Ran into an issue recently where Windows 7 IE 8 was experiencing an error when visiting a Microsoft Dynamics CRM website. The error was:
A Microsoft Dynamics CRM window was unable to open and may have been blocked by a pop-up blocker. Please add this Microsoft Dynamics CRM server to the list of sites your pop-up blocker allows to open new Windows: URL
What is really cool about this error message is the fact that I actually have the popup blocker disabled. DOH!
I started running through all of the usual suspects, disabling toolbars\BHO’s from manage addons but nothing seemed to help. So I took more drastic steps.
First I downloaded Disk2VHD from sysinternals (Microsoft) and made a backup of my machine. Why you might ask? Simple I want to be able to load a “VM” with an undo disk. The undo disk will allow me to do anything I want with the VM and never worry about what I might break. Stuff I would never do to my physical machine.
Anyways I made the VHD and booted it up, I then took a working machine and started exporting registry keys that I thought might help. After importing the known good registry keys from the working machine into the non-working machine I still had the error. I then began the process of registry comparison, while a very painful process I was able to find an anomaly
On my machine with the popup blocker error I had the following entry in the registry.
[HKEY_CLASSES_ROOT\Interface\{79EAC9C5-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32]
@="{79eac9c0-baf9-11ce-8c82-00aa004ba90b}"
On the machine that works (without the popup blocker error) I had the following.
[HKEY_CLASSES_ROOT\Interface\{79EAC9C5-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32]
@="{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
I modified the registry on the non-working machine to match what I had on the working machine and bingo the issue was resolved (note: I had to reboot first)
So what is this key and how did it get changed? That is a very good question and I am glad you asked. It appears the registration of ieproxy.dll was overwritten by another process (likely something I installed)
The real fix is not to simply edit the registry as I listed above, but is to regsvr32 the ieproxy.dll located in C:\program files\internet explorer or c:\program files (x86)\internet explorer
First click on the Windows button and type cmd in the search box.
Now right click on cmd and select Run as administrator
Now type in the following command:
regsvr32 "C:\program files\internet explorer\ieproxy.dll"
If you have a 64bit version of Windows register the 32bit version of IE
regsvr32 "C:\program files (x86)\internet explorer\ieproxy.dll"
If the registration was successful you will see the following message. At this point click OK.
That’s it I hope this helps some of you guys\gals.
There is a lot to say about security. Common sense is by far the most important aspect of security. Unlike all other browser the use of Internet Explorer Security Zones is just one aspect of browser security and a regular users first defense in locking down what sites can and can not do. Learn how to protect system, network, and your entire enterprise with the following Microsoft resources. You could save yourself and your company a lot of time and money by simply staying informed.
The first line of defense as a proactive user or IT Professional is to subscribe to the various notification mechanisms offered by Microsoft at the Microsoft Technical Security Notifications site. http://technet.microsoft.com/en-us/security/dd252948.aspx
From the notification site there are RSS and EMAIL notification options available that will allow you a real-time look into what is happening.
Not that you are setup for notifications are setup now you can move forward with additional education and training. We have outlined several starting points to get you on the right sites. We at IE8Blog.com think you will be very surprised what is made available.
IE Specific Starting Point:
IE Security Talk
http://edge.technet.com/Media/IE-Security/
IE 8 Security Trustworthy Browsing webcast:
http://edge.technet.com/Media/IE-8-Firestarter-Kickoff/
Internet Explorer 8 Security Tips:
http://channel9.msdn.com/posts/LarryLarsen/Internet-Explorer-8-Security-Tips/
Download the IE8 Security Guide
The following general resources will cover Internet Explorer when necessary.
The Microsoft Security Response Center is a valuable resource to get those extra details and/or early notification of various security situations involving Microsoft software.
http://blogs.technet.com/MSRC/
There is an overwhelming amount of information flowing out of Microsoft daily on security, http://www.microsoft.com/security/ is a good starting point for this journey.
The Microsoft TechNet Security TechCenter is a great resource. (http://technet.microsoft.com/en-us/security/default.aspx)
You may want to consider subscribing to Security Bulletins for the Regular IT Guy (http://feeds.feedburner.com/sbfritg) to stay up to date.
