Geoff Chappell - Software Analyst
For the release of Windows XP SP2 and Windows Server 2003 SP1, Microsoft seems to have got very conscious of a need to be seen to do more about security for web browsing. The URLMON.DLL in these service-pack releases introduces a scheme of named security features. Each is a defence of some sort, such that the cautious configuration is to enable the feature. Features may be configured differently for different processes. Provision also exists by which a feature that is enabled in general for some process is disabled for the process’s work with a trusted URL.
These features are made programmatically accessible through functions exported from URLMON, the archetypes being CoInternetIsFeatureEnabled and CoInternetSetFeatureEnabled. They are all documented, and some even have user-interface support.
The following are the features that are supported as of version 7.00 (for Windows Vista).
| Value | Feature | Versions |
|---|---|---|
| 0x00 | FEATURE_OBJECT_CACHING | 6.00 from Windows XP SP2, and higher |
| 0x01 | FEATURE_ZONE_ELEVATION | 6.00 from Windows XP SP2, and higher |
| 0x02 | FEATURE_MIME_HANDLING | 6.00 from Windows XP SP2, and higher |
| 0x03 | FEATURE_MIME_SNIFFING | 6.00 from Windows XP SP2, and higher |
| 0x04 | FEATURE_WINDOW_RESTRICTIONS | 6.00 from Windows XP SP2, and higher |
| 0x05 | FEATURE_WEBOC_POPUPMANAGEMENT | 6.00 from Windows XP SP2, and higher |
| 0x06 | FEATURE_BEHAVIORS | 6.00 from Windows XP SP2, and higher |
| 0x07 | FEATURE_DISABLE_MK_PROTOCOL | 6.00 from Windows XP SP2, and higher |
| 0x08 | FEATURE_LOCALMACHINE_LOCKDOWN | 6.00 from Windows XP SP2, and higher |
| 0x09 | FEATURE_SECURITYBAND | 6.00 from Windows XP SP2, and higher |
| 0x0A | FEATURE_RESTRICT_ACTIVEXINSTALL | 6.00 from Windows XP SP2, and higher |
| 0x0B | FEATURE_VALIDATE_NAVIGATE_URL | 6.00 from Windows XP SP2, and higher |
| 0x0C | FEATURE_RESTRICT_FILEDOWNLOAD | 6.00 from Windows XP SP2, and higher |
| 0x0D | FEATURE_ADDON_MANAGEMENT | 6.00 from Windows XP SP2, and higher |
| 0x0E | FEATURE_PROTOCOL_LOCKDOWN | 6.00 from Windows XP SP2, and higher |
| 0x0F | FEATURE_HTTP_USERNAME_PASSWORD_DISABLE | 6.00 from Windows XP SP2, and higher |
| 0x10 | FEATURE_SAFE_BINDTOOBJECT | 6.00 from Windows XP SP2, and higher |
| 0x11 | FEATURE_UNC_SAVEDFILECHECK | 6.00 from Windows XP SP2, and higher |
| 0x12 | FEATURE_GET_URL_DOM_FILEPATH_UNENCODED | 6.00 from Windows XP SP2, and higher |
| 0x13 | FEATURE_TABBED_BROWSING | 7.00 and higher |
| 0x14 | FEATURE_SSLUX | 7.00 and higher |
| 0x15 | FEATURE_DISABLE_NAVIGATION_SOUNDS | 7.00 and higher |
| 0x16 | FEATURE_DISABLE_LEGACY_COMPRESSION | 7.00 and higher |
| 0x17 | FEATURE_FORCE_ADDR_AND_STATUS | 7.00 and higher |
| 0x18 | FEATURE_XMLHTTP | 7.00 and higher |
| 0x19 | FEATURE_DISABLE_TELNET_PROTOCOL | 7.00 and higher |
| 0x1A | FEATURE_FEEDS | 7.00 and higher |
| 0x1B | FEATURE_BLOCK_INPUT_PROMPTS | 7.00 and higher |
The initial state for each feature is loaded from the registry. As with several other collections of registry settings for Internet Explorer, the feature controls may appear in any of several branches. In order of decreasing precedence, these are:
except that the branches in HKEY_CURRENT_USER are ignored if the following evaluates to 1:
The merit of allowing each setting at the same place with respect to multiple branches is the usual one of establishing policies versus preferences, machine-wide or per user.
Each feature is its own subkey of the FeatureControl key. The (case-insensitive) values in the feature’s key each name a process. A special value * catches processes that aren’t named explicitly. A feature is evaluated for a process by iterating through the applicable branches in order of decreasing precedence and accepting the first value that applies to that process. It does not matter which branch the value comes from. Each feature has a default for when no applicable value is found in any branch.
| Setting | Details |
|---|---|
| Value | a filename, for any process whose executable has that filename (subject to the note below); *, for all executables |
| Type | REG_SZ in policy branches, else REG_DWORD |
| Data | the string 0 in policy branches, else the dword 0, for false; the string 1 in policy branches, else the dword 1, for true; else the value is ignored |
| Default | varies with feature and filename |
Among the filename values for any feature control, iexplore.exe stands also for any process whose filename is “ieuser.exe”, with the side-effect that values named ieuser.exe are ignored.
Note, by the way, that the pattern of these registry settings is not exclusive to the features that are exposed through exported URLMON functions. There are very many internal features. For a list, see Feature Control in Internet Explorer.
Each feature has two types of default.
The Internet Explorer default applies when the feature is requested for a process named EXPLORER.EXE, IEUSER.EXE or IEXPLORE.EXE. The Internet Explorer default has all features enabled except:
For other processes, all features are disabled by default except:
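The evaluation rules described above (branch precedence, per-process and catch-all values, the REG_SZ/REG_DWORD data conventions, the iexplore.exe/ieuser.exe aliasing, and the two kinds of default) are modelled in the following Python, which is an added illustration and not code from URLMON or from the original page. The branch labels and registry contents are constructed; the page's own list of branch paths is not reproduced, and the assumption that a value with malformed data is skipped rather than ending the search is marked in the code.

```python
IE_PROCESSES = {"explorer.exe", "ieuser.exe", "iexplore.exe"}

# Constructed registry snapshot, ordered from highest to lowest precedence.
# Each entry: (label, is_policy_branch, {feature: {value_name: data}}).
# Labels are placeholders; the real branch paths are not reproduced here.
SAMPLE_BRANCHES = [
    ("policy branch (constructed)", True, {
        "FEATURE_MIME_SNIFFING": {"*": "1"},          # REG_SZ "1": true
        "FEATURE_ZONE_ELEVATION": {"MyApp.exe": 7},   # not "0"/"1": ignored
    }),
    ("preference branch (constructed)", False, {
        "FEATURE_ZONE_ELEVATION": {"ieuser.exe": 0, "iexplore.exe": 1},
        "FEATURE_MIME_SNIFFING": {"myapp.exe": 0},    # shadowed by policy '*'
    }),
]

def decode(data, is_policy):
    """Map registry data to True/False; None means the value is ignored."""
    if is_policy:                       # policy branches: REG_SZ "0" / "1"
        return {"0": False, "1": True}.get(data) if isinstance(data, str) else None
    if isinstance(data, int) and not isinstance(data, bool):   # REG_DWORD 0 / 1
        return {0: False, 1: True}.get(data)
    return None

def resolve(feature, process, branches=SAMPLE_BRANCHES,
            ie_exceptions=frozenset(), other_exceptions=frozenset()):
    """Evaluate a feature control for a process as the page describes."""
    name = process.lower()
    # iexplore.exe values also cover ieuser.exe; values named ieuser.exe are ignored.
    lookup = "iexplore.exe" if name == "ieuser.exe" else name
    for _label, is_policy, data in branches:
        values = {k.lower(): v for k, v in data.get(feature, {}).items()
                  if k.lower() != "ieuser.exe"}       # value names are case-insensitive
        for key in (lookup, "*"):          # explicit filename before the catch-all
            if key in values:
                state = decode(values[key], is_policy)
                if state is not None:      # assumption: an ignored value does
                    return state           # not stop the search
    # No applicable value in any branch: fall back to the per-process-type default.
    if name in IE_PROCESSES:
        return feature not in ie_exceptions      # IE default: enabled, with exceptions
    return feature in other_exceptions           # others: disabled, with exceptions
```

The exception sets stand in for the two lists the page gives after "except:"; pass the relevant feature names to see the default flip.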
Some of the features have user-interface support as administrative policies through the Windows Vista version of the Group Policy Object Editor. The following table lists the folders among the Security Features in the Internet Explorer administrative template (displayed under Windows Components), and shows the feature that corresponds to each. Note that this support isn’t complete even for the original features and doesn’t extend to any of the features added for Windows Vista.
| Group Policy folder | Feature |
|---|---|
| Binary Behavior Security Restriction | FEATURE_BEHAVIORS |
| Consistent Mime Handling | FEATURE_MIME_HANDLING |
| Local Machine Zone Lockdown Security | FEATURE_LOCALMACHINE_LOCKDOWN |
| Mime Sniffing Safety Feature | FEATURE_MIME_SNIFFING |
| MK Protocol Security Restriction | FEATURE_DISABLE_MK_PROTOCOL |
| Network Protocol Lockdown | FEATURE_PROTOCOL_LOCKDOWN |
| Object Caching Protection | FEATURE_OBJECT_CACHING |
| Protection From Zone Elevation | FEATURE_ZONE_ELEVATION |
| Restrict ActiveX Install | FEATURE_RESTRICT_ACTIVEXINSTALL |
| Restrict File Download | FEATURE_RESTRICT_FILEDOWNLOAD |
| Scripted Window Security Restrictions | FEATURE_WINDOW_RESTRICTIONS |
One feature is known to have user-interface support through Internet Properties in the Control Panel, in the Security group on the Advanced tab. The support is specific to “iexplore.exe” as the process. Checking “Allow active content to run in files on My Computer” disables FEATURE_LOCALMACHINE_LOCKDOWN.