WindowsSecrets - Nov 2004
Local Machine Zone IE Security

Microsoft documents in its online Knowledge Base a Registry setting that makes the Local Machine Zone visible. This doesn't affect its security; it simply makes it possible for you to alter the security settings of the zone.

Before altering the Registry, first make sure you back it up and know how to restore it if you make a mistake.

Then click Start, Run, type regedit and click OK. In the HKEY_CURRENT_USER folder, find the following Registry key:

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

In that key, the Flags value, which is a DWORD, controls whether or not the Local Machine Zone is visible in IE's Security tab. Set the data value to 47 (in hexadecimal) to display the zone or 21 (in hexadecimal) to hide it.

Microsoft's description of this procedure is in KB article 315933.
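
The same change scripted in PowerShell, as an added example that is not from the original article or from Microsoft's KB text. The key and the two Flags values are the ones given above; the function name and the backup file location are assumptions.

```powershell
# Added example: show or hide the Local Machine Zone (zone 0) for the current user.
# Flags 0x47 (show) and 0x21 (hide) are the values given in the article.
$zone0    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$zone0Reg = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$backup   = Join-Path $env:TEMP 'zone0-backup.reg'   # assumed backup location

function Set-LocalMachineZoneVisible {   # hypothetical helper name
    param([Parameter(Mandatory)][bool]$Visible)

    # Back up the key first, as the article advises; stop if the export fails.
    & reg.exe export $zone0Reg $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $zone0Reg failed; nothing changed." }

    $current = (Get-ItemProperty -Path $zone0 -Name Flags -ErrorAction Stop).Flags
    $wanted  = if ($Visible) { 0x47 } else { 0x21 }

    # Conservative choice: refuse to overwrite a value the article does not describe.
    if ($current -notin 0x47, 0x21) {
        throw ('Unexpected Flags value 0x{0:X}; leaving it untouched.' -f $current)
    }
    if ($current -ne $wanted) {
        Set-ItemProperty -Path $zone0 -Name Flags -Value $wanted -Type DWord
    }
    'Flags: 0x{0:X} -> 0x{1:X} (backup: {2})' -f $current, $wanted, $backup
}

Set-LocalMachineZoneVisible -Visible $true
```

To undo the change, call the function with `-Visible $false` or import the exported .reg file.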

After you've made the change, you can then apply to the Local Machine Zone the same security settings that are recommended below for the Internet Zone. Be aware that this doesn't give you the multiple protections provided by QwikFix-Pro and similar security software.

Protecting the Internet Zone

Many security experts recommend that you configure IE's Internet Zone so dangerous technologies are not allowed to run. These recommendations don't go as far as setting the zone to "High" but protect you against most security breaches that a hacked Web site could expose you to.

Many programs other than IE, such as Microsoft Outlook and Outlook Express, use IE's rendering engine to display content. Changing the security settings of the Internet Zone also strengthens these applications, making it safer for you to read e-mail and use these programs in other ways. One set of recommendations is provided by InfiniSource, a Web resource center.

To make your Internet Zone more secure, pull down the Tools menu in IE, then click Internet Options and select the Security tab. (You can also access Internet Options as an applet in the Control Panel.) Select the Internet Zone, then click the Custom Level button. In the dialog box that appears, change the following settings to the values shown:

* ActiveX controls and plug-ins
Download signed ActiveX controls: Disable
Download unsigned ActiveX controls: Disable
Initialize and script ActiveX controls not marked as safe: Disable
Run ActiveX controls and plug-ins: Disable
Script ActiveX controls marked safe for scripting: Disable

* Downloads
Font Download: Disable

* Microsoft VM
Java permissions: Disable Java

* Miscellaneous
Allow META REFRESH: Disable
Display mixed content: Disable
Drag and drop or copy and paste files: Disable
Installation of desktop items: Disable
Launching programs and files in an IFRAME: Disable
Navigate sub-frames across different domains: Disable
Software channel permissions: High Safety
Userdata persistence: Disable

* Scripting
Active scripting: Disable
Allow paste operations via script: Disable
Scripting of Java applets: Disable

* User Authentication
Logon: Prompt for username and password

If you made the Local Machine Zone visible using the manual technique described in the previous section of this article, make the above changes to that zone as well. InfiniSource also recommends some other changes for Windows XP users who've installed SP2.
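
To confirm that the settings above actually took effect, the zone's Registry values can be compared with the list. This is an added example, not part of the original article or InfiniSource's recommendations; it assumes the per-user zone keys (3 = Internet, 0 = Local Machine) and the URL action IDs and data values that Microsoft documents in KB article 182569. The function name is hypothetical.

```powershell
# Added example: compare a zone's settings with the article's recommended values.
# Value names are IE URL action IDs (per KB 182569); data 0x3 means Disable.
$baseline = @(
    @('1001', 0x3,     'Download signed ActiveX controls'),
    @('1004', 0x3,     'Download unsigned ActiveX controls'),
    @('1201', 0x3,     'Initialize and script ActiveX controls not marked as safe'),
    @('1200', 0x3,     'Run ActiveX controls and plug-ins'),
    @('1405', 0x3,     'Script ActiveX controls marked safe for scripting'),
    @('1604', 0x3,     'Font Download'),
    @('1C00', 0x0,     'Java permissions: Disable Java'),
    @('1608', 0x3,     'Allow META REFRESH'),
    @('1609', 0x3,     'Display mixed content'),
    @('1802', 0x3,     'Drag and drop or copy and paste files'),
    @('1800', 0x3,     'Installation of desktop items'),
    @('1804', 0x3,     'Launching programs and files in an IFRAME'),
    @('1607', 0x3,     'Navigate sub-frames across different domains'),
    @('1E05', 0x10000, 'Software channel permissions: High Safety'),
    @('1606', 0x3,     'Userdata persistence'),
    @('1400', 0x3,     'Active scripting'),
    @('1407', 0x3,     'Allow paste operations via script'),
    @('1402', 0x3,     'Scripting of Java applets'),
    @('1A00', 0x10000, 'Logon: Prompt for username and password')
)

function Test-ZoneBaseline {   # hypothetical helper name
    param([ValidateSet(0, 3)][int]$Zone = 3)   # 3 = Internet, 0 = Local Machine
    $key   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($row in $baseline) {
        $id, $want, $label = $row
        $have = $props.$id      # $null when the value is absent from the key
        [pscustomobject]@{
            Action  = $id
            Setting = $label
            Want    = '0x{0:X}' -f $want
            Have    = if ($null -eq $have) { 'missing' } else { '0x{0:X}' -f $have }
            OK      = ($have -eq $want)
        }
    }
}

# List only the settings that differ from the recommended values.
Test-ZoneBaseline -Zone 3 | Where-Object { -not $_.OK } | Format-Table -AutoSize
```

An empty result means every listed setting matches. On machines managed by Group Policy, zone settings can also be set under the Policies keys, which take precedence over these per-user values.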

One benefit of changing the above settings manually, rather than simply setting the Internet Zone to High Security, is that you can easily change back any individual setting if it causes you a problem.

If a Web site or application complains about a certain setting, you can investigate it and determine whether or not lowering your security settings is justified. If you didn't know about the settings shown above, you'd be tempted in the face of problems to reset the Internet Zone from High to Medium, which would put you back where you started.

Microsoft itself has posted a Knowledge Base article about changing some of the above settings manually in IE, going back to version 3.0. The article is primarily oriented toward troubleshooting, rather than security. The description is in KB article 154036.

Add legit sites to the Trusted Sites list so they'll run

Changing the above-named settings very likely will disable some of the features of some of the Web sites you visit. Unfortunately, in the bad old "anything goes" days of the Internet (which hopefully someday will be "long gone"), these sites adopted nonsecure or proprietary technology to display banner ads, submenus, and the like. Shutting down this stuff is part of the price of making the Internet a more secure place.

If a site that you know is legitimate has a problem with your security settings, it's easy to add the site to your Trusted Zone. The site will then benefit from the less-secure settings in that zone, which is by default set to Low Security.

You can add a site manually to the Trusted Zone by visiting it using IE, then clicking Tools, Internet Options. Select the Security tab, then select Trusted Zone and click the Sites button. Type http:// and the domain name into the input box and click the Add button to add the domain.

To include non-SSL-encrypted sites in the list, turn off the check box labeled "Require server verification (https:) for all sites in this zone." Click the OK button to close all the dialog boxes.

There's a much easier way to add a site to your Trusted Zone, though. You can put an item named "Add Site to Trusted Zone" on IE's Tools menu and click it rather than having to go through Internet Options every time. To get this, download and install Power Tweaks Web Accessories from Microsoft's Web site. This 129 KB download is described as being for IE 5, but it works just as well on IE 6.

Unfortunately, the utility also places on IE's Tools menu another item named "Add Site To Restricted Zone." You should never visit a site that you think is untrustworthy just so you can click this menu item. Instead, always add such a site to the Restricted Zone manually, using the procedure described above, before visiting the site.

It's unfortunate that Windows users have to go through all this just to get some peace of mind. Microsoft should simply distribute, free of charge, the fixes necessary to provide this minimal level of protection to all Windows users. Until that time, however, you should take steps to protect yourself.


Copyright 2008 Art Beckman. All rights reserved.

Last Modified: March 9, 2008