
HOWTO: Lockdown Internet Explorer using a Trusted Zone helper

Nathan Evans, 14 Jan 2005
This article includes a fully working JavaScript with a user interface that plugs in to Internet Explorer. The plugin allows you to effortlessly manage which websites are part of your "Trusted Zone". The Trusted Zone is a little-used (and generally little-known) powerful security feature of

Introduction

Recently there has been a lot of bad press surrounding Internet Explorer, a lot of it quite undeserving in my opinion. I frequent several web forums and I am seeing them literally overrun with people proclaiming the virtues of switching to Firefox, but frankly I don't buy it (at least, not yet). The main problem with Internet Explorer is its users. I don't mean that offensively - it's just a simple fact that Microsoft always gets lumbered with the computer novices, because they create the easiest to use and most widely available software. The effect this has on Microsoft is devastating, as has been proven by Firefox slowly but surely taking away market share.

I am not saying that IE is perfect - because evidently it is not, but I am saying that its biggest problem is the user base.

Microsoft took big strides with SP2, and it has been slowing recently - only a handful of hot fixes have been released since its debut last year. And it is always pleasing to see attached to the bottom of security advisories, often in the small print, "XP Service Pack 2 not affected".

There are, however, still several recurring, what I call, "hacker hot spots" which weren't fully plugged up in Service Pack 2. These, of course, are Active Scripting and almost anything linked to it. Only recently were several more vulnerabilities discovered in this particular part of Internet Explorer, and for a couple of months now security advisories, even from the likes of CERT, have been suggesting disabling Active Scripting and several other related privileges on the "Internet Zone" of IE.

At which point I thought "Why would I want to disable Active Scripting when probably half of my regularly visited sites require it even to log in?" And that's when it occurred to me. Why not just add all my favourite sites to the "Trusted Zone", and set the security privileges of the Trusted Zone fairly low whilst keeping the Internet Zone security level on the highest possible (and with Active Scripting disabled)?

IE doesn't seem to have an easy to access interface to control which sites you trust and don't trust. So that's where this "Code Project" of mine comes in…

Internet Explorer Trusted Zone helper plugin

After some thought, I decided that what's needed is an additional menu item on the right-click context menu of any web page… a dialog of some kind that will let you add/remove the current site's domain to and from the Trusted Zone with just a couple mouse clicks and no hassle.

My first version was nothing more than just a simple JavaScript confirm() message box asking if you wanted to add "domain.com" to the Trusted Zone, and if it was already there it asked if you wanted to remove it. This was an okay utility for my personal use for a couple days but I really wanted to make it a bit more user friendly, powerful, a hint of style, something that I could distribute on great web sites like this.

For the interface, I decided to almost completely "rip off" the new dialog on Service Pack 2's Internet Explorer that asks you to confirm the Publisher before running an executable:

This is what I ended up with:

Now you're probably thinking "that's just a normal Windows dialog", but you'd be wrong. It's actually an HTML table, two form buttons (but no form), and a clever use of CSS styling. IE's CSS supports system colors, so for the background color it was just a matter of using background-color:ButtonFace;, and for the font color color:WindowText, and of course the standard dialog font since Windows 2000 has been Tahoma, but for good measure I used "font: 8pt Tahoma, MS Shell Dlg".

Internals

To add the extra menu item on IE's right-click menu (also known as context menu), it's as simple as adding the following entry to the Registry:

"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\My new menu"

Here's what my plug-in looks like:

There are also two additional keys available, Contexts and Flags.

Contexts lets you specify which HTML elements the extra menu item will be available on. So if you were developing a Download Manager you would only assign a Context to anchor links. But for my plugin, I use Contexts of 0x1 (also known as default). Default means the menu item is only available when the user right-clicks the body of the web page - that is, they haven't right-clicked on any specific element of the page such as an image or a selection of text.

Flags is a bit more involved. Setting this parameter to 0x1 (like I have in my plugin) will mean that your JavaScript will be opened in a new Modal Dialog window. Technically, it is very similar to the createModalDialog method in DOM - however having Flags does give you slightly more privileges as it is of course running in the local machine and not on some web site.

The next part concerns IE's ZoneMap Registry keys, located at "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains". This is where all the details of which sites are and aren't trusted are stored. It is just a matter of my plugin manipulating these registry keys, adding and removing entries as the user desires. It can get a little complicated though, as IE doesn't recognize all SLDs (second level domains). For example, "adslguide.org.uk" and any other domains using ".org.uk" will all be stored under one tree titled "org.uk", whereas IE does recognize other SLDs such as ".co.uk", and any domain using such an SLD will always be stored in a unique key to itself. It took a lot of trickery in my JavaScript to get this working seamlessly and flawlessly to the user's eyes.

In my script's source code, I refer to "Known SLD" and "Unknown SLD". Probably quite obvious by now, but a Known SLD is one that IE recognizes (ex: ".co.uk") and an Unknown SLD is one that it doesn't (ex: ".org.uk").
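The ZoneMap layout described above can be read back to check what the Trusted Zone actually contains. The following is an added example for Node.js, not the plugin's own code: it parses a `reg export` of the ZoneMap\Domains key and rebuilds each host name, including the "Unknown SLD" case where adslguide is a subkey of org.uk. The function names, the sample export and the shared-suffix list are assumptions; so are the standard ZoneMap conventions the page does not spell out (zone number 2 means Trusted sites, value names are a protocol or "*") and the reading that a zone value placed directly on a shared parent key such as org.uk covers every site under that suffix.

```javascript
// Added example: audit a `reg export` of IE's ZoneMap\Domains (run with Node.js).
const ROOT = "\\ZoneMap\\Domains\\";
const TRUSTED = 2; // ZoneMap zone numbers: 2 = Trusted sites, 3 = Internet, 4 = Restricted

// Constructed sample export; adslguide.org.uk is the article's example, the rest are made up.
const HKCU = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings";
const SAMPLE_REG = [
  "Windows Registry Editor Version 5.00",
  "",
  `[${HKCU}${ROOT}example.co.uk\\www]`,
  '"https"=dword:00000002',
  "",
  `[${HKCU}${ROOT}org.uk]`,
  '"*"=dword:00000002',
  "",
  `[${HKCU}${ROOT}org.uk\\adslguide]`,
  '"http"=dword:00000002',
  "",
  `[${HKCU}${ROOT}example.net]`,
  '"*"=dword:00000004',
].join("\r\n");

// Turn the export into { host, scheme, zone } records.
function parseZoneMap(regText) {
  const entries = [];
  let host = null;
  for (const raw of regText.split(/\r?\n/)) {
    const line = raw.trim();
    const key = /^\[(.+)\]$/.exec(line);
    if (key) {
      const at = key[1].indexOf(ROOT);
      // Domains\org.uk\adslguide -> adslguide.org.uk: subkeys are host labels, innermost last.
      host = at < 0 ? null : key[1].slice(at + ROOT.length).split("\\").reverse().join(".");
      continue;
    }
    const val = /^"([^"]+)"=dword:([0-9a-fA-F]{8})$/.exec(line);
    if (val && host) entries.push({ host, scheme: val[1], zone: parseInt(val[2], 16) });
  }
  return entries;
}

// Keep Trusted Zone entries and note the ones that trust more than one HTTPS site.
function auditTrusted(entries, sharedSuffixes) {
  return entries.filter((e) => e.zone === TRUSTED).map((e) => {
    const notes = [];
    if (e.scheme !== "https") notes.push("not limited to https");
    if (sharedSuffixes.includes(e.host)) notes.push("zone set on a shared suffix key");
    return { host: e.host, scheme: e.scheme, notes };
  });
}

console.log(auditTrusted(parseZoneMap(SAMPLE_REG), ["org.uk"]));
```

A real export written by `reg export` is UTF-16LE, so read it with `fs.readFileSync(path, "utf16le")` before passing the text to `parseZoneMap`.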

At the moment you can't use this plugin to trust an IP address. I am still debating with myself if there is a requirement to trust an IP address. But feel free to modify the source code if you require that functionality.

One neat thing that I am quite proud of, despite its simplicity, is the way the script can handle sites with a "favicon.ico". For those who don't know, this is a regular Icon file on the root of the domain of a website which modern browsers can use for the Icon on their Favourites list. As I said before, I was quite keen to keep the user interface in keeping with the new security dialogs in SP2's IE, and as you can see on the screenshot above it displays the Icon of the executable. So I thought I would use the site's favicon to display the Icon of the site you are about to trust. I don't know, just gives it that little edge I suppose. If the site doesn't have a favicon it will fall back to a standard Icon (see the code to find out how that works). I wanted to make it use a res:// URL to fetch a standard system Icon but for some reason <img> and res:// with an .ico doesn't work at all.

Please note: I have only tested this code on my Windows XP Service Pack 2 workstation. Though I don't see any reason why it wouldn't work on even an IE5 system.

Recommended security zone settings

You can configure the privileges of your Internet and Trusted Zones by entering Internet Options->Security tab. Select the zone and click "Custom Level…" button.

Internet Zone

Run components not signed with Authenticode = Disable
Run components signed with Authenticode = Disable
Automatic prompting for ActiveX controls = Disable
Binary and script behaviours = Enable
Download signed ActiveX controls = Disable
Download unsigned ActiveX controls = Disable
Initialize and script ActiveX controls not marked as safe = Disable
Run ActiveX controls and plug-ins = Enable
Script ActiveX controls marked safe for scripting = Enable
Automatic prompting for file downloads = Disable
File Download = Enable
Font Download = Disable
Java permissions = High safety
Access data sources across domains = Disable
Allow META REFRESH = Enable
Allow scripting of Internet Explorer Webbrowser control = Disable
Allow script-initiated windows without size or position constraints = Disable
Allow web pages to use restricted protocols for active content = Prompt
Display mixed content = Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists = Disable
Drag and drop or copy and paste files = Disable
Installation of desktop items = Disable
Launching programs and files in an IFRAME = Disable
Navigate sub-frames across different domains = Enable
Open files based on content, not file extension = Enable
Software channel permissions = High safety
Submit nonencrypted form data = Enable
Use Pop-up Blocker = Enable
Userdata persistence = Enable
Web sites in less privileged web content zone can navigate into this zone = Enable
Active Scripting = Disable
Allow paste operations via script = Disable
Scripting of Java applets = Enable
Logon = Automatic logon only in Intranet zone

Trusted Zone

Run components not signed with Authenticode = Disable
Run components signed with Authenticode = Enable
Automatic prompting for ActiveX controls = Disable
Binary and script behaviours = Enable
Download signed ActiveX controls = Prompt
Download unsigned ActiveX controls = Disable
Initialize and script ActiveX controls not marked as safe = Disable
Run ActiveX controls and plug-ins = Enable
Script ActiveX controls marked safe for scripting = Enable
Automatic prompting for file downloads = Disable
File Download = Enable
Font Download = Enable
Java permissions = High safety
Access data sources across domains = Disable
Allow META REFRESH = Enable
Allow scripting of Internet Explorer Webbrowser control = Enable
Allow script-initiated windows without size or position constraints = Disable
Allow web pages to use restricted protocols for active content = Prompt
Display mixed content = Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists = Disable
Drag and drop or copy and paste files = Enable
Installation of desktop items = Disable
Launching programs and files in an IFRAME = Disable
Navigate sub-frames across different domains = Enable
Open files based on content, not file extension = Enable
Software channel permissions = Medium safety
Submit nonencrypted form data = Enable
Use Pop-up Blocker = Enable
Userdata persistence = Enable
Web sites in less privileged web content zone can navigate into this zone = Enable
Active Scripting = Enable
Allow paste operations via script = Disable
Scripting of Java applets = Enable
Logon = Automatic logon only in Intranet zone

Installation

Please see the Readme.txt included in the ZIP archive.

Change Log

  • 19-01-2005:
    • Fixed icon sizing bug - ex: 16x16 icons now display properly, instead of being rescaled to 32x32.
    • Fixed option button selection not firing when clicking the option's text.
    • Added to article a screenshot of the right-click menu.
  • 14-01-2005: Initial release.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.


About the Author

Nathan Evans
Software Developer (Senior)
United Kingdom
I am the lead developer of numerous .NET-based networking and communication server systems for Windows, for a company based in Cambridge. Including SMS/SMPP, VOIP and VoiceXML technologies.

Comments and Discussions

 
Thanks Nathan - Use It all the Time! (Evilgrows, 19-Feb-06 0:21)
Thanks Nathan for thinking up this Great plug-in for IE. I use it all the time!

- Evil
Article Copyright 2005 by Nathan Evans