Custom Search

Secure Windows XP

“Optimize Windows” Column
December, 2000

What about a little Tweak IE?

There's an IE tab in the free Windows Tweak UI applet, but it doesn't help with some tasks that I've found handy to have available. So whenever I find myself doing the same old task repeatedly, I try to come up with a way to make the job a bit easier. With that in mind, here's a few tweaks that work well for me, and might be useful to others who practice the fine art of browser bashing.

An IE Properties Shortcut

If you do a fair amount of offline IE configuration, you can of course right-click the IE desktop icon, select Properties and then the tab you need. But sometimes it's convenient to setup a dedicated shortcut to take you directly to where you want to go, especially if you go there over and over again during a diagnostic session. To do so, just write the following shortcut command line (and note the two commas):

control inetcpl.cpl,,x

Change the “x” to one of the following numbers to go directly to the indicated tab.

0.   General
1.   Security
2.   Content
3.   Connections
4.   Programs
5.   Advanced

Or if the IE browser window is already open, click on the Status Bar's “My Computer” icon (offline) or the IE globe icon (online) to go directly to the Security tab. By the way, the “control” command followed by the name of a CPL file, two commas and a number also works with most of the other CPL files in the C:\Windows\System folder. For example, control sysdm.cpl,,1 opens the System applet's Device Manager tab.

Security Snooping

Back in August, Dave Methvin's “Roll Your Own Zone” column described how to add a fifth security zone to IE's Security tab. The first thing I noticed while exploring this area (the Twilight Zone?) was that although the Security tab on IE's Properties sheet showed only four zones, the Registry suggested there might be five: I found subkeys labeled 0 through 4 under the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones key. Alright, so who's missing? and why? A bit of digging revealed all: The DisplayName entry for Zone 0 is “My Computer” and there's no icon with that name on IE's Security tab, which almost makes sense. After all, who needs protection against their own computer? (Don't answer that.) Also, the long list of mostly 0x00000000 entries in the 0 key's Contents pane suggested that whatever all that stuff was, it was set to a very low level of security.

Bur why even have an invisible do-nothing zone? I guess the short answer is that by remaining hidden, the casual viewer can't “fix” something that isn't broken. But still, the zone is “there” and, being a compulsive fixer anyway, I figured there should be a way to gain admission into this invisible realm for me or anyone else who can't leave things alone. If so, this might even be useful from time to time—especially if I could make other zones come and go on command. It turns out it was easier than I thought, due to a 4-byte Flags entry in each Zone key's Contents pane. The Flags entry in Zone 0 was set at 0x00000021, and that “2” means bit 5 is set to 1. The same bit in every other zone was 0, which was a promising clue. Sure enough, a 1 at this position hides the zone and a 0 displays it, as I discovered when I made a quick change to 0x00000001. A “My Computer” icon showed up on the Security tab, and I could now design a custom security level right here on My Computer—a dubious “feature” at best. However, you can apply the same tip in reverse to any other zone. Thus, once you've customized your Trusted Sites and/or Restricted Sites list, you can hide that zone to prevent others from meddling with your settings when you're not around.

If you'd rather not muck about in the Registry, just write a little text file and save it with a REG extension, as follows:


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\x]


  1. The long string enclosed in brackets must be written as a single line.
  2. Replace the “x” with the zone number (0 through 4, as desired).
  3. Replace “abcdefgh” with the string given below to produce the indicated result.
  4. Press the Enter key at the end of the last line before saving the file, then double-click on it to make the change.
Zone Change this: to this: Result
0 00000021 (no change) “My Computer” remains hidden
0 00000021 00000001 Show “My Computer”
1 000000db 000000fb Hide “Local Intranet”
2 00000047 00000067 Hide “Trusted sites”
3 00000001 00000021 Hide “Internet”
4 00000003 00000023 Hide “Restricted sites”

In the above examples, each edit toggles bit 5 without changing anything else, so verify that the “Change this:” value is the same as yours before continuing. If not, then revise the “to this:” entry as necessary to toggle bit 5 while not changing anything else.

If you do decide to customize your own “My Computer” security zone, first export the present Zone 0 key as LOW.REG. Then make whatever changes you like—including re-hiding the zone—and save it as HIGH.REG. Double-click HIGH.REG whenever you want to protect your PC from the office busybodies, and later on double-click LOW.REG to restore it to normal operation.