I know this is IE 6 and who cares about IE 6 right? Well lots of corporations still use IE 6 for their day to day business activities. So here it is…
Environment
Internet Explorer 6 on Windows XP (sp2\3), you are using a .pac file to configure your proxy settings. Users access websites that require them to supply Kerberos credentials.
Results
Users see the informative error message “HTTP Error 401 – Unauthorized: Access is denied due to invalid credentials.” At this point your phone lights up like a Christmas tree.
Reason
Bug resolved with http://support.microsoft.com/kb/921400
This is great I just blogged about something that Microsoft fixed back in 2006. But I promise I am not wasting your time. Here is why; after you install this fix or a much later version of wininet.dll that is on the Microsoft QFE branch you must add the following registry key to actually “turn on the fix”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
FEATURE_AUTOPROXY_CACHE_ANAME_KB921400
Value Name: iexplore.exe
Data Type: REG_DWord
Value: = 1
NOTE: you will need to create a key named FEATURE_AUTOPROXY_CACHE_ANAME_KB921400 before you can specify the process.
NOTE 2: If you have a process other than iexplore.exe that you feel needs this fix then just add your process under this registry key.
NOTE 3: Or if you just want this on for all processes use an asterisk * in the place of the process name.
Ok that it for IE 6 today oh and btw this does not apply to IE 7 or IE 8 seems like they fixed the glitch.
I felt this was important to re-document and see if we can expand on it. Please see the ping back to where most of this content came from. The guy does a great job and deserves the credit. I am going to work to expand this information where possible so think of this post as a living post subject to updates 
Pingback: http://www.innovation.ch/personal/ronald/ntlm.html
Introduction
This is an attempt at documenting the undocumented NTLM authentication scheme used by M$’s browsers, proxies, and servers (MSIE and IIS); this scheme is also sometimes referred to as the NT challenge/response (NTCR) scheme. Most of the info here is derived from three sources (see also the Resources section at the end of this document): Paul Ashton’s work on the NTLM security holes, the encryption documentation from Samba, and network snooping. Since most of this info is reverse-engineered it is bound to contain errors; however, at least one client and one server have been implemented according to this data and work successfully in conjunction with M$’s browsers, proxies and servers.
Note that this scheme is not as secure as Digest and some other schemes; it is slightly better than the Basic authentication scheme, however.
Also note that this scheme is not an http authentication scheme – it’s a connection authentication scheme which happens to (mis-)use http status codes and headers (and even those incorrectly).
NTLM Handshake
When a client needs to authenticate itself to a proxy or server using the NTLM scheme then the following 4-way handshake takes place (only parts of the request and status line and the relevant headers are shown here; "C" is the client, "S" the server):
1: C --> S GET ...
2: C <-- S 401 Unauthorized
WWW-Authenticate: NTLM
3: C --> S GET ...
Authorization: NTLM <base64-encoded type-1-message>
4: C <-- S 401 Unauthorized
WWW-Authenticate: NTLM <base64-encoded type-2-message>
5: C --> S GET ...
Authorization: NTLM <base64-encoded type-3-message>
6: C <-- S 200 Ok
Messages
The three messages sent in the handshake are binary structures. Each one is described below as a pseudo-C struct and in a memory layout diagram. byte is an 8-bit field; short is a 16-bit field. All fields are unsigned. Numbers are stored in little-endian order. Struct fields named zero contain all zeroes. An array length of "*" indicates a variable length field. Hexadecimal numbers and quoted characters in the comments of the struct indicate fixed values for the given field.
The field flags is presumed to contain flags, but their significance is unknown; the values given are just those found in the packet traces.
