the Internet zone to the HTML file that is saved on your hard disk. This comment must look similar to the following:

    <!-- saved from url=(0023)http://www.contoso.com/ -->

The value in parentheses represents the number of characters in the URL that follows the equal sign. In this example, this value is 0023. Contoso represents the name of an Internet Web site.
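As an added example that is not part of the article, this Python helper builds and checks the "saved from URL" comment described above: make_motw computes the four-digit character count for a URL, check_motw verifies that an existing comment's declared count matches the URL that follows it, and tag_local_html prepends the comment to a local file that does not have one. The function names are mine and the sample HTML is constructed.

```python
import re

# Shape of the "saved from URL" comment: the number in parentheses is the
# character count of the URL that follows the equal sign.
MOTW = re.compile(r"<!--\s*saved from url=\((?P<len>\d{4})\)(?P<url>\S+)\s*-->", re.IGNORECASE)

def make_motw(url):
    """Build the comment for url; the count is zero-padded to four digits, as in the article."""
    return "<!-- saved from url=(%04d)%s -->" % (len(url), url)

def check_motw(html):
    """Return (url, declared_count, actual_length) for the first comment in html,
    or None if there is none. A declared count that differs from the actual
    length means the comment is malformed and should be regenerated."""
    m = MOTW.search(html)
    if not m:
        return None
    return m["url"], int(m["len"]), len(m["url"])

def tag_local_html(html, url):
    """Prepend the comment to a local HTML file that has no such comment yet."""
    if MOTW.search(html):
        return html  # already tagged; leave the existing comment alone
    return make_motw(url) + "\n" + html
```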
