IInternetSecurityManagerEx2::ProcessUrlActionEx2 method

Determines the policy for a specified action and displays a prompt, if the policy calls for one.


HRESULT ProcessUrlActionEx2(
  [in]  IUri  *pUri,
  [in]  DWORD dwAction,
  [out] BYTE  *pPolicy,
  [in]  DWORD cbPolicy,
  [in]  BYTE  *pContext,
  [in]  DWORD cbContext,
  [in]  DWORD dwFlags,
  [in]  DWORD dwReserved,
  [out] DWORD *pdwOutFlags
);


  • pUri [in]
    A pointer to an IUri interface that specifies the URL.

  • dwAction [in]
    A DWORD that specifies the action to be performed. This can be one of the URL Action Flags values.

  • pPolicy [out]
    Required. A pointer to a buffer that receives the policy and action for the specified URL. This must be one of the URL Policy Flags values.

  • cbPolicy [in]
    A DWORD that specifies the size of the buffer pPolicy. This should be at least sizeof(DWORD).

  • pContext [in]
    A pointer to a buffer that contains the context information (a CLSID) used by the delegation routines. Can be set to NULL.

  • cbContext [in]
    A DWORD that specifies the size of the buffer pContext, or 0 if pContext is NULL.

  • dwFlags [in]
    A DWORD that specifies a PUAF enumeration value or values.

  • dwReserved [in]
    Reserved. Must be set to NULL.

  • pdwOutFlags [out]
    A pointer to a DWORD that gets the PUAFOUT value that specifies whether the lockdown zone was used.

Return value

Returns one of the following values.

Return code Description

Success. The URL policy is URLPOLICY_ALLOW.


Found a valid URL policy that is not URLPOLICY_ALLOW.


There is not enough memory to complete the operation.


URI is null.


Failed to initialize the ZoneManager.


This method can also return an HRESULT derived from the Microsoft Win32 error code ERROR_NOT_FOUND to indicate that the URL action cannot be read from the registry.

The IInternetSecurityManagerEx2::ProcessUrlActionEx2 method was introduced in Windows Internet Explorer 7. It is identical to ProcessUrlActionEx except that it takes its URL from an IUri object.

If FEATURE_PROTOCOL_LOCKDOWN is enabled for the current process, and URLACTION_ALLOW_RESTRICTEDPROTOCOLS is set to URLPOLICY_DISALLOW or URLPOLICY_QUERY for the zone of the URL, the caller can indicate that the URL value can be read from the lockdown zone. The method can then read the policy from either the default security zone or the Lockdown_Zones registry key, and it informs the caller which zone setting it chose through the PUAFOUT flags returned in pdwOutFlags.

Security Warning: Incorrect implementation of this method can compromise the security of your application. A custom implementation of ProcessUrlActionEx should only process URL actions that the default application cannot or should not handle. For all other URL actions, this method should return INET_E_DEFAULT_ACTION. An attempt to duplicate the default implementation can result in incorrect processing of URL actions and might leave users susceptible to elevation of privilege attacks. Review Security Considerations: URL Security Zones API before you continue.

Note If you create your own implementation of this method, you must set the pPolicy value before you return a success code (S_OK or S_FALSE).
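The contract in the Security Warning and Note above, as an added example (not code from this reference page or from Microsoft): a decision core that a custom ProcessUrlActionEx2 body could delegate to. DecideUrlAction and kHostOverrides are hypothetical names, the typedefs and constants are portable stand-ins for the Windows SDK definitions, and rejecting an undersized policy buffer with E_INVALIDARG is an assumption.

```cpp
// Added example: decision core for a custom ProcessUrlActionEx2 body.
// The typedefs/constants are portable stand-ins mirroring Windows SDK values;
// in a real host, include <windows.h> and <urlmon.h> instead.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>

typedef int32_t  HRESULT;
typedef uint32_t DWORD;
typedef uint8_t  BYTE;
const HRESULT S_OK = 0, S_FALSE = 1;
const HRESULT E_INVALIDARG          = (HRESULT)0x80070057;
const HRESULT INET_E_DEFAULT_ACTION = (HRESULT)0x800C0011;
const DWORD URLPOLICY_ALLOW = 0x00, URLPOLICY_DISALLOW = 0x03;
const DWORD URLACTION_ACTIVEX_RUN = 0x1200, URLACTION_SCRIPT_RUN = 0x1400;

// Hypothetical host policy: the only URL actions this host decides itself.
static const std::map<DWORD, DWORD> kHostOverrides = {
    {URLACTION_ACTIVEX_RUN, URLPOLICY_DISALLOW},
    {URLACTION_SCRIPT_RUN,  URLPOLICY_DISALLOW},
};

// pUri stands in for the IUri* argument; only its null-ness is checked here.
HRESULT DecideUrlAction(const void *pUri, DWORD dwAction,
                        BYTE *pPolicy, DWORD cbPolicy) {
    if (pUri == nullptr) return E_INVALIDARG;          // "URI is null"
    auto it = kHostOverrides.find(dwAction);
    if (it == kHostOverrides.end())
        return INET_E_DEFAULT_ACTION;   // defer; never guess the default policy
    // Assumption: an undersized or missing policy buffer is rejected outright.
    if (pPolicy == nullptr || cbPolicy < sizeof(DWORD)) return E_INVALIDARG;
    const DWORD policy = it->second;
    std::memcpy(pPolicy, &policy, sizeof(policy));     // set before success code
    return policy == URLPOLICY_ALLOW ? S_OK : S_FALSE;
}

int main() {
    int uri = 0;                        // constructed placeholder for an IUri
    DWORD policy = 0xFFFFFFFF;
    HRESULT hr = DecideUrlAction(&uri, URLACTION_SCRIPT_RUN,
                                 (BYTE *)&policy, sizeof(policy));
    std::printf("hr=0x%08X policy=0x%02X\n", (unsigned)hr, (unsigned)policy);
    return 0;
}
```

For any action outside the override table the policy buffer is left untouched, so the default security manager's answer is the only one the caller ever sees for those actions.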


Minimum supported client

Windows XP with SP2

Minimum supported server

Windows Server 2003 with SP1


Internet Explorer 7