Type-1 Message
This message contains the host name and the NT domain name of the client.
struct {
byte protocol[8]; // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
byte type; // 0x01
byte zero[3];
short flags; // 0xb203
byte zero[2];
short dom_len; // domain string length
short dom_len; // domain string length
short dom_off; // domain string offset
byte zero[2];
short host_len; // host string length
short host_len; // host string length
short host_off; // host string offset (always 0x20)
byte zero[2];
byte host[*]; // host string (ASCII)
byte dom[*]; // domain string (ASCII)
} type-1-message
0 1 2 3
+-------+-------+-------+-------+
0: | 'N' | 'T' | 'L' | 'M' |
+-------+-------+-------+-------+
4: | 'S' | 'S' | 'P' | 0 |
+-------+-------+-------+-------+
8: | 1 | 0 | 0 | 0 |
+-------+-------+-------+-------+
12: | 0x03 | 0xb2 | 0 | 0 |
+-------+-------+-------+-------+
16: | domain length | domain length |
+-------+-------+-------+-------+
20: | domain offset | 0 | 0 |
+-------+-------+-------+-------+
24: | host length | host length |
+-------+-------+-------+-------+
28: | host offset | 0 | 0 |
+-------+-------+-------+-------+
32: | host string |
+ +
. .
. .
+ +-----------------+
| | domain string |
+-------------+ +
. .
. .
+-------+-------+-------+-------+
The host and domain strings are ASCII (or possibly ISO-8859-1), are uppercased, and are not nul-terminated. The host name is only the host name, not the FQDN (e.g. just "GOOFY", not "GOOFY.DISNEY.COM"). The offsets refer to the offset of the specific field within the message, and the lengths are the length of specified field. For example, in the above message host_off = 32 and dom_off = host_off + host_len. Note that the lengths are included twice (for some unfathomable reason).
Type-2 Message
This message contains the server’s NTLM challenge.
struct {
byte protocol[8]; // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
byte type; // 0x02
byte zero[7];
short msg_len; // 0x28
byte zero[2];
short flags; // 0x8201
byte zero[2];
byte nonce[8]; // nonce
byte zero[8];
} type-2-message
0 1 2 3
+-------+-------+-------+-------+
0: | 'N' | 'T' | 'L' | 'M' |
+-------+-------+-------+-------+
4: | 'S' | 'S' | 'P' | 0 |
+-------+-------+-------+-------+
8: | 2 | 0 | 0 | 0 |
+-------+-------+-------+-------+
12: | 0 | 0 | 0 | 0 |
+-------+-------+-------+-------+
16: | message len | 0 | 0 |
+-------+-------+-------+-------+
20: | 0x01 | 0x82 | 0 | 0 |
+-------+-------+-------+-------+
24: | |
+ server nonce |
28: | |
+-------+-------+-------+-------+
32: | 0 | 0 | 0 | 0 |
+-------+-------+-------+-------+
36: | 0 | 0 | 0 | 0 |
+-------+-------+-------+-------+
The nonce is used by the client to create the LanManager and NT responses (see Password Hashes). It is an array of 8 arbitrary bytes. The message length field contains the length of the complete message, which in this case is always 40.
Type-3 Message
This message contains the username, host name, NT domain name, and the two "responses".
