Adding Sites Programmatically
One way to add sites to the Intranet or Trusted sites zone is to call the IInternetSecurityManager::SetZoneMapping method exposed by URL Moniker APIs. This enables you to add sites to a security zone either at install time, or at run time. Begin by selecting the security zone which provides the maximum security while still allowing the features required by your application. For a detailed explanation of the security zones and other Internet Explorer settings under the enhanced security configuration, see Enhanced Security Configuration for Internet Explorer.
Add a Web site to the selected zone by creating an instance of the security manager object, and calling IInternetSecurityManager::SetZoneMapping. Combine the URLZONE_ESC_FLAG flag with the flag specifying the security zone, using a bitwise OR operator. Mappings created without the URLZONE_ESC_FLAG flag are not used in the enhanced security configuration.
The following sample shows how to add the URL "http://msdn.microsoft.com" to the Trusted sites zone.
#include <windows.h>
#include <urlmon.h>

IInternetSecurityManager *pSecurityManager = NULL;
HRESULT hResult = S_OK;

::CoInitialize(NULL);
// Create the security manager object exposed by the URL Moniker APIs.
hResult = CoCreateInstance(CLSID_InternetSecurityManager,
                           NULL,
                           CLSCTX_INPROC_SERVER,
                           IID_IInternetSecurityManager,
                           (void **)&pSecurityManager);
if (SUCCEEDED(hResult))
{
    // URLZONE_ESC_FLAG makes the mapping apply under the enhanced security configuration.
    hResult = pSecurityManager->SetZoneMapping(URLZONE_ESC_FLAG | URLZONE_TRUSTED,
                                               L"http://msdn.microsoft.com",
                                               SZM_CREATE);
    pSecurityManager->Release();
}
::CoUninitialize();
If a Web site is open prior to adding it to the Trusted sites or Intranet zone, the user must restart Internet Explorer for these changes to take effect. If zones are mapped as part of an installation, you should delete your zone mappings as part of the uninstallation procedure when the user uninstalls your application.
Adding Sites with a Registry Merge
Web sites can be added to the Intranet or Trusted sites zone by directly modifying the registry. The key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains contains the zone mappings under the enhanced security configuration. Each registry key that is below this key in the registry hierarchy is a Web site domain. Each of these keys has values which indicate the allowed protocol and the zone to which that protocol belongs for the domain. A value of 0x001 indicates the Intranet zone and a value of 0x002 indicates the Trusted sites zone.
The following sample shows the entries in a .reg file that are used to add the URL "http://www.msdn.microsoft.com" to the Trusted sites zone.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\microsoft.com]
@=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\microsoft.com\www.msdn]
"http"=dword:00000002
The following sample shows the entries in a .reg file that are used to add the URL "http://widgets" to the Intranet zone.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\widgets]
"http"=dword:00000001
If a Web site was open prior to adding it to the Trusted sites or Intranet zone, the user must restart Internet Explorer for these changes to take effect.
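Added example, not part of the original page: a Python parser for ZoneMap entries in the .reg layout described above. It reports each host, protocol, zone and whether the key sits under EscDomains, then builds a fragment that removes those mappings, as the uninstallation advice in the previous section calls for. The names parse_zone_map and uninstall_fragment are hypothetical, the sample input is constructed, and the "name"=- value-deletion line is standard .reg syntax that this page does not show.

```python
import re

ZONES = {1: "Intranet", 2: "Trusted sites"}  # zone values as given on this page
ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
KEY_RE = re.compile(r"^\[" + re.escape(ZONEMAP) + r"\\(EscDomains|Domains)\\([^\]]+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Sample input constructed from the key layout and zone values described above.
SAMPLE = "\n".join([
    "[" + ZONEMAP + r"\EscDomains\microsoft.com]",
    '@=""',
    "[" + ZONEMAP + r"\EscDomains\microsoft.com\www.msdn]",
    '"http"=dword:00000002',
    "[" + ZONEMAP + r"\EscDomains\widgets]",
    '"http"=dword:00000001',
])

def parse_zone_map(reg_text):
    """Return one dict per protocol value found under a ZoneMap domain key."""
    mappings, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A key line that is not a well-formed ZoneMap key resets the context.
            current = KEY_RE.match(line)
            continue
        value = VAL_RE.match(line)
        if current and value:
            zone = int(value.group(2), 16)
            # Key path is domain\subdomain; the host name is subdomain.domain.
            host = ".".join(reversed(current.group(2).split("\\")))
            mappings.append({
                "key": current.group(0),
                "host": host,
                "protocol": value.group(1),
                "zone": ZONES.get(zone, "zone %d" % zone),
                "esc": current.group(1) == "EscDomains",
            })
    return mappings

def uninstall_fragment(mappings):
    """Build .reg lines that delete only the listed values, not whole keys."""
    lines = []
    for m in mappings:
        lines += [m["key"], '"%s"=-' % m["protocol"], ""]
    return "\n".join(lines)

if __name__ == "__main__":
    print(uninstall_fragment(parse_zone_map(SAMPLE)))
```

Deleting individual values rather than the domain key leaves mappings that other applications created under the same domain intact.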
Instructing Users to Add Sites
If your Web-based application receives a user-agent request header which includes the string "Windows NT 5.2", this indicates that the request was made from a computer running Windows Server 2003. If this occurs, any HTML sent to the client should include a NOSCRIPT element with instructions describing how to add your application to the Trusted sites zone. These instructions are only displayed when the enhanced security configuration is enabled. The following sample shows how to use the NOSCRIPT element.
<NOSCRIPT>
<P>Script, ActiveX Controls, and file downloads are not available for Internet sites under the enhanced security configuration. Add this URL to the Trusted sites zone to continue.</P>
</NOSCRIPT>
Registry Merge sample code wrong? | neanderthal ... Thomas Lee
Careful, the Registry Merge sample code to add the URL "http://widgets" to the Intranet zone looks wrong to me. Shouldn't it be more like:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\widgets]
"http"=dword:00000001
Registry example is incorrect
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\microsoft.com]
@=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\microsoft.com\www.msdn]
"http"=dword:00000002
These registry keys will not work. It should be:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com]
@=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\www.msdn]
"http"=dword:00000002
Reference URL:
http://msdn.microsoft.com./en-us/library/ms537181(VS.85).aspx