Author: Uzi Paz
E-Mail: For e-mail contact: user is uzi4wg and domain is uzipaz.com
First version date: 12 October 2001
Recent version: 19 September 2002
Legal Notice: While as far as I know all the information here is exact and correct, as I'm giving this information as a free service, I'm taking no responsibility.
Parent Page: http://www.uzipaz.com
1. Introduction
Internet Explorer allows you to apply different security settings to different sites and web pages by grouping them into security zones.
While you may wish to allow sites that you consider trusted to run code that is permitted to do whatever it wants on your computer, you are likely to limit other sites on the Internet to only what you define as safe.
The different security settings and their meaning will be the subject of a different article. This one is dedicated to the case where the 4 security zones are not enough, and you wish to make the security permissions more detailed by adding further security zones for specific sites, then defining the exact security permissions of those zones and the exact sites that belong to them.
Comment:
We did not count here the "My Computer" security zone among the security zones. This security zone is not visible by default. Yet, we do recommend making it visible and also setting its permissions in order to tighten security further. This is explained in "Basic Steps to protect a personal computer on the Internet".
2. Testing of the Added Security Zones
In the rest of this article I shall explain how to add a fifth security zone to Internet Explorer. This security zone can then be set according to your wish, and you may decide which sites and web pages will be part of this zone. I myself added this zone to my Internet Explorer, version 5.5 on my Win98, and in all my tests it seems to work fine.
Although I believe that this trick works in other versions of Internet Explorer, and in other versions of Windows, I have never tested it. I also believe that you can use this trick to add more than one zone, to have six or more security zones, but I never tested it myself, and thus I don't know if there is any practical limit to the number of security zones that can be added to Internet Explorer. I would certainly appreciate any report you may provide related to this issue.
3. A Word of Caution Regarding Registry Tweaking
During the process of adding the security zone, you will need to edit your registry files.
The registry files hold all the information that Windows and the various programs need in order to operate.
In order to make the changes in the registry files, we shall use the standard program that comes with Windows - regedit.
Mistakes made while changing the registry files, such as deleting the wrong registry keys, may cause immediate problems in Windows or in other applications, and may even cause Windows to stop working, depending on the exact type of mistake. It is thus important to at least know how to back up your registry files, and how to restore them in case things go wrong. Any change that you make using regedit applies immediately. For further information on how to use regedit, see: http://www.winguides.com/registry/article.php?id=1&page=3
4. Adding a Security Zone to Internet Explorer
I shall assume here that you already have some experience with using the regedit command.
In order to add the fifth security zone, start regedit and go to the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
You will find there five numbers: 0, 1, 2, 3, 4, which relate to the five security zones that you already have.
Security zone number zero relates to the security settings for running files from your own computer (the "My Computer" security zone). It is not visible by default, although we recommend making it visible in order to tighten the computer's security (as commented above).
The other four security zones (numbers 1 to 4) are the different security zones that you can set in your Internet Explorer. When you select each of those five numbers, you can see the different entries and their values in the right pane of the regedit window. You will find there, among other things, the name and description of each of those zones.
The different zones and their names according to those entries are then:
Zone 0 - "My Computer"
Zone 1 - "Local Intranet"
Zone 2 - "Trusted Sites"
Zone 3 - "Internet"
Zone 4 - "Restricted Sites"
By default, only zones 1-4 are apparent in Internet Explorer.
The natural guess is that if you wish to add another security zone, you should simply copy one of the other zones and name it "5", so that under the "Zones" key there will be 6 subkeys: 0, 1, 2, 3, 4, 5.
Which security zone should we base our "5" security zone on? The "Trusted sites" zone seems to be the appropriate one to copy, because its options seem to be the ones that I wish to have.
For this example, let us assume that I want to call this security zone "Experimental".
The easiest way to copy the subkey is to export it first into a .reg file.
I do this by marking the "2" key (the subkey of "Zones") and then, from the "Registry" menu, choosing "Export Registry File". I then choose a name for this file - let us assume that I chose the name: experimental.reg.
I check that it is set to export only the selected branch, and I note in which directory this file is saved.
Then I press OK to export it.
Now, I exit from regedit, and edit the experimental.reg file using a simple text editor. (Please notice that you should use a text editor and not a word processor. Please also notice that double-clicking the experimental.reg file does not open it for editing but rather executes it, so you don't wish to double-click it at this stage.)
So you open it using a text editor (Notepad is fine. I myself prefer to use Gvim, but it is a matter of taste), and then you change the registry key on those lines (in this file) from "2" to "5". You wish this file to build a registry key with the number 5 in it.
Once all the lines refer to the "5" registry key, you should change the name and the description of the zone from what is written there (which is the name and description of the "trusted zone") to the name and description you wish your new security zone to have.
Personally, I preferred to also change its icon in Internet Explorer from the default icon of trusted sites to a different one, so I changed the value of the icon registry entry to "inetcpl.cpl#1307".
After making those changes, save the edited experimental.reg file, and double-click it to build the new security zone.
Now you may enter Internet Explorer, and there, from the "Tools" menu, "Internet options" submenu, and "Security" page, you will see the security zone that you have just added. You may then set it to custom, and customize it the way you wish. (The instructions on how to customize the security zones are a bit different from version to version of Internet Explorer. You might need to browse Internet Explorer's menus a bit in order to find where it is done. The instructions in this paragraph refer to version 5.5.)
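The edit to experimental.reg described in this section can also be done by a script instead of by hand. The following Python sketch is an added example, not part of the original article: it assumes a REGEDIT4-format export (the text format regedit writes on Win98), uses the value names DisplayName, Description and Icon under which the zone key stores the name, description and icon, and runs on a constructed sample export rather than a real one.

```python
import re

# Constructed sample of a REGEDIT4 export of the "2" (Trusted sites) subkey;
# the values are illustrative, not copied from a real machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"DisplayName"="Trusted sites"
"Description"="This zone contains Web sites that you trust."
"Icon"="inetcpl.cpl#00004480"
"CurrentLevel"=dword:00010000
"Flags"=dword:00000047
"1200"=dword:00000000
'''

ZONES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

def reg_quote(text):
    """Escape backslashes and double quotes as .reg string values require."""
    return text.replace("\\", "\\\\").replace('"', '\\"')

def clone_zone(export_text, src, dst, name, description, icon):
    """Return export_text with key Zones\\src renamed to Zones\\dst and the
    DisplayName, Description and Icon string values replaced."""
    header = re.compile(r"^\[" + re.escape(ZONES) + r"\\" + str(src) + r"(\\.*)?\]$")
    new_values = {"DisplayName": name, "Description": description, "Icon": icon}
    out, in_zone, renamed = [], False, 0
    for line in export_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):          # a key header line
            m = header.match(stripped)
            in_zone = bool(m)
            if m:
                renamed += 1
                line = "[" + ZONES + "\\" + str(dst) + (m.group(1) or "") + "]"
        elif in_zone:                         # a value line inside the zone key
            m = re.match(r'^"([^"]+)"=', stripped)
            if m and m.group(1) in new_values:
                line = '"%s"="%s"' % (m.group(1), reg_quote(new_values[m.group(1)]))
        out.append(line)
    if not renamed:                           # refuse to emit an unchanged file
        raise ValueError("export does not contain zone key %s" % src)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(clone_zone(SAMPLE_EXPORT, 2, 5, "Experimental",
                     "Sites under test with custom permissions.", "inetcpl.cpl#1307"))
```

All permission entries (such as the CurrentLevel, Flags and numbered action values in the sample) are carried over unchanged, so the new zone starts with the same permissions as the zone it was copied from until you customize it.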
5. A Comment About the Choice of Icons
We suggested replacing the original reference to the icon of the "Trusted Zone", "inetcpl.cpl#00004480" (which is equivalent to "inetcpl.cpl#4480"), with "inetcpl.cpl#1307", but you might wish to set it to a different icon.
So you might ask yourself how to refer to a different icon. Trying to provide the location of a simple icon file in that entry does not work. In fact, those references are not directly to icons but rather to icon groups. Internet Explorer needs to use icons of both sizes, 16x16 and 32x32, for the zones, thus the question becomes how to look for different icon groups and the references to those icon groups.
I use a program called "Resource Hacker" for that. Resource Hacker can be found on http://www.users.on.net/johnson/resourcehacker/
If you open the inetcpl.cpl file with Resource Hacker, you will see there, under "Icon group", different group numbers, and for each of them a "subfolder" with some standard number, and the various icons (typically the same icon in different sizes and resolutions). You will find that the icon for the trusted sites can be found in the "Icon Group" under the number 4480. This suggests that the right reference to that icon is "inetcpl.cpl#4480". Notice that the reference should be to the icon groups rather than the actual icons themselves. Many other .dll, .exe, .cpl, .ocx, and .scr files hold relevant icon groups inside them, and you may use Resource Hacker to browse them and to find the exact reference for them.
I also heard of another program that can be used instead of Resource Hacker, and I give here the reference although I myself didn't check it: http://www.copseystrain.com/iconsucker/