There's Security in Numbers

The Registry keeps track of each security zone's settings via a series of DWORD data values, each given a four-character “name” in hexadecimal notation. The following table shows each such name, followed by the text seen in the Settings window for any zone. The list is arranged in the order that the options appear in the Settings window:

1001   Download signed ActiveX Controls
1004   Download unsigned ActiveX Controls
1201   Initialize and script ActiveX controls not marked as safe
1200   Run ActiveX controls and plug-ins
1405   Script ActiveX controls marked safe for scripting
1A02   Allow cookies that are stored on your computer
1A03   Allow per-session cookies (not stored)
1803   File download
1604   Font download
1C00   Java permissions
1406   Access data sources across domains
1A04   Don't prompt for client certificate . . .
1802   Drag and drop or copy and paste files
1800   Installation of desktop items
1804   Launching applications and files in an IFRAME
1607   Navigate sub-frames across different domains
1E05   Software channel permissions
1601   Submit non-encrypted form data
1606   Userdata persistence
1400   Active scripting
1407   Allow paste operations via script
1402   Scripting of Java applets
1A00   Logon
1605   HTML Java Run
1805   Webview verb invoke, clobber since no UI

Although the last two numbers in the list appear in the Registry's Zones subkeys, equivalent options don't appear in the Settings list. Therefore the text lines shown here were found by snooping through some of the DLL files associated with Internet properties.

Changing a Security Zone Icon

If you added Dave's “Tracking Sites” zone, you probably see two icons with a white horizontal line in a red circle. To change either or both to something else, just edit the Icon entry in the appropriate zone's Contents pane. Although elsewhere in the Registry a specified icon gets its own DefaultIcon key, needless to say IE does things a bit differently (act surprised). Rather than writing a (Default) entry of say, PIFMGR.DLL,38 in the contents pane of a DefaultIcon key, re-write the Icon entry line as PIFMGR.DLL#38 instead. In other words, specify the name of the file containing the icon, followed by a pound sign and the icon position within that file. This works for the icons in a file that are numbered 1 through 47. But if the number is 48 or higher, the icon seems to be ignored in favor of icon 21 in the INETCPL.CPL file—even if you've specified a different file. This icon also shows up if the Icon entry is completely missing, so I guess it's the fallback icon when Windows gets confused. If you encounter an 8-digit number (#00004480 in Zone 2, for example), this appears to be written in the “icon resource number” format which is used for all zones except the Local Intranet. Needless to say Microsoft provides no information about such numbers, so you'd have to do some reverse engineering to figure out the relationship between this apparently meaningless string and the icon it represents.

This expanded view of the IE Properties Security tab shows Dave Methvin's new Tracking Sites zone with a distinctive icon taken from the PIFMGR.DLL file. Also, the My Computer zone is now visible. The large number next to each icon (not seen in the actual Settings box) indicates the zone number.

Easy HTML Edits

There's good news and bad news about HTML editing while viewing an offline page in IE. The good news is it's easy to view the underlying code because a simple click of the Edit button brings up the page in the default HTML editor. The bad news is that the editor is often Notepad or MS Word-one a bit too limited, the other too complex to do the job right. I've said it before: I prefer WordPad for its refreshing lack of brain-power. It doesn't try to figure out what I really want to do and then “fix” things for me. It just does what its told, nothing more, nothing less. But perhaps Mr. Bill doesn't approve: if you look for WordPad among the HTML editor options on IE's Programs tab, it may not be there. In that case, here's how to add it to the list.

If you're using Word 97 or earlier, open the Registry and write the key structure shown here, or take the easy route—download my little WORDPAD.REG file (// and double-click on it to add all this to the Registry. But if Word 2000 is installed, don't bother with this. Just add an empty subkey named WORDPAD.EXE under the OpenWithList key instead.

The WordPad key structure shown here adds WordPad to the list of IE editor options.

In either case you can now make WordPad the default HTML editor by doing the following:

  1. Open the IE Tools menu and select Internet Options.
  2. Select the Programs tab.
  3. Click the down-arrow next to the HTML editor box and select WordPad.
  4. Click the Apply button and the OK button to exit.

If Word 2000 still tries to do your HTML editing, you may want to kill it (at least as the default HTML editor). It's as easy as 1-2 ... 7.

  1. Open Word 2000.
  2. Open the Tools menu and select Options.
  3. Select the General tab.
  4. Click the Web Options button.
  5. Select the Files tab.
  6. Clear the check box next to “Check if Word is the default editor for all other Web pages.”
  7. Exit Word.

If you want to remove Word from the IE Edit list, go back to the OpenWithList key and delete the WINWORD.EXE subkey. Make this the final step, because if you kill the key while Word is still the Default editor, it will just be re-written and you'll have to kill it again later on.

2001, John Woram