Event 1023 - Zone Elevation Restrictions

Applies To: Windows 7, Windows Vista

Zone elevation is an attempt to gain access to a security zone with stronger security from a security zone with weaker security. Web pages on a user's computer run in the Local Machine zone, which has fewer security restrictions than pages on the Internet. This makes the Local Machine zone a prime destination for malicious users.

Zone Elevation Restrictions prevent the overall security context of any link on a page from being higher than the security context of the root URL. This means, for example, that a page in the Internet zone cannot navigate to a page in the Local intranet zone except as the result of a user-initiated action. A script cannot automatically make this sort of navigation without user interaction, such as a mouse click or a keystroke. Zone Elevation Restrictions also disable JavaScript navigation if there is no security context.

Note

The security ranking of the zones, from highest security to lowest, is Restricted sites zone, Internet zone, Local intranet zone, Trusted sites zone, and Local Machine zone.

When Is This Event Logged?

This event is logged when a weaker security-enabled zone attempts to access a stronger security-enabled zone.

Note

For more information and examples, see the Event 1023-Zone Elevation Restrictions topic from Internet Explorer Application Compatibility.

Remediation

You manage the Zone Elevation Restrictions through a security feature-control registry key (FEATURE_ZONE_ELEVATION). Windows® Internet Explorer® (Iexplore.exe) and Windows Explorer (Explorer.exe) run under this feature control by default. The following shows the registry keys and enabled processes:

  • HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe= 0x00000001

  • HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\explorer.exe= 0x00000001

  • HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\process name.exe=0x00000001

Applications that host the WebBrowser control can also take advantage of the security feature control by adding their process to the same registry locations. You can do this programmatically, using the CoInternetSetFeatureEnabled function.

Note

If an application does not run under this security feature control, the WebBrowser control behaves the same as previous versions of Internet Explorer.

Applications can also use the CoInternetIsFeatureZoneElevationEnabled function to determine whether to enable navigation from one URL to another. The function returns an HRESULT based on the value of the URL policy for the URL action flag URLACTION_FEATURE_ZONE_ELEVATION in the zone of the specified URL.

To modify the security zone settings

  1. In Internet Explorer, click Tools, point to Internet Options, and then click the Security tab.

  2. Select the required zone, and then click Custom Level.

  3. Scroll down under Miscellaneous and then select the check box for Web sites in less restricted web content zone can navigate into this zone.

How Can I Work Around This Problem?

If you need to open a local file from the Internet or local intranet zone, you can add a Mark of the Web comment in the HTML code. This Internet Explorer feature forces your HTML files into a zone other than the Local Machine zone, based on the URL identified in the comment.

To insert a Mark of the Web comment into your HTML file, add the following comment:

<!-- saved from url= <(0022)http://www.fabrikam.com>-->

Where http://www.fabrikam.com is the URL of the Internet or intranet domain hosting the page, and 0022 is the length of the URL.

You can use the Mark of the Web comment with .mht, .xml, or .htc files; however, if you use a version prior to Internet Explorer 6 for Windows XP with Service Pack 2 (SP2), the Mark of the Web is ignored.

If you need to access local resource files, such as .doc or .xls files, you can disable the zone elevation feature for the Local Machine zone, by using the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\2101 = 0

What Happens If I Disable This Security Feature?

The Local Machine zone is a prime target for malicious users attempting to gain access to a more secure zone. Disabling this feature reduces security in the Local Machine zone.

See Also

Concepts

Known Internet Explorer Security Feature Issues