Condividi tramite


IEZoneAnalyzer v3.5 with Zone Map Viewer

IEZoneAnalyzer is a utility for viewing and comparing Internet Explorer security zone settings – that is, the configuration settings that grant web sites in the Intranet zone more capabilities in the browser than web sites in the Internet zone.  Earlier today, I wrote about the surprisingly complex rules that determine whether and when explicit mappings of websites to security zones take effect or are ignored.  IEZoneAnalyzer version 3.5 adds a Zone Map Viewer that shows which web sites have been specifically assigned to security zones and whether the assignment is effective. Click on the “Zone Map Viewer” button in the main dialog’s toolbar to display the Zone Map Viewer. You can toggle the Zone Map Viewer between an “Effective Settings” view and a “Raw Settings” view with labeled toolbar buttons.

“Effective Settings” lists the configured web sites and the zones to which they are mapped. The Comments column calls out settings that are applicable only to 32-bit processes or only to 64-bit processes, or that are completely overridden and never take effect. For example, the first screenshot below shows a number of site assignments to Trusted Sites that are overridden because they are defined in User Preferences, but overridden both because the “use only machine settings” group policy is in effect and because a Computer Configuration Site-To-Zone Assignment policy is in effect. The screenshot also shows two overridden settings that are in effect only when Enhanced Security Configuration (ESC) is enabled, which is not the case as shown by the informational lines at the top of the listing. A given site is listed only once in the Effective Settings view. If a site is mapped the exact same way in a registry location that is in effect and in another that is not in use, the “overridden” one is not shown. That is, a setting is shown as “overridden” only if is defined somewhere differently from what is actually in effect.

ZoneMapViewer-EffectiveSettings

The “Raw Settings” view, shown below, shows all site-to-zone configuration settings, listing where they are defined, the zone each is assigned to, and whether that particular setting is in effect or ignored. Both views show the criteria that are used to determine which ZoneMap settings are in effect and which are ignored (per the rules listed in the Appendix.)

ZoneMapViewer-RawSettings

As with all other IEZoneAnalyzer views, columns can be sorted, resized and reordered; content can be searched for specific text, copied to the clipboard and exported to CSV and to Excel files. Further, the sort order for the “Website” columns is based on domain names rather than on a strict alphabetic order. For example, all the “microsoft.com” mappings are grouped together, alphabetized by subdomains in reverse order.

[Updated 14-Oct-2011: Posted v3.5.0.3 to fix a bug, and to change the text associated with URL Action 180C which ended up not being used by Windows or IE.]

[Updated 15-May-2012: Posted v3.5.0.4 to fix a bug involving precedence of Computer policies over User policies.]

[Updated 7-June-2012: Re-posted v3.5.0.4 with the documentation back in! Sorry about that.]

[Updated 20-June-2013: Posted v3.5.0.5: fixes version reporting issue with IE10, added text for additional settings, and added sample files back in, including a new one reporting default settings for IE10 on Win8 x64. It also includes an IEZoneAnalyzer.exe.config file; keep this file in the same directory with IEZoneAnalyzer.exe if you want it to run on a system that has .NET 4.0 but doesn't have .NET 3.5]

