Registry Keys for IE's Security Zones

Discussion in 'other anti-malware software' started by Dazed_and_Confused, Jul 10, 2005.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Does anyone know what the Windows (XP) Registry Keys are for IE's various security zones? Actually, I think I'm close. I know the following key represents one of them, but I don't know which zone it represents. Thanks!

    hkey_users\...\software\microsoft\windows\currentversion\internet settings\zonemap\domains
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    The Domains key is where Trusted and Restricted Site URLs are placed....so it's not necessarily Zone specific.
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Not sure I follow you, Bubba. When a site is added to the key I gave above, what does that mean? :doubt:


    Edit: I may have figured it out. For a specific site, if the REG_DWORD has a value of (4), it's in the trusted zone. If the value is (2), it's restricted. Right?
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I'll flip that around a bit.

    When you add a site to your Trusted Zone in IE (Tools\Internet Options\Security tab....click to highlight Trusted Zone....then the Sites button)....Internet Explorer then stores that info in the above mentioned Domains key. The same holds true for sites added to the Restricted Zone of IE....they go to the Domains key also.

    To tell the entries apart in the registry....the Trusted Zone has a dword value of 0x00000002 (2)
    ....and the Restricted Zone has a dword value of 0x00000004 (4)
     
  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, Bubba. :D I guess I had it backwards. That's really helpful to know!
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    You are welcome....and almost all settings and sub-keys for Internet Explorer....regardless of its version or the OS used....are stored in the software\microsoft\windows\currentversion\internet settings key.
     
  7. JRosenfeld

    JRosenfeld Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    117
    just to complete: the Dword value name is *
     
  8. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    The reason I asked the question is that MJRW caught entries being made to this registry key. Unfortunately, MJRW doesn't give you the DWORD_VALUE within its warning window, so it's impossible to tell what zone it's being added to. :(

    Now I have to find out what caused these entries to be made. o_O

    Thanks again!! :-*
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Just remember....that's where SpywareBlaster places entries from its Restricted Sites database....and also Spybot's Immunization feature places its Restricted Sites database there....just to name a few programs ;)
     
  10. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks. I use both of those, and that is what I was thinking. But I wasn't running either of them at the time the changes were made.


    By the way, when I right-click the registry entry that was quarantined by MJRW, the Windows Explorer context menu gives me a "Merge" option. Does that option, when selected, insert the registry entry into the proper location in the registry?
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Indeed it does....Merging a .reg file or importing a .reg file via regedit into the registry are one and the same.
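
Added example, not part of the original thread: before merging a quarantined or exported .reg file, a short Python script can list which IE zone each ZoneMap\Domains entry would be assigned to. Zone numbers 2 and 4 are the ones given in the thread; 0, 1 and 3 are the remaining standard IE zone numbers, the handling of value names other than `*` (such as `http`) and of subdomain subkeys goes beyond what the thread covers, and the sample .reg text and the function name `zone_entries` are constructed for illustration.

```python
import re

# Zone numbers: 2 and 4 are the values given in the thread; 0, 1 and 3 are
# the remaining standard IE zone numbers, added here for completeness.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
DWORD_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{1,8})$')
MARKER = "\\internet settings\\zonemap\\domains\\"


def zone_entries(reg_text):
    """Return (site, value_name, zone_number, zone_name) for every DWORD
    under ...\\Internet Settings\\ZoneMap\\Domains in .reg file text."""
    results, site = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            deleting, path = key.group(1) == "-", key.group(2)
            pos = path.lower().find(MARKER)
            if deleting or pos < 0:
                site = None          # key removal or unrelated key
            else:
                # Subkeys below the domain key are subdomains:
                # Domains\example.com\www  ->  www.example.com
                parts = path[pos + len(MARKER):].split("\\")
                site = ".".join(reversed(parts))
            continue
        value = DWORD_RE.match(line)
        if value and site:
            number = int(value.group(2), 16)
            results.append((site, value.group(1), number,
                            ZONES.get(number, "unknown zone")))
    return results


# Constructed sample, not taken from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trusted.example\www]
"http"=dword:00000002
'''

if __name__ == "__main__":
    for site, name, number, zone in zone_entries(SAMPLE_REG):
        print(f"{site:25} {name:6} {number}  {zone}")
```

Files exported by regedit in the "Version 5.00" format are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `zone_entries`.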
     