URL Action Flags
The following list contains values associated with the actions that can be taken in a URL security zone. The possible URL policy values for each of the listed URL action flags can be found in About URL Security Zones.
| Constant/value | Description |
|---|---|
|
|
| URLACTION_ACTIVEX_CONFIRM_NOOBJECTSAFETY 0x00001204 | User can decide whether to load and script a ActiveX control that is not safe. |
| URLACTION_ACTIVEX_CURR_MAX 0x0000120B | Current maximum value of the URL action ActiveX flags. |
| URLACTION_ACTIVEX_DYNSRC_VIDEO_AND_ANIMATION 0x0000120A | Internet Explorer 7. Determines whether to allow native playback of video and animation in Web pages that specify media files in the DYNSRC attribute of the IMG element. Users may still be able to view non-native video and animation because animation and video can be created in the context of an external player application using the OBJECT tag. As of Internet Explorer 8, this setting also applies to HTML+TIME elements. |
| URLACTION_ACTIVEX_MAX 0x000013ff | Maximum value of the URL action ActiveX flags. |
| URLACTION_ACTIVEX_MIN 0x00001200 | Minimum value of the URL action ActiveX flags. |
| URLACTION_ACTIVEX_NO_WEBOC_SCRIPT 0x00001206 | Controls the ability to script the Web browser ActiveX control. |
| URLACTION_ACTIVEX_OVERRIDE_DATA_SAFETY 0x00001202 | Determines whether ActiveX safety for untrusted data can be overridden. |
| URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY 0x00001201 | Determines whether the ActiveX control object safety is overridden or enforced for pages in the URL security zone. Object safety should be overridden only if all ActiveX Controls and scripts that might interact with them on pages in the zone can be trusted not to breach security. This is an aggregate of URLACTION_ACTIVEX_OVERRIDE_DATA_SAFETY, URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY, URLACTION_ACTIVEX_CONFIRM_NOOBJECTSAFETY, and URLACTION_SCRIPT_OVERRIDE_SAFETY. |
| URLACTION_ACTIVEX_OVERRIDE_OPTIN 0x00001208 | Internet Explorer 7. Applications can opt in to bypass the ActiveX prompt mode to prevent security prompts from appearing out of context. This action determines whether to override this setting. |
| URLACTION_ACTIVEX_OVERRIDE_REPURPOSEDETECTION 0x00001207 | Internet Explorer 6 for Windows XP SP2 and later. Determines whether to perform ActiveX repurpose detection, which tests if the control is safe to be hosted. Internet Explorer checks for the IObjectSafety interface on ActiveX controls in the Internet zone to identify how the author intends for the control to be reused. (See KB909738 for more information.) The default policy for this action is set by security update and should not be modified. Requires that the feature control FEATURE_ACTIVEX_REPURPOSEDETECTION is enabled. |
| URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY 0x00001203 | Determines whether ActiveX safety for scripting is overridden. |
| URLACTION_ACTIVEX_RUN 0x00001200 | Manages the execution of ActiveX Controls and plug-ins from HTML pages in the zone. |
| URLACTION_ACTIVEX_SCRIPTLET_RUN 0x00001209 | Internet Explorer 7. Determines whether scriptlets are allowed to run. This action has no effect if URLACTION_ACTIVEX_RUN is disabled. |
| URLACTION_ACTIVEX_TREATASUNTRUSTED 0x00001205 | Not implemented. |
| URLACTION_ACTIVEX_OVERRIDE_DOMAINLIST 0x0000120B | Internet Explorer 8. When enabled, allows ActiveX controls to run without prompting in approved domains. The Per-Site ActiveX feature can be enabled and disabled under Internet Options; to do so, click the Security tab, select a security zone, click the Custom Level button, and then select one of the option buttons under "Only allow approved domains to use ActiveX without prompt." |
| URLACTION_ALLOW_ACTIVEX_FILTERING 0x00002702 | Internet Explorer 9. Determines whether ActiveX Filtering is allowed for the security zone. No filtering occurs until the user enables ActiveX Filtering on the Safety menu. ActiveX Filtering is disabled by default in the Local intranet zone. |
