IEZoneAnalyzer is a utility for viewing and comparing Internet Explorer security zone settings – that is, the configuration settings that grant web sites in the Intranet zone more capabilities in the browser than web sites in the Internet zone. Earlier today, I wrote about the surprisingly complex rules that determine whether and when explicit mappings of websites to security zones take effect or are ignored. IEZoneAnalyzer version 3.5 adds a Zone Map Viewer that shows which web sites have been specifically assigned to security zones and whether the assignment is effective. Click on the “Zone Map Viewer” button in the main dialog’s toolbar to display the Zone Map Viewer. You can toggle the Zone Map Viewer between an “Effective Settings” view and a “Raw Settings” view with labeled toolbar buttons.
“Effective Settings” lists the configured web sites and the zones to which they are mapped. The Comments column calls out settings that are applicable only to 32-bit processes or only to 64-bit processes, or that are completely overridden and never take effect. For example, the first screenshot below shows a number of site assignments to Trusted Sites that are overridden because they are defined in User Preferences, but overridden both because the “use only machine settings” group policy is in effect and because a Computer Configuration Site-To-Zone Assignment policy is in effect. The screenshot also shows two overridden settings that are in effect only when Enhanced Security Configuration (ESC) is enabled, which is not the case as shown by the informational lines at the top of the listing. A given site is listed only once in the Effective Settings view. If a site is mapped the exact same way in a registry location that is in effect and in another that is not in use, the “overridden” one is not shown. That is, a setting is shown as “overridden” only if is defined somewhere differently from what is actually in effect.
The “Raw Settings” view, shown below, shows all site-to-zone configuration settings, listing where they are defined, the zone each is assigned to, and whether that particular setting is in effect or ignored. Both views show the criteria that are used to determine which ZoneMap settings are in effect and which are ignored (per the rules listed in the Appendix.)
As with all other IEZoneAnalyzer views, columns can be sorted, resized and reordered; content can be searched for specific text, copied to the clipboard and exported to CSV and to Excel files. Further, the sort order for the “Website” columns is based on domain names rather than on a strict alphabetic order. For example, all the “microsoft.com” mappings are grouped together, alphabetized by subdomains in reverse order.
[Updated 14-Oct-2011: Posted v184.108.40.206 to fix a bug, and to change the text associated with URL Action 180C which ended up not being used by Windows or IE.]
[Updated 15-May-2012: Posted v220.127.116.11 to fix a bug involving precedence of Computer policies over User policies.]
[Updated 7-June-2012: Re-posted v18.104.22.168 with the documentation back in! Sorry about that.]
[Updated 20-June-2013: Posted v22.214.171.124: fixes version reporting issue with IE10, added text for additional settings, and added sample files back in, including a new one reporting default settings for IE10 on Win8 x64. It also includes an IEZoneAnalyzer.exe.config file; keep this file in the same directory with IEZoneAnalyzer.exe if you want it to run on a system that has .NET 4.0 but doesn’t have .NET 3.5]