IInternetSecurityManagerEx::ProcessUrlActionEx method

Determines the policy for a specified action and displays a prompt, if the policy calls for one.


HRESULT ProcessUrlActionEx(
  [in]  LPCWSTR pwszUrl,
  [in]  DWORD   dwAction,
  [out] BYTE    *pPolicy,
  [in]  DWORD   cbPolicy,
  [in]  BYTE    *pContext,
  [in]  DWORD   cbContext,
  [in]  DWORD   dwFlags,
  [in]  DWORD   dwReserved,
  [out] DWORD   *pdwOutFlags
);


  • pwszUrl [in]
    A constant pointer to a wide character string that specifies the URL.

  • dwAction [in]
    A DWORD that specifies the action to be performed. This can be one of the URL Action Flags values.

  • pPolicy [out]
    A pointer to a buffer that receives the policy and action for the specified URL. This will be one of the URL Policy Flags values.

  • cbPolicy [in]
    A DWORD that specifies the size of the buffer pPolicy.

  • pContext [in]
    A pointer to a buffer that contains the context information (a CLSID) used by the delegation routines. May be set to NULL unless the call is marshalled.

  • cbContext [in]
    A DWORD that specifies the size of the buffer pContext.

  • dwFlags [in]
    A DWORD that specifies a PUAF enumeration value or values.

  • dwReserved [in]
    Reserved. Must be set to NULL.

  • pdwOutFlags [out]
    A pointer to a DWORD that gets the PUAFOUT value that specifies whether the lockdown zone was used.

Return value

Returns one of the following values.

Return code Description

Success. The URL policy is URLPOLICY_ALLOW.


Found a valid URL policy that is not URLPOLICY_ALLOW.


There is not enough memory to complete the operation.


URI is null.


Failed to initialize the ZoneManager.



The IInternetSecurityManagerEx::ProcessUrlActionEx method was introduced in Microsoft Internet Explorer 6 for Windows XP Service Pack 2 (SP2).

ProcessUrlActionEx can indicate whether it read the policy from the default security zone or from the lockdown zones (Lockdown_zones). If FEATURE_PROTOCOL_LOCKDOWN is enabled for the current process, and if URLACTION_ALLOW_RESTRICTEDPROTOCOLS is set to URLPOLICY_DISALLOW or URLPOLICY_QUERY for the zone of the URL, the caller can indicate that the URL value can be read from the lockdown zones. ProcessUrlActionEx reports which zone setting was used through the PUAFOUT flags parameter.

This method can also return an HRESULT derived from the Microsoft Win32 error code ERROR_NOT_FOUND to indicate that the URL action cannot be read from the registry.

Security Warning: Incorrect implementation of this method can compromise the security of your application. A custom implementation of IInternetSecurityManagerEx::ProcessUrlActionEx should only process URL actions that the default application cannot or should not handle. For all other URL actions, this method should return INET_E_DEFAULT_ACTION. An attempt to duplicate the default implementation might result in incorrectly processing URL actions, and can leave users susceptible to elevation of privilege attacks. Review Security Considerations: URL Security Zones API before you continue.

Note  If you create your own implementation of this method, you must set the pPolicy value before returning a success code (S_OK or S_FALSE).
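
The rules in the security warning and note above, shown as an added sketch that is not Microsoft's code: handle one URL action, defer every other action with INET_E_DEFAULT_ACTION, and write pPolicy before returning S_OK or S_FALSE. ProcessUrlActionExSketch, ReturnPolicy and kOwnOrigin are hypothetical names, the types and constants are stand-ins for those in <windows.h> and <urlmon.h>, and returning E_INVALIDARG for an unusable policy buffer is an assumption.

```cpp
#include <cstdint>
#include <cstring>
#include <cwchar>

// Stand-ins so the sketch builds without the Windows SDK; a real build takes
// these types and constants from <windows.h> and <urlmon.h>.
using HRESULT = std::int32_t;
using DWORD = std::uint32_t;
using BYTE = std::uint8_t;
constexpr HRESULT S_OK = 0, S_FALSE = 1;
constexpr HRESULT E_INVALIDARG = static_cast<HRESULT>(0x80070057u);
constexpr HRESULT INET_E_DEFAULT_ACTION = static_cast<HRESULT>(0x800C0011u);
constexpr DWORD URLPOLICY_ALLOW = 0x00, URLPOLICY_DISALLOW = 0x03;
constexpr DWORD URLACTION_ALLOW_RESTRICTEDPROTOCOLS = 0x2300;
constexpr DWORD PUAFOUT_DEFAULT = 0x0;

// Hypothetical application origin whose pages are left to the default policy.
static const wchar_t kOwnOrigin[] = L"https://app.example/";

// Writes the policy first, then picks the success code that matches it.
static HRESULT ReturnPolicy(BYTE* pPolicy, DWORD cbPolicy, DWORD policy) {
    if (pPolicy == nullptr || cbPolicy < sizeof(DWORD))
        return E_INVALIDARG;  // assumed error code; never succeed without a policy
    std::memcpy(pPolicy, &policy, sizeof(policy));
    return policy == URLPOLICY_ALLOW ? S_OK : S_FALSE;
}

// Body of a custom ProcessUrlActionEx, written as a free function.
HRESULT ProcessUrlActionExSketch(const wchar_t* pwszUrl, DWORD dwAction,
                                 BYTE* pPolicy, DWORD cbPolicy,
                                 BYTE* /*pContext*/, DWORD /*cbContext*/,
                                 DWORD /*dwFlags*/, DWORD /*dwReserved*/,
                                 DWORD* pdwOutFlags) {
    if (pdwOutFlags) *pdwOutFlags = PUAFOUT_DEFAULT;  // lockdown zone not consulted here
    // Anything this host has no specific rule for goes to the default manager.
    if (pwszUrl == nullptr || dwAction != URLACTION_ALLOW_RESTRICTEDPROTOCOLS)
        return INET_E_DEFAULT_ACTION;
    if (std::wcsncmp(pwszUrl, kOwnOrigin, std::wcslen(kOwnOrigin)) == 0)
        return INET_E_DEFAULT_ACTION;
    // The single rule handled here only tightens policy: the action is
    // disallowed for URLs outside the application's own origin.
    return ReturnPolicy(pPolicy, cbPolicy, URLPOLICY_DISALLOW);
}
```

The sketch never returns URLPOLICY_ALLOW itself, so it cannot grant more than the default security manager would.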



Minimum supported client

Windows XP with SP2

Minimum supported server

Windows Server 2003


Internet Explorer 6.0





See also





Security Considerations: URL Security Zones API