IEZoneAnalyzer v3.5 with Zone Map Viewer


IEZoneAnalyzer is a utility for viewing and comparing Internet Explorer security zone settings – that is, the configuration settings that grant web sites in the Intranet zone more capabilities in the browser than web sites in the Internet zone.  Earlier today, I wrote about the surprisingly complex rules that determine whether and when explicit mappings of websites to security zones take effect or are ignored.  IEZoneAnalyzer version 3.5 adds a Zone Map Viewer that shows which web sites have been specifically assigned to security zones and whether the assignment is effective. Click on the “Zone Map Viewer” button in the main dialog’s toolbar to display the Zone Map Viewer. You can toggle the Zone Map Viewer between an “Effective Settings” view and a “Raw Settings” view with labeled toolbar buttons.

“Effective Settings” lists the configured web sites and the zones to which they are mapped. The Comments column calls out settings that are applicable only to 32-bit processes or only to 64-bit processes, or that are completely overridden and never take effect. For example, the first screenshot below shows a number of site assignments to Trusted Sites that are defined in User Preferences but overridden, both because the “use only machine settings” group policy is in effect and because a Computer Configuration Site-To-Zone Assignment policy is in effect. The screenshot also shows two overridden settings that would be in effect only when Enhanced Security Configuration (ESC) is enabled, which is not the case here, as shown by the informational lines at the top of the listing. A given site is listed only once in the Effective Settings view. If a site is mapped the exact same way in a registry location that is in effect and in another that is not in use, the “overridden” one is not shown. That is, a setting is shown as “overridden” only if it is defined somewhere differently from what is actually in effect.

[Screenshot: ZoneMapViewer-EffectiveSettings]

The “Raw Settings” view, shown below, lists all site-to-zone configuration settings: where each is defined, the zone it is assigned to, and whether that particular setting is in effect or ignored. Both views show the criteria that are used to determine which ZoneMap settings are in effect and which are ignored (per the rules listed in the Appendix).

[Screenshot: ZoneMapViewer-RawSettings]

As with all other IEZoneAnalyzer views, columns can be sorted, resized and reordered; content can be searched for specific text, copied to the clipboard and exported to CSV and to Excel files. Further, the sort order for the “Website” columns is based on domain names rather than on a strict alphabetic order. For example, all the “microsoft.com” mappings are grouped together, alphabetized by subdomains in reverse order.

[Updated 14-Oct-2011:  Posted v3.5.0.3 to fix a bug, and to change the text associated with URL Action 180C which ended up not being used by Windows or IE.]

[Updated 15-May-2012:  Posted v3.5.0.4 to fix a bug involving precedence of Computer policies over User policies.]

[Updated 7-June-2012:  Re-posted v3.5.0.4 with the documentation back in!  Sorry about that.]

[Updated 20-June-2013:  Posted v3.5.0.5:  fixes version reporting issue with IE10, added text for additional settings, and added sample files back in, including a new one reporting default settings for IE10 on Win8 x64.  It also includes an IEZoneAnalyzer.exe.config file; keep this file in the same directory with IEZoneAnalyzer.exe if you want it to run on a system that has .NET 4.0 but doesn’t have .NET 3.5.]

IEZoneAnalyzer.3.5.0.5.zip

Comments (24)

  1. Anonymous says:

    Version 3.5.0.3 shows wildcards incorrectly? For a trusted zone assignment from a Machine source set by a GPO, the protocol wildcard displays properly in the zone map viewer but the wildcard is omitted for sub domains. For example, in the "GPO:/Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List", the trusted zone assignment *://*.domain.local is created. The local registry entries show

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ord.local *

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey *.domain.local

    but the zone map viewer shows *://domain.local

    while the same assignment of a User Preferences source made as a preference from a "GPO:/User Configuration/Policies/Windows Settings/Internet Explorer Maintenance/Security/Security Zones and Content Ratings/Trusted sites (Security Level: Medium)/Sites/Sites in this zone" shows *://*.domain.local

    What gives? Is this a bug? Thanks for all the great tools Aaron!

    [Aaron Margosis – 15-May-2012]  Finally got some time to dig into this.  As far as I can tell, IEZoneAnalyzer is working correctly.  Remember that the values under ZoneMapKey don’t matter, only the values under ZoneMap.  Where you see something like a key named "domain.local" containing a value "*" associated with data "1", the "*" means "all protocols", not "all subdomains".  Try creating an assignment for https://*.domain.local, and you’ll see the value "https" appear in the registry instead of "*", meaning that the assignment applies to the domain only for the https protocol.  Apparently "*" as a subdomain gets dropped.

  2. Anonymous says:

    Aaron,

    While working on compiling the data for our IE9 GPOs, I found what may be a bug with the IEZoneAnalyzer, but I can’t be sure.

    I ran IEZoneAnalyzer on a Win7 32bit machine with IE8 and IE8 Group Policies.  I compared the values reported by IEZoneAnalyzer vs. what the IE8 GPO has configured.  Everything looked great except for the policy "Turn Off First-Run Opt-In" (ID 1208).

     According to IEZoneAnalyzer the policy is set to – Enabled

     According to our GPO, the policy is set to – Enabled : Disabled

    Based on your previous response regarding primary settings and option settings, shouldn’t the policy show up as "Disabled" in the IEZoneAnalyzer?

    I am not too worried about it, but I wanted to let you know in case the tool is interpreting the policy value incorrectly.  It’s more likely that I am off my rocker and just don’t know how to use the tool.

    Thanks for a great tool!  I use it all the time.

    P.S.  You wouldn’t happen to know if there is a list of all the default policy settings that IE8 and IE9 install with?  I have been trying to find this information, but nobody seems to have it.  Seems odd that MS wouldn’t have that documented somewhere.

    [Aaron Margosis – 15-May-2012]  Finally got some time to dig into this.  As far as I can tell, IEZoneAnalyzer is working correctly.  I opened gpedit.msc and set a bunch of Internet zone settings (including 1208 as you mentioned) to Enabled:Enable and then to Enabled:Disable.  IEZoneAnalyzer correctly reported "Enable" or "Disable" accordingly.  This is just one of those areas of Group Policy that’s a little confusing, where you establish a policy by choosing Enabled and then choosing the desired setting for that policy (Enable or Disable).  Choosing Disabled removes the policy and actively deletes the corresponding registry value, so that the program (IE in this case) reverts to the Preferences values.  (Make sense?)

    When you say "all the default policy settings that IE8 and IE9 install with", do you mean the list of policies that are available, or the default settings for IE8/9?  Policies are not applied by default.

  3. J says:

    It would be really cool if this app could be used to compare a previously saved file with current IE settings. This way you could quickly determine if any of your original settings have been changed.

    [Aaron Margosis]  It does!  See the "File" dropdown in the main window.  (It does this only for the security zone settings, not for the zone mappings.)  See the documentation for more information.

  4. J says:

    I’m getting an error when trying to import saved settings or export local settings. "Unhandled exception has occurred in your application." "Absolute path information is required."

    [Aaron Margosis]  I haven’t seen or heard of that before.  Can you capture a Process Monitor trace?

  5. Phil Reinemann says:

    When comparing between settings (same browser, same OS, different users on identical but different machines) what do the grayed out areas mean for one user?

    This is a useful tool, but lacks some explanation to the output.

    Where are "Machine Preferences" set? In IE Security tab or somewhere else?

    [Aaron Margosis]  OOPS!  The last time I updated the program I forgot to include the extensive documentation I had written for it!  I’ll upload that shortly.  In the meantime, gray in a cell means that no setting is defined for that entry.

    Re Machine Preferences etc., see this post.

    OK, the download on this page now includes the documentation.  Sorry about that!

  6. Phil Reinemann says:

    Thanks for the quick response!

    Interesting, as I have a whole set of grayed out cells on my machine where the user has cells set, but when I look in the IE settings on mine they match what the user has set (in my IE Zone Analyzer V3.5.0.4) export of his machine.

    Are "Machine" preferences the same as "Computer" preferences by a different name?

    [Aaron Margosis]  Yes, "Machine" == "Computer".  On a vanilla system, recent IE versions have most settings defined in Machine Preferences rather than User.  If you open the security settings dialog, settings will get written into the User side.  Most important, though, are "effective settings".  See the previous link for the precedence order.

  7. Phil Reinemann says:

    The precedence link is great info, I saw that or a version of it yesterday.

    Our machines are 32 bit (not 64) XP SP3 with IE8. I’m trying to figure out why a particular user has some web pages (intranet, and perhaps internet) with red X picture placeholders. The Admin user on the user’s machine shows the page fine indicating it’s a user setting, so I downloaded your wonderful program to see which one might cause the problem (although it may be a combination). Compatibility mode isn’t indicated (although this web page, blogs.technet, shows it, so IE is detecting it).

    Shouldn’t changing a user preference setting be reflected in the registry, esp after exiting & restarting IE? (Or do I have to exit and restart regedit too?) I’m not even seeing the change in IE Zone Analyzer. Granted my setting is grayed out, but shouldn’t setting it to a non-inherited setting cause it to be un-grayed out? (Currently I’m playing with User Preferences Trusted Sites 1208 Allow previously unused ActiveX controls to run without prompt Me: <grayed out> User: Enable. There are 32 differences in all.)

    I may also be barking up the wrong tree for the solution.

    [Aaron Margosis]  Compatibility mode can be set differently on a page-by-page basis, depending on factors such as whether the page has an X-UA-Compatible tag, whether it’s in the Intranet zone, what the Compatibility mode settings and policies are, and more.  The easiest way to check is to use the F12 Developer Tools, which have been built into the last few versions of IE.

    Setting changes in the registry might require restarting IE, but not usually, from what I’ve seen.  To pick registry changes up in IEZoneAnalyzer, choose File | Refresh local settings.  Any settings you have added to lists of sets/settings to compare then need to be cleared out and re-added to pick up the changes.

    Another thought:  It may be a permissions issue on the server if Windows authentication is part of the picture.

  8. Nate Fiorito says:

    Is there a way to change the default URL when the program starts (ie: possibly via the config file).  I would like to use this as a support tool and it would be easier if it pointed to our website by default rather than http://www.microsoft.com.

    Great tool by the way and thanks for creating it.

    [Aaron Margosis]  Not at this time, sorry.  I’ll consider adding it the next time I update it.  Thanks.

  9. John says:

    I am getting "Unhandled exception has occurred…" "An entry with the same key already exists."  I can send more debugging info, if you tell me what you need.

  10. John says:

    Whoops – forgot to add I get the error when selecting Zone Map Viewer button only.

    [Aaron Margosis] Thanks, yes, I’d like to take a look at this.  If you could please capture a Process Monitor trace of the error occurring, that would be great.  After you capture the trace, set the filter to show only events belonging to IEZoneAnalyzer.exe, save in native Procmon format (PML) with "events displayed using current filter" and uncheck "profiling events."  Compress to a zip file, come back to this page, click "Email blog author" and we’ll trade email.  Thanks again.

  11. StupidSec says:

    Thank you for maintaining this tool and updating it for IE10.  Over the years, it has been very valuable when deflecting the persistent developer myth that there is some mysterious IE setting that prevents their app from working.  I personally have yet to encounter a vendor or developer who has actually found an offensive USGCB or GPO setting using this tool — instead, I stay out from underneath their bus and they discover a "training opportunity".

  12. Do you think it's possible to compare also Privacy Settings?

    Thanks,

    Riccardo

  13. Batch says:

    If this tool could be put into a logoff script, and the output could be saved to a file, it would be a significant improvement as it would allow for easy auditing of an entire environment.

  14. Steve H says:

    Great tool – thank you.

    Only negative is that it doesn’t appear to honour the automatically detect Intranet site settings. E.g. if you have a site listed in a PAC / WPAD as DIRECT to bypass the proxy then IE seems to treat it as Intranet, even if you specify it as a Trusted Site.
    The tool doesn’t reflect this leading to the wrong answer.

    Thanks – Steve

    [Aaron Margosis]  All I do is call the Zone.CreateFromURL method.  I asked Eric Lawrence, and he said this:

    He’s mistaken (based on my knowledge of the design, and a quick test I just ran).

    An explicit zone assignment will trump the “DIRECT==Intranet” fallback.

    In the configuration described, the .NET API returns Trusted.

    In the configuration described, IE / MapUrlToZone returns Trusted.

    It may be worthwhile to get his exact configuration to determine whether he’s omitted some relevant detail.

  15. Greg says:

    I am also getting "Unhandled exception has occurred…" "An entry with the same key already exists." when I try to run the Zone Map Viewer. Was this ever resolved? I’m on Windows 7 with IE 9.

    [Aaron Margosis] I don’t think anyone ever followed up with data to resolve this.  Please capture a Process Monitor trace of the error occurring.  After you capture the trace, set the filter to show only events belonging to IEZoneAnalyzer.exe, save in native Procmon format (PML) with "events displayed using current filter" and uncheck "profiling events."  Compress to a zip file, come back to this page, click "Email blog author" and we’ll trade email.  Thanks.

  16. abaig says:

    When I extract the files, I am not able to run the IEZoneAnalyzer.exe file. Please let me know what security is stopping it. Thanks

    [Aaron Margosis] Do you have a proxy that's stripping out the exe file from the zip file?  Maybe policies limiting what programs you can run?  (FWIW, I just downloaded, extracted and ran it.)

  17. Anonymous says:

    Part of the new functionality of EMET allows you to block or allow plugins in IE based on the zone that

  18. Warren says:

    From what I can tell, it appears that IE Zone Analyzer incorrectly reports the setting of 120B. The ADMX file lists 0 for DISABLE and 3 for ENABLE on this one setting (the opposite of other settings.) Can someone confirm my finding?

  19. Chuck Wagner says:

    It would be great to broaden this to "IE Settings", so I can compare settings that aren't zone specific like Protected Mode, and the options in the Advanced Tab of Internet Options.

    [Aaron Margosis] Definitely a good idea.  BTW, Protected Mode is a zone-specific setting.  By default it's enabled for the Internet and Restricted Sites zones, and disabled in other zones.

  20. PeterH says:

    I get a few weird results that have only unknown as their definition e.g. Unknown (0x1812), Unknown (0x270D). Any clue as to how I can identify what these settings are?

    [Aaron Margosis]  Try the public SDK. Urlmon.h includes these:

    #define URLACTION_SHELL_TOCTOU_RISK                            0x00001812

    #define URLACTION_ALLOW_CSS_EXPRESSIONS                    0x0000270D

  21. Pete says:

    I also have the ZoneMapViewer – Unhandled Exception – An entry with the same key already exists

    In my case this is because I have the following two entries in ZoneMap/Domains (HKCU or HKLM or both and where names have been changed to simplify the typing). I think these are put there programmatically by Group Policy so not entered via the IE GUI.

    ZoneMap
    – Domains
      – ab.cde.com

    and

    ZoneMap
    – Domains
      – cde.com
        – ab

    These evaluate to the same website (both are https) and hence I guess to the same entry in whatever data structure is used internally in IEZoneAnalyzer.

    I just removed one of the 'duplicate' entries wherever it existed in HKLM and HKCU and I got the ZoneMap table appearing.

    It would be great if this situation could be handled.

    Thanks for a very useful tool and informative blog.
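As an added example (not IEZoneAnalyzer's own code, nor Aaron's or any commenter's), the Python script below works through the Zone Map Viewer logic described in the post body and in comments 1 and 21 against a constructed `.reg` export rather than the live registry: a `Domains\cde.com\ab` subkey names the host `ab.cde.com`, the value name is the protocol with `*` meaning all protocols, the DWORD data is the zone number, a lower-precedence definition is reported as overridden only when it differs from what is in effect, and the same site defined twice in one location (the duplicate-key situation Pete describes) is flagged instead of crashing. The sample `.reg` text, the four-way precedence ranking (Computer Policy over User Policy over User Preferences over Machine Preferences) and the zone-number names are this example's own assumptions; `ZoneMap\EscDomains` and `ZoneMap\Ranges` keys are deliberately not handled. The reverse-domain sort from the post body is included as `domain_sort_key`.

```python
"""Added example (not IEZoneAnalyzer's code): parse ZoneMap\\Domains entries from a
.reg export and report effective, overridden and duplicate site-to-zone assignments."""
import re
from collections import defaultdict

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Locations holding ZoneMap\Domains, ranked by the simplified precedence this
# example assumes: Computer policy > User policy > User preferences > Machine
# preferences.  ZoneMap\EscDomains (Enhanced Security Configuration) and
# ZoneMap\Ranges are deliberately not handled.
SUFFIX = r"\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
SOURCES = [
    ("Computer Policy",     r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft" + SUFFIX),
    ("User Policy",         r"HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft" + SUFFIX),
    ("User Preferences",    r"HKEY_CURRENT_USER\Software\Microsoft" + SUFFIX),
    ("Machine Preferences", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft" + SUFFIX),
]
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    r"""Return [(source, site, protocol, zone)] for every value under a known Domains key.

    A key 'Domains\cde.com\ab' names host ab.cde.com (subkeys are leading labels);
    the value name is the protocol, '*' meaning all protocols; the DWORD is the zone.
    """
    entries, source, site = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            source = site = None
            path = key.group(1)
            for name, prefix in SOURCES:
                if path.lower().startswith(prefix.lower() + "\\"):
                    labels = path[len(prefix) + 1:].split("\\")
                    source, site = name, ".".join(reversed(labels)).lower()
                    break
            continue
        val = VALUE_RE.match(line)
        if val and source:
            entries.append((source, site, val.group(1).lower(), int(val.group(2), 16)))
    return entries


def analyze(entries):
    r"""Split entries into effective, overridden and duplicate assignments.

    effective:  {(site, protocol): (zone, source)} from the highest-ranked source.
    overridden: [(source, site, protocol, zone)] for lower-ranked definitions that
                differ from what is in effect (identical ones are not reported).
    duplicates: [(source, site, protocol)] when one source defines the same site
                twice, e.g. both 'Domains\ab.cde.com' and 'Domains\cde.com\ab'.
    """
    rank = {name: i for i, (name, _) in enumerate(SOURCES)}
    by_key = defaultdict(list)
    for src, site, proto, zone in entries:
        by_key[(site, proto)].append((rank[src], src, zone))
    effective, overridden, duplicates = {}, [], []
    for (site, proto), defs in by_key.items():
        defs.sort()
        seen = set()
        for _, src, _zone in defs:
            if src in seen:
                duplicates.append((src, site, proto))
            seen.add(src)
        _, top_src, top_zone = defs[0]
        effective[(site, proto)] = (top_zone, top_src)
        for _, src, zone in defs[1:]:
            if zone != top_zone:
                overridden.append((src, site, proto, zone))
    return effective, overridden, duplicates


def domain_sort_key(site):
    """Order by domain labels from the top-level domain inward, so every
    'microsoft.com' host sits together, alphabetized by subdomain in reverse order."""
    return tuple(site.lower().split(".")[::-1])


def sorted_sites(effective):
    return sorted({site for site, _ in effective}, key=domain_sort_key)


# Constructed .reg fragment (not from a real system) exercising each case above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.local]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.local]
"*"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cde.com\ab]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ab.cde.com]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.microsoft.com]
"http"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.microsoft.com]
"http"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msdn.microsoft.com]
"http"=dword:00000002
"""

if __name__ == "__main__":
    effective, overridden, duplicates = analyze(parse_reg(SAMPLE_REG))
    for site in sorted_sites(effective):
        for (s, proto), (zone, src) in sorted(effective.items()):
            if s == site:
                print(f"{proto}://{site:<22} {ZONE_NAMES[zone]:<16} ({src})")
    for src, site, proto, zone in overridden:
        print(f"overridden: {proto}://{site} -> {ZONE_NAMES[zone]} in {src}")
    for src, site, proto in duplicates:
        print(f"duplicate:  {proto}://{site} defined twice in {src}")
```

On a real machine the input would come from `reg export` of the four keys listed in `SOURCES`; the precedence ranking here is a simplification of the rules Aaron links to in the post (the "use only machine settings" policy, ESC and 32/64-bit differences are not modelled).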

  22. Red says:

    Hi, great tool but no way to have it running (Zone Map Viewer Unhandled Exception – An entry with the same key already exists) on Windows 7 x64 SP1 and IE11.
    Thank you for your work.
    Regards.
    Red.

    [Aaron Margosis] See whether the previous comment applies to you, too.

  23. tviki says:

    Version 3.5.0.5 has a misprint!
    correct the string: 2600 Disable .NET Framework setup
    must be: 2600 Enable .NET Framework setup

    1. @tviki: Well, yes and no. The Group Policy setting is “Turn off .NET Framework Setup”, with Enable=3 and Disable=0, and the Internet Properties (inetcpl.cpl) text is “Enable .NET Framework Setup”, with Enable=0 and Disable=3. I don’t know where the label “Disable .NET Framework setup” came from – perhaps from the Vista timeframe when I first started working on this.