struct {
byte protocol[8]; // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
byte type; // 0x03
byte zero[3];
short lm_resp_len; // LanManager response length (always 0x18)
short lm_resp_len; // LanManager response length (always 0x18)
short lm_resp_off; // LanManager response offset
byte zero[2];
short nt_resp_len; // NT response length (always 0x18)
short nt_resp_len; // NT response length (always 0x18)
short nt_resp_off; // NT response offset
byte zero[2];
short dom_len; // domain string length
short dom_len; // domain string length
short dom_off; // domain string offset (always 0x40)
byte zero[2];
short user_len; // username string length
short user_len; // username string length
short user_off; // username string offset
byte zero[2];
short host_len; // host string length
short host_len; // host string length
short host_off; // host string offset
byte zero[6];
short msg_len; // message length
byte zero[2];
short flags; // 0x8201
byte zero[2];
byte dom[*]; // domain string (unicode UTF-16LE)
byte user[*]; // username string (unicode UTF-16LE)
byte host[*]; // host string (unicode UTF-16LE)
byte lm_resp[*]; // LanManager response
byte nt_resp[*]; // NT response
} type-3-message
0 1 2 3
+-------+-------+-------+-------+
0: | 'N' | 'T' | 'L' | 'M' |
+-------+-------+-------+-------+
4: | 'S' | 'S' | 'P' | 0 |
+-------+-------+-------+-------+
8: | 3 | 0 | 0 | 0 |
+-------+-------+-------+-------+
12: | LM-resp len | LM-Resp len |
+-------+-------+-------+-------+
16: | LM-resp off | 0 | 0 |
+-------+-------+-------+-------+
20: | NT-resp len | NT-Resp len |
+-------+-------+-------+-------+
24: | NT-resp off | 0 | 0 |
+-------+-------+-------+-------+
28: | domain length | domain length |
+-------+-------+-------+-------+
32: | domain offset | 0 | 0 |
+-------+-------+-------+-------+
36: | user length | user length |
+-------+-------+-------+-------+
40: | user offset | 0 | 0 |
+-------+-------+-------+-------+
44: | host length | host length |
+-------+-------+-------+-------+
48: | host offset | 0 | 0 |
+-------+-------+-------+-------+
52: | 0 | 0 | 0 | 0 |
+-------+-------+-------+-------+
56: | message len | 0 | 0 |
+-------+-------+-------+-------+
60: | 0x01 | 0x82 | 0 | 0 |
+-------+-------+-------+-------+
64: | domain string |
+ +
. .
. .
+ +-------------------+
| | user string |
+-----------+ +
. .
. .
+ +-------------+
| | host string |
+-----------------+ +
. .
. .
+ +---------------------------+
| | LanManager-response |
+---+ +
. .
. .
+ +------------------+
| | NT-response |
+------------+ +
. .
. .
+-------+-------+-------+-------+
The host, domain, and username strings are in Unicode (UTF-16, little-endian) and are not nul-terminated; the host and domain names are in upper case. The lengths of the response strings are 24.
Password Hashes
To calculate the two response strings two password hashes are used: the LanManager password hash and the NT password hash. These are described in detail at the beginning of the Samba ENCRYPTION.html document. However, a few things are not clear (such as what the magic constant for the LanManager hash is), so here is some almost-C code which calculates the two responses. Inputs are passw and nonce, the results are in lm_resp and nt_resp.
/* setup LanManager password */
char lm_pw[14];
int len = strlen(passw);
if (len > 14) len = 14;
for (idx=0; idx<len; idx++)
lm_pw[idx] = toupper(passw[idx]);
for (; idx<14; idx++)
lm_pw[idx] = 0;
/* create LanManager hashed password */
unsigned char magic[] = { 0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 };
unsigned char lm_hpw[21];
des_key_schedule ks;
setup_des_key(lm_pw, ks);
des_ecb_encrypt(magic, lm_hpw, ks);
setup_des_key(lm_pw+7, ks);
des_ecb_encrypt(magic, lm_hpw+8, ks);
memset(lm_hpw+16, 0, 5);
/* create NT hashed password */
int len = strlen(passw);
char nt_pw[2*len];
for (idx=0; idx<len; idx++)
{
nt_pw[2*idx] = passw[idx];
nt_pw[2*idx+1] = 0;
}
unsigned char nt_hpw[21];
MD4_CTX context;
MD4Init(&context);
MD4Update(&context, nt_pw, 2*len);
MD4Final(nt_hpw, &context);
memset(nt_hpw+16, 0, 5);
/* create responses */
unsigned char lm_resp[24], nt_resp[24];
calc_resp(lm_hpw, nonce, lm_resp);
calc_resp(nt_hpw, nonce, nt_resp);
Helpers:
/*
* takes a 21 byte array and treats it as 3 56-bit DES keys. The
* 8 byte plaintext is encrypted with each key and the resulting 24
* bytes are stored in the results array.
*/
void calc_resp(unsigned char *keys, unsigned char *plaintext, unsigned char *results)
{
des_key_schedule ks;
setup_des_key(keys, ks);
des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) results, ks, DES_ENCRYPT);
setup_des_key(keys+7, ks);
des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) (results+8), ks, DES_ENCRYPT);
setup_des_key(keys+14, ks);
des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) (results+16), ks, DES_ENCRYPT);
}
/*
* turns a 56 bit key into the 64 bit, odd parity key and sets the key.