IEZoneAnalyzer.3.5.0.5.zip

Comments

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Aaron, While working on compiling the data for our IE9 GPOs, I found what may be a bug with the IEZoneAnalyzer, but I can't be sure. I ran IEZoneAnalyzer on a Win7 32bit machine with IE8 and IE8 Group Policies.  I compared the values reported by IEZoneAnalyzer vs. what the IE8 GPO has configured.  Everything looked great except for the policy "Turn Off First-Run Opt-In" (ID 1208).  According to IEZoneAnalyzer the policy is set to - Enabled  According to our GPO, the policy is set to - Enabled : Disabled Based on your previous response regarding primary settings and option settings, shouldn't the policy show up as "Disabled" in the IEZoneAnalyzer? I am not too worried about it, but I wanted to let you know in case the tools is interpretting the policy value incorrectly.  It's more likely that I am off my rocker and just don't know how to use the tool. Thanks for a great tool!  I use it all the time. P.S.  You wouldn't happen to know if there is a list of all the default policy settings that IE8 and IE9 install with?  I have been trying to find this information, but nobody seems to have it.  Seems odd that MS wouldn't have that documented somewhere. [Aaron Margosis - 15-May-2012]  Finally got some time to dig into this.  As far as I can tell, IEZoneAnalyzer is working correctly.  I opened gpedit.msc and set a bunch of Internet zone settings (including 1208 as you mentioned) to Enabled:Enable and then to Enabled:Disable.  IEZoneAnalyzer correctly reported "Enable" or "Disable" accordingly.  This is just one of those areas of Group Policy that's a little confusing, where you establish a policy by choosing Enabled and then choosing the desired setting for that policy (Enable or Disable).  Choosing Disabled removes the policy and actively deletes the corresponding registry value, so that the program (IE in this case) reverts to the Preferences values.  (Make sense?) When you say "all the default policy settings that IE8 and IE9 install with", do you mean the list of policies that are available, or the default settings for IE8/9?  Policies are not applied by default.

  • Anonymous
    April 17, 2012
    It would be really cool if this app could be used to compare a previously saved file with current IE settings. This way you could quickly determine if any of your original settings have been changed. [Aaron Margosis]  It does!  See the "File" dropdown in the main window.  (It does this only for the security zone settings, not for the zone mappings.)  See the documentation for more information.

  • Anonymous
    May 18, 2012
    I'm getting an error when trying to import saved settings or export local settings. "Unhandled exception has occurred in your application." "Absolute path information is required." [Aaron Margosis]  I haven't seen or heard of that before.  Can you capture a Process Monitor trace?

  • Anonymous
    June 07, 2012
    When comparing between settings (same browser, same OS, different users on identical but different machines) what do the grayed out areas mean for one user? This is a useful tool, but lacks some explanation to the output. Where are "Machine Preferences" set? In IE Security tab or somewhere else? [Aaron Margosis]  OOPS!  The last time I updated the program I forgot to include the extensive documentation I had written for it!  I'll upload that shortly.  In the meantime, gray in a cell means that no setting is defined for that entry. Re Machine Preferences etc., see this post. OK, the download on this page now includes the documentation.  Sorry about that!

  • Anonymous
    June 07, 2012
    Thanks for the quick response! Interesting, as I have a whole set of grayed out cells on my machine where the user has cells set, but when I look in the IE settings on mine they match what the user has set (in my IE Zone Analyzer V3.5.0.4) export of his machine. Are "Machine" preferences the same as "Computer" preferences by a different name? [Aaron Margosis]  Yes, "Machine" == "Computer".  On a vanilla system, recent IE versions have most settings defined in Machine Preferences rather than User.  If you open the security settings dialog, settings will get written into the User side.  Most important, though, are "effective settings".  See the previous link for the precedence order.

  • Anonymous
    June 07, 2012
    The precedence link is great info, I saw that or a version of it yesterday. Our machines are 32 bit (not 64) XP SP3 with IE8. I'm trying to figure out why a particular user has some web pages (intranet, and perhaps internet) with red X picture placeholders. The Admin user on the user's machine shows the page fine indicating it's a user setting, so I downloaded your wonderful program to see which one might cause the problem (although it may be a combination). Compatability mode isn't indicated (although this web page, blogs.technet, shows it, so IE is detecting it). Shouldn't changing a user preference setting be reflected in the registry, esp after exiting & restarting IE? (Or do I have to exit and restart regedit too?) I'm not even seeing the change in IE Zone Analyzer. Granted my setting is grayed out, but shouldn't setting it to a non-inherited setting cause it to be un-grayed out? (Currently I'm playing with User Preferences Trusted Sites 1208 Allow previously unused ActiveX controls to run without prompt Me: <grayed out> User: Enable. There are 32 differences in all.) I may also be barking up the wrong tree for the solution. [Aaron Margosis]  Compatibility mode can be set differently on a page-by-page basis, depending on factors such as whether the page has an X-UA-Compatible tag, whether it's in the Intranet zone, what the Compatibility mode settings and policies are, and more.  The easiest way to check is to use the F12 Developer Tools, which have been built into the last few versions of IE. Setting changes in the registry might require restarting IE, but not usually, from what I've seen.  To pick registry changes up in IEZoneAnalyzer, choose File | Refresh local settings.  Any settings you have added to lists of sets/settings to compare then need to be cleared out and re-added to pick up the changes. Another thought:  It may be a permissions issue on the server if Windows authentication is part of the picture.

