Adding Sites to the Enhanced Security Configuration Zones

If your Windows Server 2003 application interacts with Web-based content through Windows Internet Explorer, you might need to place the Web site in a different security zone. By default, in Windows Server 2003, all Web sites are in the Internet zone. This topic describes how to add sites to security zones in the enhanced security configuration.

  • Adding Sites Programmatically
  • Adding Sites with a Registry Merge
  • Instructing Users to Add Sites

Adding Sites Programmatically

One way to add sites to the Intranet or Trusted sites zone is to call the IInternetSecurityManager::SetZoneMapping method exposed by URL Moniker APIs. This enables you to add sites to a security zone either at install time, or at run time. Begin by selecting the security zone which provides the maximum security while still allowing the features required by your application. For a detailed explanation of the security zones and other Internet Explorer settings under the enhanced security configuration, see Enhanced Security Configuration for Internet Explorer.

Security Warning: Adding arbitrary Web sites to the Intranet zone can compromise the security of the server. The Medium-low security template allows NTLM credentials to be sent to sites that request them. Only known sites should be added to the Intranet zone to prevent disclosure of this sensitive data. You should review Security Considerations: URL Security Zones API before continuing.

Add a Web site to the selected zone by creating an instance of the security manager object, and calling IInternetSecurityManager::SetZoneMapping. Combine the URLZONE_ESC_FLAG flag with the flag specifying the security zone, using a bitwise OR operator. Mappings created without the URLZONE_ESC_FLAG flag are not used in the enhanced security configuration.

Security Warning: Adding Web sites to a security zone without using the URLZONE_ESC_FLAG flag can compromise the security of the computer. The URLZONE_ESC_FLAG flag specifies that a URL is mapped to a copy of the specified security zone. Under the enhanced security configuration, this copy is used instead of the original security zone, and any Web sites added without the URLZONE_ESC_FLAG flag are ignored. Earlier versions of Windows, however, use the original security zones with less restrictive security templates. If your installation script adds Web sites to the original security zones and is run in an earlier version of Windows, your application makes the computer more susceptible to attack. You should review Security Considerations: URL Security Zones API before continuing.

The following sample shows how to add the URL "https://msdn.microsoft.com" to the Trusted sites zone.

    #include <windows.h>
    #include <urlmon.h>       // IInternetSecurityManager, URLZONE_*, SZM_*
    #pragma comment(lib, "urlmon.lib")
    #pragma comment(lib, "ole32.lib")

    // Maps https://msdn.microsoft.com into the enhanced security configuration
    // copy of the Trusted sites zone. Returns S_OK or the HRESULT of the call
    // that failed.
    HRESULT AddTrustedSite()
    {
        IInternetSecurityManager *pSecurityManager = NULL;
        HRESULT hResult = S_OK;

        hResult = ::CoInitialize(NULL);
        if (FAILED(hResult))
            return hResult;

        hResult = CoCreateInstance( CLSID_InternetSecurityManager,
                                    NULL,
                                    CLSCTX_INPROC_SERVER,
                                    IID_IInternetSecurityManager,
                                    (void **)&pSecurityManager );

        if (SUCCEEDED(hResult))
        {
            // URLZONE_ESC_FLAG selects the enhanced security configuration copy
            // of the zone; a mapping made without it is ignored under ESC.
            hResult = pSecurityManager->SetZoneMapping(URLZONE_ESC_FLAG|URLZONE_TRUSTED,
                                                       L"https://msdn.microsoft.com",
                                                       SZM_CREATE );

            pSecurityManager->Release();
        }
        ::CoUninitialize();
        return hResult;
    }

If a Web site is open prior to adding it to the Trusted sites or Intranet zone, the user must restart Internet Explorer for these changes to take effect. If zones are mapped as part of an installation, you should delete your zone mappings as part of the uninstallation procedure when the user uninstalls your application.

Adding Sites with a Registry Merge

Web sites can be added to the Intranet or Trusted sites zone by directly modifying the registry. The key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains contains the zone mappings under the enhanced security configuration. Each subkey of this key is a Web site domain; a host within that domain is a further subkey of the domain key. Each of these keys has values whose name is the allowed protocol and whose data is the zone to which that protocol belongs for the domain. A value of 0x001 indicates the Intranet zone and a value of 0x002 indicates the Trusted sites zone.

The following sample shows the entries in a .reg file that are used to add the URL "http://www.msdn.microsoft.com" to the Trusted sites zone.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\microsoft.com]
@=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\microsoft.com\www.msdn]
"http"=dword:00000002

The following sample shows the entries in a .reg file that are used to add the URL "http://widgets" to the Intranet zone.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\widgets]
"http"=dword:00000001

If a Web site was open prior to adding it to the Trusted sites or Intranet zone, the user must restart Internet Explorer for these changes to take effect.
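The same EscDomains layout can be managed from a script instead of a merged .reg file. The following PowerShell is an added example, not part of this topic: it builds the key path the way the samples above lay it out (domain key, host subkey, protocol value name, 1 for Intranet and 2 for Trusted sites), removes the mapping again at uninstall as the programmatic section recommends, and lists the current ESC mappings so that unexpected Intranet entries can be reviewed. It assumes a two-label registrable domain and that it runs as the user whose HKCU hive is being changed; the function names are the example's own.

```powershell
# Added example; assumptions are stated in the lead-in. 1 = Intranet, 2 = Trusted sites.
$EscDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'

function Get-EscDomainKeyPath {
    param([Parameter(Mandatory)][uri]$Url)
    $labels = $Url.Host.Split('.')
    # "widgets" or "microsoft.com" sit directly under EscDomains; deeper hosts use the last
    # two labels as the domain key and the rest as a subkey (microsoft.com\www.msdn).
    if ($labels.Count -le 2) { return Join-Path $EscDomains $Url.Host }
    $domain = $labels[-2..-1] -join '.'
    $sub    = $labels[0..($labels.Count - 3)] -join '.'
    return Join-Path (Join-Path $EscDomains $domain) $sub
}

function Add-EscZoneMapping {
    param([Parameter(Mandatory)][uri]$Url,
          [Parameter(Mandatory)][ValidateSet('Intranet', 'Trusted')][string]$Zone)
    $zoneValue = if ($Zone -eq 'Intranet') { 1 } else { 2 }
    $keyPath = Get-EscDomainKeyPath $Url
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    # Value name is the protocol taken from the URL ("http"/"https"), data is the zone number.
    New-ItemProperty -Path $keyPath -Name $Url.Scheme -Value $zoneValue `
        -PropertyType DWord -Force | Out-Null
}

function Remove-EscZoneMapping {
    # Uninstall counterpart: drop the protocol value and the host key if it is now empty.
    param([Parameter(Mandatory)][uri]$Url)
    $keyPath = Get-EscDomainKeyPath $Url
    if (-not (Test-Path $keyPath)) { return }
    Remove-ItemProperty -Path $keyPath -Name $Url.Scheme -ErrorAction SilentlyContinue
    $key = Get-Item $keyPath
    if ($key.ValueCount -eq 0 -and $key.SubKeyCount -eq 0) { Remove-Item $keyPath }
}

function Get-EscZoneMappings {
    # Review helper: one object per protocol mapping; Intranet entries deserve a second look.
    Get-ChildItem -Path $EscDomains -Recurse | ForEach-Object {
        $key      = $_
        $parts    = $key.Name.Substring($key.Name.IndexOf('EscDomains\') + 11).Split('\')
        $hostName = if ($parts.Count -eq 2) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
        foreach ($name in ($key.GetValueNames() | Where-Object { $_ })) {
            $zone = switch ($key.GetValue($name)) { 1 { 'Intranet' } 2 { 'Trusted' } default { $_ } }
            [pscustomobject]@{ Host = $hostName; Protocol = $name; Zone = $zone }
        }
    }
}

Add-EscZoneMapping -Url 'https://msdn.microsoft.com' -Zone Trusted; Get-EscZoneMappings
```

Internet Explorer still has to be restarted for a mapping written this way to take effect, exactly as for a merged .reg file.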

Instructing Users to Add Sites

If your Web-based application receives a User-Agent request header that includes the string "Windows NT 5.2", the request was made from a computer running Windows Server 2003. In that case, any HTML sent to the client should include a NOSCRIPT element with instructions describing how to add your application to the Trusted sites zone. These instructions are only displayed when the enhanced security configuration is enabled, because script is disabled for the Internet zone under that configuration. The following sample shows how to use the NOSCRIPT element.

<noscript>
    <p>Script, ActiveX Controls, and file downloads are not available for
    Internet sites under the enhanced security configuration. Add this URL
    to the Trusted sites zone to continue.</p>
</noscript>