* The key schedule ks is also set.
*/
void setup_des_key(unsigned char key_56[], des_key_schedule ks)
{
des_cblock key;
key[0] = key_56[0];
key[1] = ((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1);
key[2] = ((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2);
key[3] = ((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3);
key[4] = ((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4);
key[5] = ((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5);
key[6] = ((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6);
key[7] = (key_56[6] << 1) & 0xFF;
des_set_odd_parity(&key);
des_set_key(&key, ks);
}
Keeping the connection alive
As mentioned above, this scheme authenticates connections, not requests. This manifests itself in that the network connection must be kept alive during the second part of the handshake, i.e. between the receiving of the type-2 message from the server (step 4) and the sending of the type-3 message (step 5). Each time the connection is closed this second part (steps 3 through 6) must be repeated over the new connection (i.e. it’s not enough to just keep sending the last type-3 message). Also, once the connection is authenticated, the Authorization header need not be sent anymore while the connection stays open, no matter what resource is accessed.
For implementations wishing to work with M$’s software this means that they must make sure they use either HTTP/1.0 keep-alive’s or HTTP/1.1 persistent connections, and that they must be prepared to do the second part of the handshake each time the connection was closed and is reopened. Server implementations must also make sure that HTTP/1.0 responses contain a Content-length header (as otherwise the connection must be closed after the response), and that HTTP/1.1 responses either contain a Content-length header or use the chunked transfer encoding.
Example
Here is an actual example of all the messages. Assume the host name is "LightCity", the NT domain name is "Ursa-Minor", the username is "Zaphod", the password is "Beeblebrox", and the server sends the nonce "SrvNonce". Then the handshake is:
C -> S GET ...
S -> C 401 Unauthorized
WWW-Authenticate: NTLM
C -> S GET ...
Authorization: NTLM TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S
S -> C 401 Unauthorized
WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAU3J2Tm9uY2UAAAAAAAAAAA==
C -> S GET ...
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABQAFABAAAAADAAMAFQAAAASABIAYAAAAAAAAACiAAAAAYIAAFUAUgBTAEEALQBNAEkATgBPAFIAWgBhAHAAaABvAGQATABJAEcASABUAEMASQBUAFkArYfKbe/jRoW5xDxHeoxC1gBmfWiS5+iX4OAN4xBKG/IFPwfH3agtPEia6YnhsADT
S -> C 200 Ok
and the unencoded messages are:
Type-1 Message:
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef 0: 4e 54 4c 4d 53 53 50 00 01 00 00 00 03 b2 00 00 "NTLMSSP........." 10: 0a 00 0a 00 29 00 00 00 09 00 09 00 20 00 00 00 "....)....... ..." 20: 4c 49 47 48 54 43 49 54 59 55 52 53 41 2d 4d 49 "LIGHTCITYURSA-MI" 30: 4e 4f 52 "NOR"
Type-2 Message:
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef 0: 4e 54 4c 4d 53 53 50 00 02 00 00 00 00 00 00 00 "NTLMSSP........." 10: 28 00 00 00 01 82 00 00 53 72 76 4e 6f 6e 63 65 "(.......SrvNonce" 20: 00 00 00 00 00 00 00 00 "........"
Type-3 Message:
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef 0: 4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00 "NTLMSSP........." 10: 72 00 00 00 18 00 18 00 8a 00 00 00 14 00 14 00 "r..............." 20: 40 00 00 00 0c 00 0c 00 54 00 00 00 12 00 12 00 "@.......T......." 30: 60 00 00 00 00 00 00 00 a2 00 00 00 01 82 00 00 "`..............." 40: 55 00 52 00 53 00 41 00 2d 00 4d 00 49 00 4e 00 "U.R.S.A.-.M.I.N." 50: 4f 00 52 00 5a 00 61 00 70 00 68 00 6f 00 64 00 "O.R.Z.a.p.h.o.d." 60: 4c 00 49 00 47 00 48 00 54 00 43 00 49 00 54 00 "L.I.G.H.T.C.I.T." 70: 59 00 ad 87 ca 6d ef e3 46 85 b9 c4 3c 47 7a 8c "Y....m..F...<Gz." 80: 42 d6 00 66 7d 68 92 e7 e8 97 e0 e0 0d e3 10 4a "B..f}h.........J" 90: 1b f2 05 3f 07 c7 dd a8 2d 3c 48 9a e9 89 e1 b0 "...?....-<H....." a0: 00 d3 ".."
