IEZoneAnalyzer v3


Announcing a major update to the IE security zone analyzer!

IEZoneAnalyzer is a utility for viewing and comparing Internet Explorer security zone settings. It is particularly valuable on systems controlled through Group Policy, on which the standard security settings dialog does not allow viewing of settings. IEZoneAnalyzer version 3 represents a total rewrite, adding a tremendous amount of new functionality compared to earlier versions. Note that IEZoneAnalyzer does not require administrative rights. It also does not have an installer – just run the utility directly. IEZoneAnalyzer does require.NET Framework 3.5.

Key features of IEZoneAnalyzer:

  • View effective security zone settings for any security zone on the local computer or exported from a remote computer and identify whether each setting was established by policy.
  • Compare settings between two or more security zones or templates.
  • View and compare entire sets of settings captured on different computers or on a single computer over time (e.g., to determine whether a system has drifted from its baseline settings).
  • Export results to Excel or to a Comma Separated Values (CSV) text file.
  • Filter comparison results to show only differences or conflicts.
  • Sort, reorder and resize result columns.
  • Copy selected or all results to the clipboard.

The download includes the program, sample files captured from various fresh systems with default settings, and extensive documentation. [Update, 22 Sept 2011: an updated version of IEZoneAnalyzer can be found here.]

Click on the thumbnails below to see full resolution screenshots:

View effective settings for the Internet zone captured on a Windows 7 x64 system with IE8 and USGCB settings applied:

View effective settings for the Internet zone captured on a Windows 7 x64 system with IE8 and USGCB settings applied

Compare all IE security zone settings on a Windows Vista SP2 with IE7 to those from a Windows XP x64 with IE6:

View effective settings for the Internet zone captured on a Windows 7 x64 system with IE8 and USGCB settings applied

Compare the Medium High template on the local computer, effective settings for the Internet zone on the local computer, and effective settings for the Internet zone captured on a Win7/IE8 system with USGCB settings:

Compare multiple templates and zones against one another

Effective settings for the five security zones exported to Excel:

Effective settings for the five security zones exported to Excel

Comments (11)

  1. Anonymous says:

    Just install Classic Shell. It will restore the zone to the status bar.

  2. tipsinc says:

    very cool application

  3. snissen says:

    Now that IE9 no longer shows the current zone on the status line, this utility is essential!

    [Aaron Margosis] Without getting into the debate about whether that was a good decision on the IE team’s part, you can still see the zone by pressing Alt, then File, then Properties.

  4. Stephane says:

    Thanks a million – you just saved my team days of work with this tool

    [Aaron Margosis]  You’re welcome — that’s what it’s for!

  5. Warren says:

    Thanks..I have used previous version too, but this one is good with some useful enhancements. Good work..Keep it up.

  6. Erik says:

    Does the output indicate the Option set for each policy?

    For example, when I run the tool against the Internet Zone and look at the policy "Submit non-encrypted form data", the tool says the policy is "Enabled".

    When you look at the GPO itself, when you can Enable the policy you have to set one of three options: Prompt, Enable or Disable.

    I can’t tell if the tool is telling me that both the Policy and Option are set to "Enabled" or if the just the policy itself is "Enabled".

    [Aaron Margosis]  Great question.  I just tested, and based on what I saw, disabling the policy and setting it to "not configured" have the same effect — no registry value for that setting under Policies, and consequenly it reverts to whatever the preference
    setting is.  If IEZoneAnalyzer reports "Enabled", the policy is enabled and it is configured to "Enabled."   That’s shown in some spreadsheets as "Enabled:Enabled".  If IEZoneAnalyzer reports "Disabled", consider it "Enabled:Disabled" – as in, the policy is
    turned on and it is set to "Disabled".  (Seriously, no one ever gets confused by how these GP settings work, do they? 🙂

  7. TC says:

    Re. confusing group policy poticy settings -, does this hep? :

    blogs.msdn.com/…/10171462.aspx

  8. RaymondB says:

    Aaron,

    Thank you very much for providing this tool, it is incredibly useful for documentation and debugging purposes.

    Question: On our corporate build (Win7EnterpriseSP1/64, IE 8.0.7601.17514), the following entries appear as "Unknown" at the bottom of the list:

    2708 (Machine Preferences, Enabled)

    2709 (Machine Preferences, Enabled)

    I haven't been able to find useful information about what they might represent – can you help me with this? Thank you very much in advance!

  9. BB says:

    Any plans to incorporate a way to apply the extracted settings to a test machine? My use case would be a customer having difficulty on our web page when using IE, I get the extraction of his settings and compare to a machine that does work and try to find
    the difference that causes the issue. If I could apply his settings it would help easily replicate the issue.

    [Aaron Margosis] Not at this time.  I like that use case, but it would probably be misused.  E.g., people would probably use it to apply policy settings, but policy settings should be set through the Group Policy interfaces rather than being written
    directly to the registry.  It should be possible to extract the machine/user policies from the output using a script and converting it to a form that can be consumed by

    Apply_LGPO_Delta
    …  If I had more spare time – or a customer willing to pay for my time to make it happen…

  10. Anonymous says:

    I've enhanced the IE security zone comparison utility that I posted here a few weeks ago. The new

  11. Anonymous says:

    Pingback from Viewing and Comparing IE Security Zone Settings – enhanced – Microsoft U.S. Partner Team – Partner Community – Microsoft Dynamics Community