  1. #1
    New Lounger
    Join Date
    Jan 2004
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default security setting (5.5)

    As a result of a spyware attack, IE is now showing all sites as "trusted sites", even though I used AdAware and Spybot to clean up. Also, when I go to tools-internet options-security, and select trusted sites, the button to add or remove trusted sites is greyed out and I can't add or remove or even see the list of trusted sites. When this happened to me before, I managed to stumble on a registry key which I fixed so that IE would properly default to Internet zone. But I now can't remember which registry key I fixed.

    So far as I can tell, the list of individual sites in the ..\Internet Settings\ZoneMap\Domains\.. branches of the registry seem to be present and coded properly (Hex "2" for trusted sites, "4" for restricted sites).

    So I would appreciate info about which registry setting to fix or at least a reference to a site which will help me identify the registry setting I need to fix.

    Thanks - Joan

  2. #2
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Vienna, Wien, Austria
    Posts
    5,009
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Default security setting (5.5)

    There is a fairly extensive set of options in this newsgroup thread.

    When you are finished, you may wish to consider making the My Computer Security Zone (key "0" in the list of Keys you mention in your Post) visible. This is done by setting the Flags value (all the way down near the bottom), which is a DWORD, to 47 (in hexadecimal). Its default value is 21 (in hexadecimal) - which hides it.

    HTH
    Gre

  3. #3
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Default security setting (5.5)

    If the Registry is correct but IE is misbehaving, there might be something still in memory that is intercepting IE's calls to the Registry and returning bogus data. If you check the Task Manager's Processes tab, or use SysInternals' Process Explorer, can you find any suspicious executables or services? I suppose it's also possible that IE itself has been damaged. I think you can repair it by using the "repair Windows" button in Add/Remove programs, but I've never tried it myself.

  4. #4
    New Lounger
    Join Date
    Jan 2004
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Default security setting (5.5)

    Ok - I reset zones2 flags to 3 (for the trusted zones) and now can access the settings to add & remove sites. I also set zones3 flags to hex 11 (dec 17) which is supposed to make it the default (dec 16) plus changes allowed (1).
    However, I'm still getting the default to trusted site for all pages. Is there another key that I should look at? I ran TASKMAN.exe, and did not see anything unexpected (I'm on Windows ME, so there's no Processes tab).

    thanks - Joan

  5. #5
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Vienna, Wien, Austria
    Posts
    5,009
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Default security setting (5.5)

    From what you're saying, it's unclear whether you have been changing the Registry values in HKCU (Current User) or in HKLM (Local Machine). Have you updated the HKLM values? Based on what is said in Microsoft Knowledge Base Article 182569 (towards the bottom), it appears that the HKLM values override the HKCU values. HTH
    Gre

  6. #6
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,572
    Thanks
    5
    Thanked 1,057 Times in 926 Posts

    Re: Default security setting (5.5)

    Sorry to jump in at this late juncture but I don't think that Microsoft Knowledge Base Article 182569 says the HKLM values override HKCU. There are two different sections in the KB - one states
    "Note By default, security zones settings are stored in the HKEY_CURRENT_USER registry key. Because this key is dynamically loaded for each user, the settings for one user do not affect the settings for another.

    If the Security Zones: Use only machine settings setting in Group Policy is enabled, or if the Security_HKLM_only DWORD value is present and has a value of 1 in the following registry key, only local computer settings are used and all users have the same security settings:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    With the Security_HKLM_only policy enabled, HKLM values will be used by Internet Explorer, but the HKCU values will still be displayed in the zone settings on the Security tab in Internet Explorer. This is by design and there are no plans to change this functionality.

    If the Security Zones: Use only machine settings setting is not enabled in Group Policy, or if the Security_HKLM_only DWORD value does not exist or is set to 0, computer settings are used along with user settings. However, only user settings appear in the Internet Options. For example, when this DWORD value does not exist or is set to 0, HKEY_LOCAL_MACHINE settings are read along with HKEY_CURRENT_USER settings, but only HKEY_CURRENT_USER settings appear in the Internet Options.
    Note With the Security_HKLM_only policy enabled, HKLM values will be used by Internet Explorer, but the HKCU values will still be displayed in the zone setting tab within the Internet Explorer Interface. This is by design, and there are no plans to change this functionality at this time. "

    The other says
    "If you add settings to both the HKEY_LOCAL_MACHINE and the HKEY_CURRENT_USER keys, the settings are additive. If you add Web sites to both keys, only those Web sites in the HKEY_CURRENT_USER are visible. The Web sites in the HKEY_LOCAL_MACHINE key are still enforced according to their settings, but they are not available, and you cannot modify them. This situation can be confusing because a Web site may be listed in only one security zone for each protocol. "

    If this is what you were referring to it would seem that you can have HKLM be the only settings that matter or you can have the resultant settings be an accumulation of HKLM & HKCU with the result being the most restrictive. However, the KB is not exactly clear and definitive so that is just my opinion without actually playing with the settings.

    Joe

  7. #7
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Vienna, Wien, Austria
    Posts
    5,009
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Default security setting (5.5)

    We are dealing here with a malware problem - not with "blue skies". Turn specifically to the MSKB (my emphasis added)
    "Note With the Security_HKLM_only policy enabled, HKLM values will be used by Internet Explorer, but the HKCU values will still be displayed in the zone setting tab within the Internet Explorer Interface. This is by design, and there are no plans to change this functionality at this time."
    This is consistent with other Microsoft methods of "lock down". Implementing an "HKLM only" setting, for writers of malware, would ensure propagation to all Users of an infected machine.

    In another context, I could agree with your argument. Sorry if my phrasing was misleading.
    Gre

  8. #8
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Default security setting (5.5)

    Oops, sorry about the processes tab. I think you still might be able to use Process Explorer from SysInternals.

    So if you go to a random site you've never visited before, like http://www.carrferrell.com/ (our company site), IE detects it as being in the Trusted Zone instead of the Internet Zone? I really cannot understand how that could be. Maybe you should try repairing or reinstalling IE?

    Also, make sure nothing strange is happening with your hosts file. I can't remember where that is in Windows 98/ME, but usually it's in c:\windows or one of its subfolders (it is hosts without a file extension).

  9. #9
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,572
    Thanks
    5
    Thanked 1,057 Times in 926 Posts

    Re: Default security setting (5.5)

    Oh, I think I understand what you were saying. Sorry, for muddying the waters. I find that MS is no different from other vendors when it comes to documentation. They always seem to put down everything but the answer for the question I have.

    Joe

  10. #10
    New Lounger
    Join Date
    Jan 2004
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Default security setting (5.5)

    Yes, random sites were defaulting to "trusted" rather than "internet". But, I think I've solved it - more by luck than anything. Fortunately, I had a backup copy of registry.reg, so I ended up exporting the current registry and doing eyeball comparisons in branches referring to internet, security, zone etc. I finally discovered my problem in the HKEY_USERS\.DEFAULT branch (NOT local_machine or current_user). In only the .default branch, CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] "http" was set to dword:00000002. Returning it to 3 solved the problem.

    BTW, one other nasty that these hijackers inflict is to make sure that you can't remove their site from trusted by putting the domain info in both the current user and local machine hierarchies (this relates to Joe's cite of the Knowledge Base article). My experience has been that Ad-Aware and Spybot S & D will remove the current user instance but not the local machine. On an earlier occasion, I just searched for all citations of the offending domain and set all of them to 4 (restricted). (Spybot S&D does 'inoculation' by coding domains this way in (I think) the current_users branch). This time, I've just removed the duplicate domain listings that were under the local_machine branch, and also deleted a setting there where ..\Internet Settings\ZoneMap\Domains] "Trusted"="1"

    In order to put everything in one place, I'll repeat that I also had to set zones2 flags to 3 (for the trusted zones) to make them accessible to IE options setup. (I also set zones3 flags to hex 11 (dec 17) which is supposed to make it the default (dec 16) plus changes allowed (1), but after looking at my old registry, I don't think that was necessary [but I'll leave it be for now])

    One more question: My old registry includes Internet Settings\ZoneMap]
    "ProxyByPass"=dword:00000001
    "IntranetName"=dword:00000001
    "UNCAsIntranet"=dword:00000001
    The current registry has only "UNCAsIntranet" as 0. I don't know if this matters as my computer is a single-user, no intranet, dial-up access only. Comments?

    The principal culprit for all this was the CoolWWWSearch hijacker. Another household member, less experienced with computers, didn't realize that the machine was under attack. My anti-virus caught most of the trojans but I still ended up having to get rid of some files manually by booting from a DOS disk (as they were in use by windows otherwise).

    Maybe you can see why I still have Netscrape 4.7 as my default browser (I *never* had these problems until I started having to use IE for sites that Netscape couldn't render). : -)

    Thanks to all for your help. - Joan
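
The eyeball comparison of registry exports described in the post above can be automated. The following is an added example, not part of the original thread: it parses a text-format `.reg` export and reports every ZoneMap protocol default or domain entry mapped to a zone more privileged than Internet (3), in any hive. The sample export and its `.example` domains are constructed; the function names are hypothetical.

```python
import re

ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
ZONEMAP = r"\software\microsoft\windows\currentversion\internet settings\zonemap"

# Constructed sample export (REGEDIT4 text format); domains are placeholders.
SAMPLE_REG = r'''REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000002
"https"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hijacker.example]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked.example]
"*"=dword:00000004
'''

def parse_reg(text):
    """Yield (key_path, value_name, int_value) for every dword in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"(.*)"=dword:([0-9a-fA-F]{8})$', line)):
            yield key, m.group(1), int(m.group(2), 16)

def audit_zonemap(text):
    """Return (hive, item, zone_label) for ZoneMap entries below the Internet zone."""
    findings = []
    for key, name, zone in parse_reg(text):
        low = key.lower()
        if zone >= 3 or ZONEMAP not in low:
            continue  # Internet/Restricted mappings and unrelated keys are not reported
        hive = key[:low.index(ZONEMAP)]  # e.g. HKEY_USERS\.DEFAULT
        label = ZONES.get(zone, "unknown")
        if low.endswith("\\zonemap\\protocoldefaults"):
            findings.append((hive, f"protocol {name}", label))
        elif "\\zonemap\\domains\\" in low:
            domain = key[low.index("\\domains\\") + len("\\domains\\"):]
            findings.append((hive, f"domain {domain} ({name})", label))
    return findings

if __name__ == "__main__":
    for hive, item, label in audit_zonemap(SAMPLE_REG):
        print(f"{hive}: {item} -> {label}")
```

Exports from later Windows versions are UTF-16 with a different header line, so decode the file to text before passing it in.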

  11. #11
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Default security setting (5.5)

    Thanks for pointing out that .DEFAULT setting.

    Regarding UNC notation -- \\Servername\Sharename -- as far as I know, you will never need this for servers outside your local network. I haven't looked up what that setting means, but if "0" means it is not trusted, that's good for your needs.