For reference, the intermediate hashed passwords are:
- lm_hpw (LanManager hashed password):
- 91 90 16 f6 4e c7 b0 0b a2 35 02 8c a5 0c 7a 03 00 00 00 00 00
- nt_hpw (NT hashed password):
- 8c 1b 59 e3 2e 66 6d ad f1 75 74 5f ad 62 c1 33 00 00 00 00 00
Resources
LM authentication in SMB/CIFS - http://www.ubiqx.org/cifs/SMB.html#SMB.8.3
- A document on cracking NTLMv2 authentication
- http://www.blackhat.com/presentations/win-usa-02/urity-winsec02.ppt
- Squid’s NLTM authentication project
- http://squid.sourceforge.net/ntlm/
- Encryption description for Samba
- http://de.samba.org/samba/ftp/docs/htmldocs/ENCRYPTION.html
- Info on the MSIE security hole
- http://oliver.efri.hr/~crv/security/bugs/NT/ie6.html
- FAQ: NT Cryptographic Password Attacks & Defences
- http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=17
- M$’s hotfix to disable the sending of the LanManager response
- ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/lm-fix
- A description of M$’s hotfix
- http://www.tryc.on.ca/archives/bugtraq/1997_3/0070.html
Acknowledgements
Special thanks to the following people who helped with the collection and debugging of the above information:
We at IE8 blog are always looking for tools to make life easier. During one of our usual surfing episodes we found a very interesting tool that has promise in easing the zone nightmare we find our selves in from time to time.
Those that have been dealing with Internet Explorer for any length of time know that the IE Zone feature is our best friend MOST of the time. Not only do we protect users from the bad guys but control how various sites will function simply based on a particular zone such as automatic logon if intranet.
We hope someone out there that is struggling with a particular site finds this tool useful
Feel free to post your feedback on your experiences. As we learn more about the tool we will update this posting.
The following is the full article we found with link back to the Microsoft folks, http://blogs.technet.com/fdcc/archive/2009/10/01/viewing-and-comparing-ie-security-zone-settings.aspx
Viewing and Comparing IE Security Zone Settings
The Security tab of the Internet Explorer Properties dialog shows security settings for the Internet, Intranet, Trusted Sites and Restricted Sites zones. However:
- It doesn’t show settings for the Local Machine (Computer) zone, nor for Local Machine Zone Lockdown (LMZL).
- When machine settings or other policies are in effect, most of the Security Zones UI is disabled.
The attached utility “IE Zone Comparer” was designed to overcome these limitations and provide additional visibility into security zone settings. Pick any two collections of security zone settings, and IE Zone Comparer displays the values of those settings, highlighting any differences between the two collections.
IE Zone Comparer requires .NET 2.0 or higher; it does not require administrative privileges.
How to use it:
Click “Pick Zones…” from the toolbar. The following dialog will appear:
The Effective Settings label indicates whether User settings are used or ignored. Refer to this blog post which discusses precedence order of the various policies and preferences.
For each column, there are two dropdowns. The first dropdown lets you select Templates, Machine Policy, Machine Preferences, User Policy, User Preferences, or FDCC Q1 2009 Policies. If you select Templates, the second dropdown lets you select one of the security zone templates (High, Medium-High, Medium, etc.); if you select Policies or Preferences, the second dropdown lets you select any of the five standard zones or five lockdown zones. (See this post for more information about all those zones.)
