On the security Information Bar and the IE security zone strategy

Source: Internet | Editor: 程序博客网 | Time: 2024/05/18 02:52

 

Recently, when opening web pages locally with IE 7, I kept running into problems while running JS: a yellow information bar appeared at the top of the window, which was very annoying. After looking into it, I found the cause was the lockdown feature of the My Computer zone. Below is how to turn this feature off, together with an explanation of the related issues. Some of it is my own writing, and some is quoted from experts.

 

The security Information Bar prompt is tied to the Windows security policy. The whole URL namespace is divided into 5 security zones, each assigned a different trust level.

They are my computer zone, intranet zone, internet zone, trusted zone, restricted zone.

All these zones are shown in the UI under IE's Tools menu / Internet Options / Security tab.

 

Picture 1: UI for zones

     

The My Computer zone, also called the Local Machine zone, is an implicit zone for content that exists on the local computer. Content found on the user's computer (except for content that Internet Explorer caches on the local system) is treated with a high level of trust.

Many HTML pages contain active content such as script, Microsoft ActiveX controls, or binary behaviors. These pages are known as active HTML documents. Prior to Windows XP SP2, the content on a user's local file system (except for content cached by Internet Explorer) was regarded as trusted and was therefore assigned to the Local Machine security zone. The Local Machine zone allowed files to run in Internet Explorer with few restrictions. Attackers found that they could exploit the Local Machine zone and its looser restrictions to access a user's computer. By using controls that are restricted to trusted zones, an attacker could elevate privileges and compromise the user's computer. The attacker would then have unrestricted access to the computer's content.

To mitigate this security risk, Internet Explorer 6 for Windows XP SP2 "locks down" the Local Machine zone. When the user opens an active HTML document, Internet Explorer prohibits the active content from running and displays an Information Bar. The user must then decide whether to permit the action that triggered the Information Bar. The Local Machine zone lockdown prevents the user's computer from automatically executing any scripts, and from using ActiveX and other controls. You can turn this feature off through the following steps:

1) Open the Internet Options dialogue from the Tools menu and go to the Advanced tab.
2) Scroll to the Security section.
3) Make sure "Allow active content to run in files on My Computer" is checked.

 

Picture 2  

If you want to customize the security settings for the My Computer zone, switch to the Security tab, choose the My Computer zone, then click the "Custom level..." button below.

 

Picture 3

With this security settings dialogue (picture 4), you can either reset the settings to the Medium or High security zone template (a URL security zone template is a tool that lets users specify levels of restriction in easy-to-understand terms: High, Medium-High, Medium, Medium-Low, and Low) or set them in detail by checking or unchecking individual options.

 

Picture 4

Note: if the My Computer zone is not displayed in the zones settings UI, the following article may be useful to you.

Why is "My Computer" Zone hidden in inetcpl in Internet Explorer and how do I make it show up?

I was recently asked this question by someone so I did a bit of a look around to find the answer to this and thought I'd share it with the rest of you.

A quick word to clarify what I am talking about. In Internet Explorer, there are 5 Security Zones that are basically trust namespaces. A certain URL can end up in one of these 5 zones and then conforms to the policies described in that particular zone for all its URLActions. All but one of these security zones are exposed through the UI in inetcpl under the Security Tab, which shows the Local Intranet, Trusted, Internet and Restricted zones in there. You can either set these zones to one of the predefined template settings or you can control the policies in these zones for individual URLActions by setting the level to 'Custom' and editing the policies. My Computer (aka Local Machine) zone, however, is not shown in this UI. That is the way it has always been. The reason this was the case was because Local Machine Zone was a zone of extremely high trust and we did not want the user making any changes to the security policies in that zone. The settings were historically low to begin with, and this was one of the reasons why in XPSP2, we came out with the idea of Local Machine Zone Lockdown (LMZL) to clamp down on some of the key settings in this zone for IE. Long story short, it was deemed unsafe to make the My Computer zone visible in the UI. But that does not mean that it can't be done. It used to be a simple registry tweak that would make it show up but due to LMZL, it's become a little bit non-intuitive and somewhat less useful in actual terms of being able to modify active Local Machine Zone policy from the UI.

Every zone has some attributes like the name, description, icon that are used to describe the zone. These attributes sit in the registry at the following location:

HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/[0-4] 

The last number is the zone ID which is 0 for Local Machine Zone. This is the same location where the actual URLAction policy set is stored as well. One of the DWORDs under these keys is the Flags DWORD that is a bitmask of the Zone Attribute Flags (ZAFLAGS). One of these attributes is the ZAFLAGS_NO_UI attribute which is defined as 0x00000020. This attribute controls whether that particular zone shows up in the inetcpl UI or not. So really, unsetting that particular bit on the Flags DWORD should make the zone appear, right? WRONG!!! It used to be that way and it would still work if you are running inetcpl inside of a rundll32.exe to see the changes. But if you are running it from inside of iexplore.exe, you will notice that the My Computer icon does not show up on the Security Tab inside inetcpl. So what's going on? Why isn't it showing up? The answer is LMZL. Due to LMZL, now inetcpl uses the Zone Attributes from the Lockdown zone settings instead of the normal zone settings for Local Machine to decide whether to show it in the UI or not. So in order to make My Computer show in the UI, you will need to change the Flags DWORD under the Lockdown_Zones/0 .. so the location you need to change is at the following registry location:

HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Lockdown_Zones/0

Change the Flags DWORD to remove the 0x00000020 flag and now you should be able to see the My Computer icon in the Security Tab in inetcpl UI. So what does that give you? It gives you the ability to click the Custom Level button and change the settings for individual URLActions for My Computer Zone just like you can do for other zones. So picture this, you don't want scripts to run in the Local Machine Zone, so you open up inetcpl and go to the Security tab and click on the My Computer icon and then click the Custom Level button that takes you to the Security Settings dialog. On that dialog, you scroll down to the Scripting section and change the value for Active Scripting to Disable. You apply the settings and then load up a local html file with a script in it. The script doesn't load and you see an Information Bar telling you about it. Working as expected, you think, until you click on the information bar and it gives you an option to "Allow blocked content". You click it and your script runs. What just happened??? Didn't you just block scripts from running? Did that setting not take effect? Is there something else that needs to be done? Well, what just happened is that you just edited the settings for the Normal Local Machine zone from the UI. But since you're running inside IE, LMZL is turned ON for the process and the setting for LMZL dictates that you simply prompt the user about scripts in the page and if the user chooses to allow it, it goes ahead and allows it. So even though inetcpl reads the Attributes from the Lockdown_Zones, it still reads the policy settings from the Normal Zone hive in the registry and all changes made from the UI take effect in the normal Zones/0 hive as well. So really all that hassle to make My Computer show up in the UI achieves little if anything at all as far as IE is concerned. The changes that you make through it will affect other processes that do not have Local Machine Zone Lockdown turned ON for them.

But due to security reasons and the entire concept of "Locking Down" the local machine, inetcpl does not allow you to change the active LMZL policies from the UI. This is consistent with the original intent of not allowing the users to mess with the Local Machine Zone policies. The only 'weird' thing is that you have to change the NO_UI attribute under the Lockdown_Zones/0 for the UI to show My Computer, but changes to settings work in the opposite way.

All part of a grand plan to obfuscate the settings from the user? Not really. The original idea was simple: set the flag so that it doesn't show up, advanced users can make it appear by flicking a bit in the registry. But since the default behavior was to not show, it became a bit of an unsupported scenario and subsequent changes have made things more complicated than they need to be. At the end of the day, though, I think it's best not to mess with the Local Machine Zone policies at all. But that doesn't stop us from knowing how to do it if we ever decide to :)
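The split the quoted article describes, with the UI reading zone attributes from Lockdown_Zones\0 but writing policy to Zones\0, is easiest to see by auditing both hives side by side. The following PowerShell is an added example, not code from the original post or from Microsoft; it reads the zone-0 Flags DWORD in each hive, reports the ZAFLAGS_NO_UI bit (0x20), and shows how to clear only that bit. The URLAction ID 1400 (URLACTION_SCRIPT_RUN, the "Active Scripting" policy) is not named on the page and is included as a known value to make the policy comparison concrete.

```powershell
# Added example (not from the original post): audit the My Computer (zone 0) Flags
# DWORD in both the normal Zones hive and the Lockdown_Zones hive.
# URLAction 1400 (URLACTION_SCRIPT_RUN) is the Active Scripting policy; it is not
# named on the page. Policy values: 0 = Enable, 1 = Prompt, 3 = Disable.
$Base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZAFLAGS_NO_UI = 0x20

function Get-ZoneZeroState {
    param([ValidateSet('Zones', 'Lockdown_Zones')][string]$Hive)
    $key   = Join-Path $Base "$Hive\0"
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    $flags = [int]$props.Flags
    [pscustomobject]@{
        Hive       = $Hive
        Flags      = ('0x{0:X8}' -f $flags)
        HiddenInUI = [bool]($flags -band $ZAFLAGS_NO_UI)
        # Registry value named "1400"; $null when the value is absent
        Scripting  = $props.'1400'
    }
}

# The UI decides visibility from Lockdown_Zones\0 but IE under LMZL enforces the
# Lockdown_Zones\0 policy while the UI writes to Zones\0, so compare both.
$states = 'Zones', 'Lockdown_Zones' | ForEach-Object { Get-ZoneZeroState -Hive $_ }
$states | Format-Table -AutoSize

# Clear only the NO_UI bit (the registry tweak the article describes), leaving the
# other ZAFLAGS bits untouched. SupportsShouldProcess keeps the default run read-only.
function Clear-ZoneZeroNoUIFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet('Zones', 'Lockdown_Zones')][string]$Hive = 'Lockdown_Zones')
    $key      = Join-Path $Base "$Hive\0"
    $flags    = [int](Get-ItemProperty -Path $key -ErrorAction Stop).Flags
    $newFlags = $flags -band (-bnot $ZAFLAGS_NO_UI)
    $msg      = 'Set Flags 0x{0:X8} -> 0x{1:X8}' -f $flags, $newFlags
    if ($PSCmdlet.ShouldProcess($key, $msg)) {
        Set-ItemProperty -Path $key -Name Flags -Value $newFlags -Type DWord
    }
}

# -WhatIf only reports the change; drop it to apply the tweak.
Clear-ZoneZeroNoUIFlag -WhatIf
```

Running the audit after a "Disable Active Scripting" change made through the Custom Level dialog shows the 1400 value changing under Zones\0 only, which is exactly why the Information Bar still offers "Allow blocked content" inside IE.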
