
Security Zone setting explanation required


Ascii2


At HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0, there exist DWORD values "Flags".

I have found different sources using different values for the "Flags" DWORD.

Some sources:

http://support.microsoft.com/kb/182569/

http://antionline.com/showthread.php?t=237895

http://surfthenetsafely.com/ieseczone3.htm

Although a Microsoft Corporation article is one of the sources, other sources use other values for "Flags" that are not documented in the Microsoft Knowledgebase article.

What are the valid values for "Flags" and what effect do they have?

Relevant operating systems: Windows 2000, XP, and Server 2003 families



What you've found is all accurate - the reason 0x47 (71 decimal) "unhides" the My Computer zone is simple math, as it sets the following values:

Value  Setting
------------------------------------------------------------------
1      Allow changes to custom settings
2      Allow users to add Web sites to this zone
4      Require verified Web sites (https protocol)
64     Show the Requires Server Verification dialog box

Note that 32 (Do not show security zone in Internet Properties) is not set, meaning the zone IS shown. Setting it to 0x27 (33 decimal) means that the following are set:

Value  Setting
------------------------------------------------------------------
1      Allow changes to custom settings
32     Do not show security zone in Internet Properties (default setting for My Computer)

Note that this will hide the security zone.

There are other valid configurations that make 32 set as well, but you have to do the math (in decimal, then convert to hex to set the reg key if you're doing it in a .reg) to figure out what numbers include what settings, and what they exclude. These are additive, remember.

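The additive arithmetic described in the reply above, as an added example that is not part of the original thread: a small Python helper that decodes a "Flags" value into its settings, reports whether the zone would be hidden, and formats the value for a .reg file. The function names are illustrative; bits 8, 16 and 128 are taken from the linked Microsoft KB 182569 rather than from the posts.

```python
# Added example: decode and build the zone "Flags" DWORD discussed in this thread.
# Bits 1, 2, 4, 32 and 64 are the ones listed in the thread; 8, 16 and 128 are
# the remaining entries from Microsoft KB 182569, which the thread links to.
ZONE_FLAGS = {
    1: "Allow changes to custom settings",
    2: "Allow users to add Web sites to this zone",
    4: "Require verified Web sites (https protocol)",
    8: "Include Web sites that bypass the proxy server",
    16: "Include Web sites not listed in other zones",
    32: "Do not show security zone in Internet Properties",
    64: "Show the Requires Server Verification dialog box",
    128: "Treat Universal Naming Connections (UNCs) as intranet connections",
}
HIDE_ZONE = 32  # when set, the zone is not shown in Internet Properties


def decode_flags(value):
    """Return (settings, leftover): names of the set bits, plus any bits not in the table."""
    settings = [name for bit, name in sorted(ZONE_FLAGS.items()) if value & bit]
    leftover = value & ~sum(ZONE_FLAGS)  # sum of the keys is the mask of known bits
    return settings, leftover


def zone_is_hidden(value):
    """True when bit 32 is set, i.e. the zone is hidden in the dialog."""
    return bool(value & HIDE_ZONE)


def combine(*bits):
    """OR individual flag bits together, rejecting values that are not in the table."""
    value = 0
    for bit in bits:
        if bit not in ZONE_FLAGS:
            raise ValueError("not a listed flag bit: %r" % (bit,))
        value |= bit
    return value


def reg_line(value):
    """Format the value the way a .reg file expects a DWORD (8 hex digits)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Flags must fit in a 32-bit DWORD")
    return '"Flags"=dword:%08x' % value


if __name__ == "__main__":
    # 0x47 is 71 decimal; 33 decimal is 0x21; 0x27 is 39 decimal.
    for v in (0x47, 33, 0x27):
        settings, leftover = decode_flags(v)
        print(v, hex(v), "hidden" if zone_is_hidden(v) else "shown", settings, leftover)
```
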

I believe I now understand the different meanings of the values for the "Flag" DWORD.

I tried to apply different values for "Flags" in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives using REGEDIT on Windows 2000 Professional with Service Pack 4. After applying the values, I could not observe changes in behavior of the display in the Internet Properties dialog box, even after restarting Windows.

After using a VBS script to apply the changes to the "Flags" values, the changes in behavior of the display in the Internet Properties dialog box were observable immediately.

Why was the VBS script able to change Internet Security behavior, but changing the "Flags" values in the Registry Editor did not?



Those settings are read by explorer.exe on start, and iexplore.exe as well on start (or clicking tools > options). Best practice for changing security zone settings like that is to reboot after making changes, or at least log off and back on. Not sure why the vbscript worked and the reg change did not, unless you had IE open when you changed it manually and did not when you used the vbscript (just guessing).


IE was not open when I attempted to change the settings.

Also, I forgot to mention that the change using the VBscript was observable immediately in the Internet Properties box after the running of the script (but not open when script run).

I have rebooted like nine times after I last posted, installed Microsoft mouse software (with driver), and a newer version of my chipset (nVidia nForce4 SLI) drivers. I am now able to make the changes in the Registry Editor and immediately observe the changes in the Internet Properties dialog box (although I do not know why I was not able to before).