Click “OK” on the “Pick items…” dialog, and the selected settings will be rendered in the list view. Items that are present in both columns but with different values will be highlighted in yellow. Items that are present only in one column will be grayed in the other column.
Additional Features
To find a particular item with a partial text search, press Ctrl+F (or the “binoculars” toolbar dropdown). The text search is case-insensitive and searches in all columns from the currently-selected row down. Press F3 to repeat the last search from the current location.
Enter a URL in the text area in the toolbar and click “Map URL to Zone”: IE Zone Comparer will tell you in what security zone IE would render that URL.
The Help/About toolbar button includes some helpful links for more information about IE security zones and URL actions.
Some Example scenarios for the IE Zone Comparer
- View effective settings for a particular zone. E.g., something isn’t working correctly on a page that is rendered in the Intranet zone. If user settings are being ignored, select Machine Policies / Intranet and Machine Preferences / Intranet. Policies override preferences; where no policy is set, the machine preferences will apply.
- Compare the relative security settings of the Intranet zone vs. the Trusted Sites zone (see screenshot above).
- Seeing exactly what changes when you transition from the Locked-Down Local Machine Zone to the regular Local Machine Zone. (Description here.)
- Compare Machine Policies for a zone to the policies mandated by FDCC Q1 2009.
- View the settings that are applied by a given template, and compare those settings to another template or to an existing zone to see whether it has been modified from that template.
- Compare the effective settings of the Locked-Down Local Machine Zone (LMZL) to Local Machine Zone, to see what becomes enabled when the user clicks through the information bar.
- Compare user preferences for a zone to the machine preferences for the same zone. (They should be the same; if they are not, then results may change when the “use only machine settings” policy is applied.)
Published Thursday, October 01, 2009 6:27 PM by Aaron Margosis
Filed under: Local Group Policy utilities, Group Policy, FDCC, Internet Explorer
Attachment(s): IEZoneCompare.zip
In the following blog post by the Internet Explorer support team they explain the mandatory integrity level new to Internet Explorer 8.0. What is not covered in the article is the fact that utilizing TabProcGrowth and setting the value to 0 also disables Protected Mode.
- TabProcGrowth=0 : tabs and frames run within the same process; frames are not unified across MIC levels.
(Should also say disables Protected Mode for all Internet Explorer (IE) Security Zones)
- TabProcGrowth =1: all tabs for a given frame process run in a single tab process for a given
(Should always be tried so that Protected Mode is Enabled to validate if the situation is Protected Mode or LCIE Loosely Coupled IE)
Opening a New Tab may launch a New Process with Internet Explorer 8.0
Word to the wise be careful when setting the TabProcGowth registry value as you will leave the Internet Security Zone with Protected Mode Disabled.
- Location: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Name: TabProcGrowth
- Type: REG_DWORD
- Values: 0-16
It is a common troubleshooting step in the IT space for Internet Explorer 7 Freezes, Hangs, and Crashes to test the site with Protected Mode off to determine if a particular web page only fails under a Protected Mode Zone. Of course you would not attempt this with a site that you do not fully trust or suspect the content might be dangerous. The same holds true with Internet Explorer 8 on Windows Vista, Windows 2008 Server, Windows 7, and Windows 2008 R2 but you have the added security measure of LCIE (Loosely Coupled IE).
A worthy note about the Protected Mode Zones feature that the defaults have changed with respect to which zones have Protected Mode enabled by default.
IE7: Enabled – Internet, Intranet, and Restricted
IE8: Enabled – Internet and Restricted
Note: For Protected Mode to be enable you must also have the operating systems UAC feature enabled. UAC was introduced in Windows Vista and Windows 2008 Server and carried forward in Windows 7 and Windows 2008 R2.
AC: User Account Control http://msdn.microsoft.com/en-us/library/bb756996.aspx
Sidebar for Windows XP. Despite Windows XP does not support User Account Control you will see that multiple instances of the iexplore.exe process via Task Manager are created when you open a new TAB or possible a new window. So for those on still on the Windows XP TabProcGrowth still applies. So what is the big deal. XP users can run into possible authentication or cookie issues so you are not completely off the hook.
Cheers