Home  │  IE Hijack 1  │  IE Hijack 2  │  IE Hijack 3  │  IE Security

Security in My Computer zone

Topics on this page:

[1] The hidden security zone in Internet Options

[2] Add My Computer zone to Internet Options

[3] Setting a high security level in My Computer zone

Go to: IE Hijack 1

Go to: IE Hijack 2

Go to: IE Hijack 3

Go to: IE Security


1. The hidden security zone in Internet Options

In IE, Tools, Internet Options (or: Control Panel, Network and Internet Connections, Internet Options), Security tab there are four zones shown by default. This lets you select a zone and customise the security settings as desired. The My Computer zone is hidden although its security settings are in the registry just like the others. This seems to be a disadvantage to users who don't know where to look in the registry to customise this security zone. With a simple registry hack you can add My Computer to the zone to tighten its security using the available graphic interface.


2. Add My Computer zone to Internet Options

In regedit, modify the following value data to 1. Microsoft advises changing the hex value to 47 (see the KB link below) but 1 will do.

CurrentVersion\Internet Settings\Zones\0

DWORD = 0x00000001 (1)

Re-logon or reboot.

My Computer zone in Internet Options

Fig. 1. My Computer zone showing in Internet Options.


3. Setting a high security level in My Computer zone: DSO exploit

Once you've done the above you should check the security settings as part of a strategy to avoid data source object (DSO) exploit (which applies to both older and current versions of IE, more info here) and cookie-based script execution and Local Executable Invocation via Object tag vulnerabilities (Microsoft Security Bulletin MS02-015).

This flaw was patched by Microsoft in the 28 March 2002 Cumulative Patch for Internet Explorer if you installed it but it's worth checking because the settings in the registry can easily be changed again to (0 Enabled) by malicious script. Adjusting the settings alone is only a workaround (more info here) but not sufficient because the data binding to DSO in HTML can bypass scripting (more info here) so you need to apply this or a later cumulative patch.

Go to Tools, Internet Options, security, My Computer, Custom Level:

Under ActiveX controls and plug-ins, choose:

Prompt Download signed ActiveX controls;
Disable Download Unsigned ActiveX controls;
Prompt or Disable Initialise and script ActiveX controls not marked as safe and
Enable Script ActiveX controls marked safe for scripting.

The registry keys for the first two items are:

CurrentVersion\Internet Settings\Zones\0

DWORD = 0x00000001 (1)

DWORD = 0x00000003 (3)

In addition check the per computer key for the same entries and values:

CurrentVersion\Internet Settings\Zones\0
DWORD = 0x00000001 (1)

DWORD = 0x00000003 (3)

The default values are 0 (enable download) in both keys and should be changed to (1) for prompt and (3) disable respectively. Zone 0 is My Computer zone.

Spybot Search and Destroy 1.2 and later versions will identify the above security flaws and offer to fix the registry key values: you should let it fix them accordingly (but not delete the keys). Or you can manually modify the values as above.

In addition it may ask you to fix the 1004 data value of 3 (I find that it actually deletes the values altogether) in other registry keys for:

S-1-5-18 (Local System account);
S-1-5-19 (Local Service account) and
S-1-5-20 (Network Service account).



KB 315933


Copyright 2003-2004 by Kilian. All my articles including graphics are provided "as is" without warranties of any kind. I hereby disclaim all warranties with regard to the information provided. In no event shall I be liable for any damage of any kind whatsoever resulting from the information. The articles are provided in good faith and after some degree of verification but they may contain technical or typographical errors. Links to other web resources may be changed at any time and are beyond the control of the author. Articles may be added, removed, edited or improved at any time. No support is provided by the author.

This is not an official support page for any products mentioned. All the products mentioned are trademarks of their companies. Edit the registry at your own risk and back up first.

Last updated 3 Nov 2004