  • Anonymous
    July 03, 2013
    Is there a way to change the defualt URL when the program starts (ie: possibly via the config file).  I would like to use this as a support tool and it would be easier if it pointed to our website by default rather than www.microsoft.com. Great tool by the way and thanks for creating it. [Aaron Margosis]  Not at this time, sorry.  I'll consider adding it the next time I update it.  Thanks.

  • Anonymous
    October 17, 2013
    I am getting "Unhandled exception has occurred..." "An entry with the same key already exists."  I can send more debugging info, if you tell me what you need.

  • Anonymous
    October 17, 2013
    Whoops - forgot to add I get the error when selecting Zone Map Viewer button only. [Aaron Margosis] Thanks, yes, I'd like to take a look at this.  If you could please capture aProcess Monitor trace of the error occurring, that would be great.  After you capture the trace, set the filter to show only events belonging to IEZoneAnalyzer.exe, save in native Procmon format (PML) with "events displayed using current filter" and uncheck "profiling events."  Compress to a zip file, come back to this page, click "Email blog author" and we'll trade email.  Thanks again.

  • Anonymous
    October 23, 2013
    Thank you for maintaining this tool and updating it for IE10.  Over the years, it has been very valuable when deflecting the persistent developer myth that there is some mysterious IE setting that prevents their app from working.  I personally have yet to encounter a vendor or developer who has actually found an offensive USGCB or GPO setting using this tool -- instead, I stay out from underneath their bus and they discover a "training opportunity".

  • Anonymous
    November 05, 2013
    Do you think it's possible to compare also Privacy Settings? Thanks, Riccardo

  • Anonymous
    November 27, 2013
    If this tool could be put into a logoff script, and the output could be saved to a file, it would be a significant improvement as it would allow for easy auditing of an entire environment.

  • Anonymous
    December 05, 2013
    The comment has been removed

  • Anonymous
    March 10, 2014
    I am also getting "Unhandled exception has occurred..." "An entry with the same key already exists." when I try to run the Zone Map Viewer. Was this ever resolved? I'm on Windows 7 with IE 9. [Aaron Margosis] I don't think anyone ever followed up with data to resolve this.  Please capture aProcess Monitor trace of the error occurring.  After you capture the trace, set the filter to show only events belonging to IEZoneAnalyzer.exe, save in native Procmon format (PML) with "events displayed using current filter" and uncheck "profiling events."  Compress to a zip file, come back to this page, click "Email blog author" and we'll trade email.  Thanks.

  • Anonymous
    September 18, 2014
    The comment has been removed

  • Anonymous
    October 03, 2014
    Part of the new functionality of EMET allows you to block or allow plugins in IE based on the zone that

  • Anonymous
    December 30, 2014
    From what I can tell, it appears that IE Zone Analyzer incorrectly reports the setting of 120B. The ADMX file lists 0 for DISABLE and 3 for ENABLE on this one setting (the opposite of other settings.) Can someone confirm my finding?

  • Anonymous
    January 21, 2015
    It would be great to broaden this to "IE Settings", so I can compare settings that aren't zone specific like Protected Mode, and the options in the Advanced Tab of Internet Options. [Aaron Margosis] Definitely a good idea.  BTW, Protected Mode is a zone-specific setting.  By default it's enabled for the Internet and Restricted Sites zones, and disabled in other zones.

  • Anonymous
    April 14, 2015
    I get a few weird results that have only unknown as their definition e.g. Unknown (0x1812), Unknown (0x270D). Any clue as to how I can identify what these settings are? [Aaron Margosis]  Try the public SDK. Urlmon.h includes these: #define URLACTION_SHELL_TOCTOU_RISK                            0x00001812 #define URLACTION_ALLOW_CSS_EXPRESSIONS                    0x0000270D

  • Anonymous
    April 16, 2015
    I also have the ZoneMapViewer - Unhandled Exception - An entry with the same key already exists

    In my case this is because I have the following two entries in ZoneMap/Domains (HKCU or HKLM or both and where names have been changed to simplify the typing). I think these are put there programmatically by Group Policy so not entered via the IE GUI.

