Event 1023 - Zone Elevation Restrictions

  • Logged Message
  • What Is It?
  • When Is This Event Logged?
  • Example
  • Remediation
  • Related topics

Logged Message

Zone elevation is an attempt to gain access to a stronger security-enabled zone from a weaker zone. Zone Elevation Restrictions prevent the overall security context of any link on a webpage from being higher than the security context of the root URL. For example, a page in the Internet zone cannot navigate to a page in the Local intranet zone except as the result of a user-initiated action. A script cannot automatically make this sort of navigation without user interaction, such as a mouse click or a keystroke. Zone Elevation Restrictions also disables JavaScript navigation if there is no security context.

What Is It?

Zone Elevation Restrictions prevent the overall security context of any link on a page from being higher than the security context of the root URL. This means, for example, that a page in the Internet zone cannot navigate to a page in the Local intranet zone except as the result of a user-initiated action. A script cannot automatically make this sort of navigation without user interaction, such as a mouse click or a keystroke. Zone Elevation Restrictions also disable JavaScript navigation if there is no security context.

Note  The security ranking of the zones from least trusted to most trusted is Restricted sites zone, Internet zone, Local intranet zone, Trusted sites zone, and Local Machine zone.

 

When Is This Event Logged?

This event is logged when an attempt is made to gain access to a stronger security-enabled zone from a weaker zone.

Example

Perform the following steps to see this event logged in the compatibility tool:

  1. Create a webpage with the following contents. For this example call it 1023Target.html. The file can be placed anywhere. For this example, the file is located in C:\.

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Zone Elevation</title>
    </head>
    <body>    
    </body>
    </html>
    
  2. Create another webpage with the following contents. For this example call it 1023Source.html.

    <html xmlns="http://www.w3.org/1999/xhtml" >
    <head>
        <title>Zone Elevation</title>
    </head>
    <body>    
    <script>
        window.location = 'C:\1023Target.html';
    </script>
    </body>
    </html>
    
  3. Install the 1023Source.html file in the root directory of the local web server. On a Microsoft Internet Information Services (IIS) server this means putting the file in this directory:

    .\wwwroot

  4. Browse to the file:

    https://localhost/1023Source.html

    A blank page is displayed with an Error (note the yellow exclamation icon in the lower left).

  5. Double-click the Done message in the lower left of the browser.

This displays the detail of the error that occurred. In this case, it's an Access Denied error. The webpage attempts to re-direct to the 1023Target.html file. But, since 1023Target.html is located in the Local Machine Zone (and the calling page is located in the Local Intranet Zone), you receive an access denied error and the event is logged to the compatibility tool.

Remediation

You manage the Zone Elevation Restrictions through a security feature control registry key (FEATURE_ZONE_ELEVATION). Windows Internet Explorer (Iexplore.exe) needs to run under this feature control to disable the feature and this can be achieved by setting the following registry key:

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_ZONE_ELEVATION
                     iexplore.exe = 0x00000000

This feature can also be controlled by the following Group Policy settings:

GPO Policy Path GPO Policy Setting Name GPO Settings
Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation Internet Explorer Processes

If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.

If you disable this policy setting, no zone receives such protection for Internet Explorer processes.

If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.

 

Applications that host the WebBrowser control can also take advantage of the security feature control by adding their process to the same registry locations. Your application can do this programmatically, using the CoInternetSetFeatureEnabled function.

Note  If an application does not run under this security feature control, the WebBrowser control behaves the same as previous versions of Windows Internet Explorer.

 

Applications can also use the CoInternetIsFeatureZoneElevationEnabled function to determine whether to enable navigation from one URL to another. The function returns an HRESULT based on the value of the URL policy for the URL action flag URLACTION_FEATURE_ZONE_ELEVATION in the zone of the specified URL.

You can modify the Internet Explorer security zone settings if a trusted Web application is unusable.

To modify the security zone settings:

  1. In Internet Explorer, click Tools, point to Internet Options, and then click the Security tab.
  2. Select the required zone, and then click Custom Level.
  3. Scroll down under Miscellaneous and then select the check box for websites in less privileged web content zone can navigate into this zone.

If you need to open a local file from the Internet or local intranet zone, you can add a Mark of the Web comment in the HTML code. This Internet Explorer feature forces your HTML files into a zone other than the Local Machine zone, based on the URL identified in the comment.

To insert a Mark of the Web comment into your HTML file, add the following comment:

<!-- saved from url= <(0022)http://www.fabrikam.com>-->

Where http://www.fabrikam.com is the URL of the Internet or intranet domain hosting the page, and 0022 is the length of the URL.

You can use the Mark of the Web comment with .mht, .xml, or .htc files; however, if you use a version prior to Microsoft Internet Explorer 6 for Windows XP with Service Pack 2 (SP2), Mark of the Web is ignored.

If you need to access local resource files like .doc or .xls, you can disable the zone elevation feature for the Local Machine zone.

Security Warning: The Local Machine zone is a prime target for malicious users attempting to gain access to a more secure zone. Disabling this feature reduces security in the Local Machine zone.

Zone Elevation restrictions protect personal or other confidential content on your local machine. Disabling Zone Elevation Restrictions can facilitate serious breaches of confidentiality including identity theft.

The zone elevation feature for the Local Machine zone can be disabled by using the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\2101 = 0

This feature can also be controlled by the following Group Policy settings:

GPO Policy Path GPO Policy Setting Name GPO Settings
Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone websites in less privileged Web content zones can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

 

Internet Explorer Application Compatibility

Events 1021 through 1028