January 04, 2005 12:00 AM

Using the Local Computer Security Zone

Windows IT Pro
InstantDoc ID #44962

Q: Can you explain the use of the hidden Microsoft Internet Explorer (IE) Local Computer security zone? Are any security risks linked to its use, and if so, how can I mitigate those risks?

The IE Local Computer security zone, also known as the My Computer zone, includes all data that's stored on the local computer and that can be accessed from IE. This zone doesn't include locally cached temporary Internet files. By default, the Local Computer zone doesn't appear on the Security tab of the Internet Options dialog box. If you want to modify the Local Computer zone properties, you must edit the system registry.

Locking down the security settings of the Local Computer zone is recommended on pre-Windows XP Service Pack 2 (SP2) systems. On these systems, the default security settings of the Local Computer zone are at a low security level. Windows XP SP2 comes with a new feature called Local Computer security zone lockdown that mitigates the risks related to this zone. In SP2, the permissions given to content of the Local Machine zone are more restrictive than the ones given to Internet security zone content. Every time Web content attempts a restricted Local Machine zone action, the following text will appear in the IE information bar: "This page has been restricted from running active content that might be able to access your computer. If you trust this page, click here to allow it to access your computer." In XP SP2, this feature is enabled by default for IE processes, and you can control it through the HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Iexplore.exe registry subkey. (A value of 1 means the feature is enabled.)

Here's an example of how malicious code could exploit the insecure security settings of the Local Computer zone. An IE user might be browsing a Web site that's classified in the Restricted Sites zone. One of the site's pages could contain a piece of malicious code that looks for user password files and transmits them to a malicious Web site. As long as the script runs as part of a page downloaded from the restricted site, it won't be able to do any harm because of the Restricted Sites security restrictions that are in place. That situation changes if the user saves the page to his or her computer's hard disk. Later, when the user opens the page from the hard disk, it will be classified as being part of the Local Computer security zone. Because the security level for this zone is low, the malicious code could execute and cause damage by silently transmitting data.

A little-known detail is that IE users can modify a registry setting to make the Local Computer security zone show up on the Internet Options Security tab, as Figure 1 shows. After doing so, users can easily modify the Local Computer security zone's configuration settings just as they can for the four other security zones.

To see the Local Computer zone on pre-Windows XP SP2 systems, set the "Flags" (REG_DWORD) registry key to a value of 47 (hexadecimal). The default value is 21. On pre-Windows XP SP2 systems, the Flags key is located in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 registry container, which is where IE stores all configuration information related to the Local Computer security zone. On Windows XP SP2 systems, the Flags key is in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 registry container.
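The following read-only audit is an added example, not part of the original article: it reports the lockdown setting and the Flags value for both zone containers named above. The function names are hypothetical, and the script assumes that Iexplore.exe is stored as a REG_DWORD value under the FEATURE_LOCALMACHINE_LOCKDOWN key and that the current user's hive is the one of interest.

```powershell
# Added example: read-only audit of the Local Computer zone settings described
# in the article. Registry paths and the values 1, 0x47 and 0x21 come from the
# article text; the function names are hypothetical.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-LocalZoneAudit {
    $settings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $feature  = 'HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'

    # Assumption: the per-process setting is a REG_DWORD value named after the
    # executable. A value of 1 means lockdown is enabled for IE processes.
    $lockdown = Get-RegDword -Path $feature -Name 'Iexplore.exe'

    foreach ($container in 'Zones\0', 'Lockdown_Zones\0') {
        $flags = Get-RegDword -Path (Join-Path $settings $container) -Name 'Flags'

        # Classify Flags against the two values the article gives.
        $state = 'other'
        if ($null -eq $flags)    { $state = 'not set' }
        elseif ($flags -eq 0x47) { $state = 'zone shown on Security tab' }
        elseif ($flags -eq 0x21) { $state = 'default (zone hidden)' }

        $flagsText = '(none)'
        if ($null -ne $flags) { $flagsText = '0x{0:X}' -f $flags }

        [pscustomobject]@{
            Container       = $container
            Flags           = $flagsText
            FlagsState      = $state
            LockdownEnabled = ($lockdown -eq 1)
        }
    }
}

Get-LocalZoneAudit | Format-Table -AutoSize
```

A row showing "zone shown on Security tab" means the user can change the zone's settings from the Internet Options dialog box, so that machine's zone configuration is worth reviewing against your baseline.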

Comments
  • JOSEPH
    3 years ago
    Oct 09, 2009

    I have been a subscriber for years. Why do I not have access to this article. Your quest for money will result in people like me looking for other sources of information...


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.