Internet Features

For the release of Windows XP SP2 and Windows Server 2003 SP1, Microsoft seems to have got very conscious of a need to be seen to do more about security for web browsing. The URLMON.DLL in these service-pack releases introduces a scheme of named security features. Each is a defence of some sort, such that the cautious configuration is to enable the feature. Features may be configured differently for different processes. Provision also exists by which a feature that is enabled in general for some process is disabled for the process’s work with a trusted URL.

These features are made programmatically accessible through functions exported from URLMON, the archetypes being CoInternetIsFeatureEnabled and CoInternetSetFeatureEnabled. They are all documented, and some even have user-interface support.

The following are the features that are supported as of version 7.00 (for Windows Vista).

Constant  Name                                      Applicable Versions
0x00      FEATURE_OBJECT_CACHING                    6.00 from Windows XP SP2, and higher
0x01      FEATURE_ZONE_ELEVATION                    6.00 from Windows XP SP2, and higher
0x02      FEATURE_MIME_HANDLING                     6.00 from Windows XP SP2, and higher
0x03      FEATURE_MIME_SNIFFING                     6.00 from Windows XP SP2, and higher
0x04      FEATURE_WINDOW_RESTRICTIONS               6.00 from Windows XP SP2, and higher
0x05      FEATURE_WEBOC_POPUPMANAGEMENT             6.00 from Windows XP SP2, and higher
0x06      FEATURE_BEHAVIORS                         6.00 from Windows XP SP2, and higher
0x07      FEATURE_DISABLE_MK_PROTOCOL               6.00 from Windows XP SP2, and higher
0x08      FEATURE_LOCALMACHINE_LOCKDOWN             6.00 from Windows XP SP2, and higher
0x09      FEATURE_SECURITYBAND                      6.00 from Windows XP SP2, and higher
0x0A      FEATURE_RESTRICT_ACTIVEXINSTALL           6.00 from Windows XP SP2, and higher
0x0B      FEATURE_VALIDATE_NAVIGATE_URL             6.00 from Windows XP SP2, and higher
0x0C      FEATURE_RESTRICT_FILEDOWNLOAD             6.00 from Windows XP SP2, and higher
0x0D      FEATURE_ADDON_MANAGEMENT                  6.00 from Windows XP SP2, and higher
0x0E      FEATURE_PROTOCOL_LOCKDOWN                 6.00 from Windows XP SP2, and higher
0x0F      FEATURE_HTTP_USERNAME_PASSWORD_DISABLE    6.00 from Windows XP SP2, and higher
0x10      FEATURE_SAFE_BINDTOOBJECT                 6.00 from Windows XP SP2, and higher
0x11      FEATURE_UNC_SAVEDFILECHECK                6.00 from Windows XP SP2, and higher
0x12      FEATURE_GET_URL_DOM_FILEPATH_UNENCODED    6.00 from Windows XP SP2, and higher
0x13      FEATURE_TABBED_BROWSING                   7.00 and higher
0x14      FEATURE_SSLUX                             7.00 and higher
0x15      FEATURE_DISABLE_NAVIGATION_SOUNDS         7.00 and higher
0x16      FEATURE_DISABLE_LEGACY_COMPRESSION        7.00 and higher
0x17      FEATURE_FORCE_ADDR_AND_STATUS             7.00 and higher
0x18      FEATURE_XMLHTTP                           7.00 and higher
0x19      FEATURE_DISABLE_TELNET_PROTOCOL           7.00 and higher
0x1A      FEATURE_FEEDS                             7.00 and higher
0x1B      FEATURE_BLOCK_INPUT_PROMPTS               7.00 and higher

Registry Settings

The initial state for each feature is loaded from the registry. As with several other collections of registry settings for Internet Explorer, the feature controls may appear in any of several branches. In order of decreasing precedence, these are:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl

except that the branches in HKEY_CURRENT_USER are ignored if the following evaluates to 1:

Key    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Value  Security_HKLM_only
Type   REG_DWORD

The merit of allowing the same setting at the same relative place in each of several branches is the usual one: policies can be distinguished from preferences, and either can be set machine-wide or per user.

Each feature is its own subkey of the FeatureControl key. The (case-insensitive) values in the feature’s key each name a process. A special value * catches processes that aren’t named explicitly. A feature is evaluated for a process by iterating through the applicable branches in order of decreasing precedence and accepting the first value that applies to that process. It does not matter which branch the value comes from. Each feature has a default for when no applicable value is found in any branch.

Key      HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\feature
         HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\feature
         HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\feature
         HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\feature
Value    filename for any process whose executable has that filename (subject to note below);
         * for all executables
Type     REG_SZ in policy branches, else REG_DWORD
Data     the string 0 in policy branches, else the dword 0, for false;
         the string 1 in policy branches, else the dword 1, for true;
         else value is ignored
Default  varies with feature and filename

Among the filename values for any feature control, iexplore.exe also stands for any process whose filename is “ieuser.exe”, with the side-effect that values named ieuser.exe are ignored.
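As an added illustration (not URLMON's own code), the lookup just described can be modelled in Python against a constructed in-memory registry snapshot. The model assumes that within each branch a value named for the process is consulted before the * catch-all, and it leaves out the per-feature exceptions to the defaults.

```python
from typing import Dict, Optional, Tuple

# key path -> {value name: (type, data)}; a constructed in-memory snapshot, not a live registry
Registry = Dict[str, Dict[str, Tuple[str, object]]]

# the four FeatureControl branches in decreasing precedence: (hive, is_policy_branch)
BRANCHES = [("HKEY_LOCAL_MACHINE", True), ("HKEY_CURRENT_USER", True),
            ("HKEY_CURRENT_USER", False), ("HKEY_LOCAL_MACHINE", False)]
HKLM_ONLY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
IE_PROCESSES = {"explorer.exe", "ieuser.exe", "iexplore.exe"}  # processes that get the IE default

def feature_key(hive: str, policy: bool, feature: str) -> str:
    mid = r"Software\Policies\Microsoft" if policy else r"Software\Microsoft"
    return hive + "\\" + mid + r"\Internet Explorer\Main\FeatureControl" + "\\" + feature

def decode(policy: bool, vtype: str, data: object) -> Optional[bool]:
    """Policy branches take REG_SZ "0"/"1", the others REG_DWORD 0/1; anything else is ignored."""
    if policy and vtype == "REG_SZ" and data in ("0", "1"):
        return data == "1"
    if not policy and vtype == "REG_DWORD" and data in (0, 1):
        return data == 1
    return None

def is_feature_enabled(reg: Registry, feature: str, process: str) -> bool:
    """Resolve one feature for one process by the rules described in the text."""
    proc = process.lower()
    if proc == "ieuser.exe":           # values named iexplore.exe also cover ieuser.exe
        proc = "iexplore.exe"
    hklm_only = reg.get(HKLM_ONLY, {}).get("Security_HKLM_only") == ("REG_DWORD", 1)
    for hive, policy in BRANCHES:
        if hklm_only and hive == "HKEY_CURRENT_USER":
            continue                   # Security_HKLM_only = 1 drops both per-user branches
        key = reg.get(feature_key(hive, policy, feature), {})
        values = {name.lower(): v for name, v in key.items()}  # value names are case-insensitive
        for name in (proc, "*"):       # assumption: the named process is checked before the * catch-all
            if name in values:
                state = decode(policy, *values[name])
                if state is not None:  # a malformed value is skipped rather than read as false
                    return state
    return process.lower() in IE_PROCESSES  # per-feature exceptions to the defaults are not modelled

SAMPLE: Registry = {  # constructed data that exercises each rule
    feature_key("HKEY_LOCAL_MACHINE", True, "FEATURE_ZONE_ELEVATION"): {"*": ("REG_SZ", "1")},
    feature_key("HKEY_CURRENT_USER", False, "FEATURE_ZONE_ELEVATION"): {"MyApp.exe": ("REG_DWORD", 0)},
    feature_key("HKEY_CURRENT_USER", True, "FEATURE_MIME_SNIFFING"): {"*": ("REG_DWORD", 0)},  # wrong type
    feature_key("HKEY_CURRENT_USER", False, "FEATURE_RESTRICT_FILEDOWNLOAD"): {"*": ("REG_DWORD", 1)},
    feature_key("HKEY_LOCAL_MACHINE", False, "FEATURE_LOCALMACHINE_LOCKDOWN"):
        {"iexplore.exe": ("REG_DWORD", 0), "other.exe": ("REG_DWORD", 7)},  # 7 is ignored
}
LOCKED: Registry = {**SAMPLE, HKLM_ONLY: {"Security_HKLM_only": ("REG_DWORD", 1)}}
```

With SAMPLE, the machine policy keeps FEATURE_ZONE_ELEVATION on for MyApp.exe despite the user's preference, the mistyped policy value for FEATURE_MIME_SNIFFING is ignored, and LOCKED shows Security_HKLM_only discarding the per-user setting for FEATURE_RESTRICT_FILEDOWNLOAD.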

Note, by the way, that the pattern of these registry settings is not exclusive to the features that are exposed through exported URLMON functions. There are very many internal features. For a list, see Feature Control in Internet Explorer.

Defaults

Each feature has two types of default.

The Internet Explorer default applies when the feature is requested for a process named EXPLORER.EXE, IEUSER.EXE or IEXPLORE.EXE. The Internet Explorer default has all features enabled except:

For other processes, all features are disabled by default except:

User-Interface Support

Some of the features have user-interface support as administrative policies through the Windows Vista version of the Group Policy Object Editor. The following table lists the folders among the Security Features in the Internet Explorer administrative template (displayed under Windows Components), and shows the feature that corresponds to each. Note that this support isn’t complete even for the original features and doesn’t extend to any of the features added for Windows Vista.

Folder                                    Feature
Add-on Management                         FEATURE_ADDON_MANAGEMENT
Binary Behavior Security Restriction      FEATURE_BEHAVIORS
Consistent Mime Handling                  FEATURE_MIME_HANDLING
Information Bar                           FEATURE_SECURITYBAND
Local Machine Zone Lockdown Security      FEATURE_LOCALMACHINE_LOCKDOWN
Mime Sniffing Safety Feature              FEATURE_MIME_SNIFFING
MK Protocol Security Restriction          FEATURE_DISABLE_MK_PROTOCOL
Network Protocol Lockdown                 FEATURE_PROTOCOL_LOCKDOWN
Object Caching Protection                 FEATURE_OBJECT_CACHING
Protection From Zone Elevation            FEATURE_ZONE_ELEVATION
Restrict ActiveX Install                  FEATURE_RESTRICT_ACTIVEXINSTALL
Restrict File Download                    FEATURE_RESTRICT_FILEDOWNLOAD
Scripted Window Security Restrictions     FEATURE_WINDOW_RESTRICTIONS

One feature is known to have user-interface support through Internet Properties in the Control Panel, in the Security group on the Advanced tab. The support is specific to “iexplore.exe” as the process. Checking “Allow active content to run in files on My Computer” disables FEATURE_LOCALMACHINE_LOCKDOWN.