Share via


URL Security Zones

A version of this page is also available for

Windows Embedded CE 6.0 R3

4/8/2010

The URL security zones API lets developers manage URL security zones and create custom URL security zone managers.

A URL action is an action that a browser can take that might pose a security risk to the local computer. These include actions such as running a Java language program (URLACTION_JAVA_PERMISSIONS in this case) or a Microsoft ActiveX® control (URLACTION_ACTIVEX_RUN in this case).

A URL policy determines what permission or trust level is set for a particular URL action. These include setting the safety level for Java language to high (URLPOLICY_JAVA_HIGH in this case).

A URL security zone is a group of URL namespaces that are assigned an equal level of permission or trust. Each URL action for the zone has an appropriate URL policy assigned to it that reflects the level of trust given to the URL namespaces in that zone.

The following table shows the default URL security zones in Internet Explorer 6.

Zone Description

Local intranet zone

Content located on a company's intranet. Because the servers and information would be in a company's firewall, a user or company could assign a higher trust level to the content on the intranet.

Trusted sites zone

Content located on Web sites that are considered more reputable and trustworthy than other sites on the Internet. Users can map the URLs of these Web sites into this zone to reduce the number of authentication requests.

Internet zone

Web sites on the Internet that do not belong to another zone. The default settings would cause the user to be prompted when potentially unsafe content was about to be downloaded. Web sites that are not mapped into other zones automatically fall into this zone.

Restricted sites zone

Web sites that contain content that could cause, or could have previously caused, problems when it is downloaded. Users can map the URLs of these Web sites into this zone to be prompted every time potentially unsafe content was about to be downloaded or to prevent that content from being downloaded.

There are two situations where you as a developer would use the URL security zone interfaces:

  • Applications that are hosting either the WebBrowser Control or MSHTML and want to implement their own security manager to handle security zones.
  • Controls that are hosted by MSHTML and want to receive information about a security setting.

Applications can manage the default URL security zone settings by using the IInternetZoneManager interface. Any changes that were made by using IInternetZoneManager will not be static because the user could override them. In most cases, applications that have to control the URL security zone settings should create an application that hosts the WebBrowser Control or MSHTML and implement their own security manager.

For more information about how to implement security managers and managing the default URL security zone settings, see the URL Security Zones SDK documentation from this Microsoft Web site.

See Also

Other Resources

URL Moniker Services Application Development
URL Security Zones Settings