    -ZoneMap
    - Domains
    - ab.cde.com

    and

    ZoneMap
    - Domains
    - cde.com
    - ab

    These evaluate to the same website (both are https) and hence I guess to the same entry in whatever data structure is used internally in IEZoneAnalyzer.

    I just removed one of the 'duplicate' entries wherever it existed in HKLM and HKCU and I got the ZoneMap table appearing.

    It would be great if this situation could be handled.

    Thanks for a very useful tool and informative blog.

  • Anonymous
    January 12, 2016
    Hi, great tool but no way to have it running (Zone Map Viewer Unhandled Exception – An entry with the same key already exists) on Windows 7 x64 SP1 and IE11.Thank you for your work.Regards.Red.[Aaron Margosis] See whether the previous comment applies to you, too.

  • Anonymous
    February 01, 2016
    Version 3.5.0.5 has a misprint!correct the string: 2600 Disable .NET Framework setupmust be: 2600 Enable .NET Framework setup

    • Anonymous
      February 09, 2016
      @tviki: Well, yes and no. The Group Policy setting is "Turn off .NET Framework Setup", with Enable=3 and Disable=0, and the Internet Properties (inetcpl.cpl) text is "Enable .NET Framework Setup", with Enable=0 and Disable=3. I don't know where the label "Disable .NET Framework setup" came from - perhaps from the Vista timeframe when I first started working on this.
  • Anonymous
    April 05, 2017
    Zone Map Viewer TabAn entry with the same key already exists************** Exception Text System.ArgumentException: An entry with the same key already exists. at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource) at System.Collections.Generic.SortedList`2.Add(TKey key, TValue value) at ZoneMappings.ZoneMaps.Refresh() at IEZoneAnalyzer3.ZoneMapViewer..ctor() at IEZoneAnalyzer3.IEZoneAnalyzerMainDlg.btnZoneMapTool_Click(Object sender, EventArgs e) at System.Windows.Forms.ToolStripItem.RaiseEvent(Object key, EventArgs e) at System.Windows.Forms.ToolStripButton.OnClick(EventArgs e) at System.Windows.Forms.ToolStripItem.HandleClick(EventArgs e) at System.Windows.Forms.ToolStripItem.HandleMouseUp(MouseEventArgs e) at System.Windows.Forms.ToolStrip.OnMouseUp(MouseEventArgs mea) at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks) at System.Windows.Forms.Control.WndProc(Message& m) at System.Windows.Forms.ToolStrip.WndProc(Message& m) at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam) Loaded Assemblies **************mscorlib Assembly Version: 4.0.0.0 Win32 Version: 4.6.1590.0 built by: NETFXREL2 CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll----------------------------------------IEZoneAnalyzer Assembly Version: 3.5.0.5 Win32 Version: 3.5.0.5 CodeBase: file:///D:/Download/Microsoft/IEZoneAnalyzer.3.5.0.5/IEZoneAnalyzer.exe----------------------------------------System.Windows.Forms Assembly Version: 4.0.0.0 Win32 Version: 4.6.1590.0 built by: NETFXREL2 CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll----------------------------------------System Assembly Version: 4.0.0.0 Win32 Version: 4.6.1590.0 built by: NETFXREL2 CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll----------------------------------------System.Drawing Assembly Version: 4.0.0.0 Win32 Version: 4.6.1590.0 built by: NETFXREL2 CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll----------------------------------------System.Configuration Assembly Version: 4.0.0.0 Win32 Version: 4.6.1590.0 built by: NETFXREL2 CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll----------------------------------------System.Core Assembly Version: 4.0.0.0 Win32 Version: 4.6.1590.0 built by: NETFXREL2 CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll----------------------------------------System.Xml Assembly Version: 4.0.0.0 Win32 Version: 4.6.1590.0 built by: NETFXREL2 CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll