Why is "My Computer" Zone hidden in inetcpl in Internet Explorer and how do I make it show up?

I was recently asked this question by someone, so I did a bit of looking around to find the answer and thought I'd share it with the rest of you.

A quick word to clarify what I am talking about. In Internet Explorer there are 5 Security Zones, which are basically trust namespaces. A given URL ends up in one of these 5 zones and then conforms to the policies described in that zone for all of its URLActions. All but one of these security zones are exposed through the UI in inetcpl under the Security tab, which shows the Local Intranet, Trusted, Internet and Restricted zones. You can either set each of these zones to one of the predefined template settings or control the policies for individual URLActions by setting the level to 'Custom' and editing the policies. The My Computer (aka Local Machine) zone, however, is not shown in this UI. That is the way it has always been.

The reason is that the Local Machine Zone was a zone of extremely high trust and we did not want the user making any changes to the security policies in that zone. The settings were historically low to begin with, and this was one of the reasons why in XP SP2 we came out with the idea of Local Machine Zone Lockdown (LMZL) to clamp down on some of the key settings in this zone for IE. Long story short, it was deemed unsafe to make the My Computer zone visible in the UI. But that does not mean it can't be done. It used to be a simple registry tweak that would make it show up, but due to LMZL it has become a little non-intuitive and somewhat less useful in terms of actually being able to modify the active Local Machine Zone policy from the UI.

Every zone has some attributes, such as the name, description and icon, that are used to describe the zone. These attributes sit in the registry at the following location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\[0-4] 

The last number is the zone ID, which is 0 for the Local Machine Zone. This is the same location where the actual URLAction policy set is stored as well. One of the DWORDs under these keys is the Flags DWORD, which is a bitmask of the Zone Attribute Flags (ZAFLAGS). One of these attributes is ZAFLAGS_NO_UI, which is defined as 0x00000020. This attribute controls whether that particular zone shows up in the inetcpl UI or not. So really, unsetting that particular bit in the Flags DWORD should make the zone appear, right? WRONG!!! It used to be that way, and it would still work if you are running inetcpl inside of rundll32.exe to see the changes. But if you are running it from inside of iexplore.exe, you will notice that the My Computer icon does not show up on the Security tab inside inetcpl. So what's going on? Why isn't it showing up? The answer is LMZL. Because of LMZL, inetcpl now uses the Zone Attributes from the Lockdown zone settings instead of the normal zone settings for Local Machine to decide whether to show it in the UI or not. So in order to make My Computer show up in the UI, you will need to change the Flags DWORD under Lockdown_Zones\0, i.e. the location you need to change is the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0

Change the Flags DWORD to remove the 0x00000020 flag and you should now see the My Computer icon in the Security tab of the inetcpl UI. So what does that give you? It gives you the ability to click the Custom Level button and change the settings for individual URLActions for the My Computer Zone, just like you can for the other zones.

So picture this: you don't want scripts to run in the Local Machine Zone, so you open up inetcpl, go to the Security tab, click on the My Computer icon and then click the Custom Level button, which takes you to the Security Settings dialog. On that dialog you scroll down to the Scripting section and change the value for Active Scripting to Disable. You apply the settings and then load up a local HTML file with a script in it. The script doesn't run and you see an Information Bar telling you about it. Working as expected, you think, until you click on the Information Bar and it gives you an option to "Allow blocked content". You click it and your script runs. What just happened??? Didn't you just block scripts from running? Did that setting not take effect? Is there something else that needs to be done?

Well, what just happened is that you edited the settings for the Normal Local Machine Zone from the UI. But since you're running inside IE, LMZL is turned ON for the process, and the LMZL setting dictates that IE simply prompts the user about scripts in the page and, if the user chooses to allow them, goes ahead and allows them. So even though inetcpl reads the Attributes from Lockdown_Zones, it still reads the policy settings from the Normal Zone hive in the registry, and all changes made from the UI take effect in the normal Zones\0 hive as well. So really, all that hassle to make My Computer show up in the UI achieves little if anything at all as far as IE is concerned. The changes that you make through it will affect other processes that do not have Local Machine Zone Lockdown turned ON for them.
But for security reasons, and given the entire concept of "locking down" the local machine, inetcpl does not allow you to change the active LMZL policies from the UI. This is consistent with the original intent of not allowing users to mess with the Local Machine Zone policies. The only 'weird' thing is that you have to change the NO_UI attribute under Lockdown_Zones\0 for the UI to show My Computer, but changes to the settings work the opposite way.
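To see this split for yourself, here is an added PowerShell audit helper (my code, not part of the original post) that reads the Flags DWORD from both the normal Zones\0 hive and the Lockdown_Zones\0 hive, reports whether ZAFLAGS_NO_UI (0x20) is set in each, and shows a URLAction's policy value side by side so you can tell which hive a Custom Level change actually landed in. The function names and the choice of URLAction 0x1400 (URLACTION_SCRIPT_RUN, the Active Scripting setting) are my assumptions; the registry paths and the flag value are the ones from the post.

```powershell
# Added example: audit the My Computer (zone 0) attributes and one policy in both hives.
# ZAFLAGS_NO_UI = 0x20 comes from the post. Value name '1400' is assumed to be
# URLACTION_SCRIPT_RUN ("Active Scripting" in Custom Level); policy 0 = enable, 1 = prompt, 3 = disable.
$ZAFLAGS_NO_UI = 0x20
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$hives = [ordered]@{
    Normal   = Join-Path $base 'Zones\0'             # where Custom Level edits are written
    Lockdown = Join-Path $base 'Lockdown_Zones\0'    # what inetcpl consults for the icon under LMZL
}

function Get-LocalMachineZoneState {
    param([string]$UrlAction = '1400')
    foreach ($name in $hives.Keys) {
        $key = $hives[$name]
        if (-not (Test-Path $key)) { Write-Warning "$key is missing"; continue }
        $props = Get-ItemProperty -Path $key
        $flags = [int]$props.Flags
        [pscustomobject]@{
            Hive   = $name
            Flags  = ('0x{0:X8}' -f $flags)
            NoUI   = (($flags -band $ZAFLAGS_NO_UI) -ne 0)   # $true means hidden from inetcpl
            Policy = $props.$UrlAction                         # $null if the value is not set
        }
    }
}

# Set or clear ZAFLAGS_NO_UI in the Lockdown hive, which is the bit inetcpl actually honours.
# Pass -Visible:$false to put the zone back to its default hidden state.
function Set-LocalMachineZoneVisible {
    param([bool]$Visible)
    $key   = $hives.Lockdown
    $flags = [int](Get-ItemProperty -Path $key).Flags
    $new   = if ($Visible) { $flags -band (-bnot $ZAFLAGS_NO_UI) } else { $flags -bor $ZAFLAGS_NO_UI }
    Set-ItemProperty -Path $key -Name Flags -Value $new -Type DWord
    Get-LocalMachineZoneState
}

Get-LocalMachineZoneState | Format-Table -AutoSize
```

Run it as the user whose profile you are inspecting; it only touches HKCU, so no elevation is needed, and after a Custom Level edit you will see the Normal row's Policy change while the Lockdown row stays put.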

All part of a grand plan to obfuscate the settings from the user? Not really. The original idea was simple: set the flag so that it doesn't show up, and advanced users can make it appear by flicking a bit in the registry. But since the default behavior was to not show it, it became a bit of an unsupported scenario, and subsequent changes have made things more complicated than they need to be. At the end of the day, though, I think it's best not to mess with the Local Machine Zone policies at all. But that doesn't stop us from knowing how to do it if we ever decide to :)

P.S. I appear to have lost the password to my account on the image server, so I am currently unable to add images to the text. I will update the post once I sort out the password issues.