| URLACTION_ALLOW_APEVALUATION 0x00002301 | Internet Explorer 7 and later. Determine whether Phishing Filter evaluation is enabled. |
| URLACTION_ALLOW_AUDIO_VIDEO 0x00002701 | Internet Explorer 9. Determines whether media elements (audio and video) are allowed. For the element to appear, both the security zone of the host webpage and the media source must allow media. By default, this URLAction permits playback of resources from all zones except the Restricted Sites zone. This means that pages in the restricted zone cannot play media from anywhere, and that pages in other zones do not permit media that is loaded from restricted sites. |
| URLACTION_ALLOW_RESTRICTEDPROTOCOLS 0x00002300 | Internet Explorer 6 for Windows XP SP2 and later. Determines whether content loaded over a particular protocol should be restricted. Requires that the feature control FEATURE_PROTOCOL_LOCKDOWN is enabled. |
| URLACTION_ALLOW_STRUCTURED_STORAGE_SNIFFING 0x00002703 | Internet Explorer 9. Determines whether to return the CLSID from a structured storage file when calling GetClassFileOrMime. Enabled by default in the Local intranet and Trusted sites security zone. To disallow sniffing across all zones, enable the |
| URLACTION_ALLOW_XDOMAIN_SUBFRAME_RESIZE 0x00001408 | Internet Explorer 7. Prevents content from an different domain from executing a resize command on a subframe (frame/iframe). The following methods are blocked: window.IHTMLWindow2::moveTo(x,y), window.IHTMLWindow2::moveBy(x,y), window.IHTMLWindow2::resizeTo(x,y), window.IHTMLWindow2::resizeBy(x,y). There is no UI to modify this behavior. |
| URLACTION_AUTHENTICATE_CLIENT 0x00001A01 | Not currently used. |
| URLACTION_AUTOMATIC_ACTIVEX_UI 0x00002201 | Internet Explorer 6 for Windows XP SP2 and later. Determines whether to display the Information Bar for ActiveX control installations rather than the ActiveX control prompt. Requires that the feature control FEATURE_RESTRICT_ACTIVEXINSTALL for code downloads is enabled. |
| URLACTION_AUTOMATIC_DOWNLOAD_UI 0x00002200 | Internet Explorer 6 for Windows XP SP2 and later. Determines whether to display the file download dialogs or the Information Bar for downloads that are not initiated by the user. Requires that the feature control FEATURE_RESTRICT_FILEDOWNLOAD for file downloads is enabled. |
| URLACTION_AUTOMATIC_DOWNLOAD_UI_MIN 0x00002200 | Internet Explorer 6 for Windows XP SP2 and later. Minimum value of the URL action download UI flags. |
| URLACTION_BEHAVIOR_MIN 0x00002000 | Internet Explorer 6 for Windows XP SP2 and later. Minimum value of the URL action behavior flags. |
| URLACTION_BEHAVIOR_RUN 0x00002000 | Internet Explorer 6 for Windows XP SP2 and later. Determines whether to allow DHTML behaviors and binary behaviors to run securely. Requires that the feature control FEATURE_BEHAVIORS is enabled. |
| URLACTION_CHANNEL_SOFTDIST_MAX 0x00001Eff | Maximum value for a URL action Software Update Channel flag. |
| URLACTION_CHANNEL_SOFTDIST_MIN 0x00001E00 | Minimum value for a URL action Software Update Channel flag. |
| URLACTION_CHANNEL_SOFTDIST_PERMISSIONS 0x00001E05 | Determines the level of trust placed on Software Update Channels. |
| URLACTION_CLIENT_CERT_PROMPT 0x00001A04 | Internet Explorer 6 and later. Determines whether to suppress the authentication dialog that prompts the user to select a client certificate when no certificate or only one certificate is already installed. |
| URLACTION_COOKIES 0x00001A02 | Determines whether HTTP persistent cookies are allowed. |
| URLACTION_COOKIES_ENABLED 0x00001A10 | Internet Explorer 6 and later. Determines whether HTTP cookies can be set and retrieved. |
| URLACTION_COOKIES_SESSION 0x00001A03 | Determines whether HTTP session cookies are allowed. |
| URLACTION_COOKIES_SESSION_THIRD_PARTY 0x00001A06 | Internet Explorer 6 and later. Determines whether third-party HTTP session cookies are allowed. |
| URLACTION_COOKIES_THIRD_PARTY 0x00001A05 | Internet Explorer 6 and later. Determines whether third-party HTTP persistent cookies are allowed. |
| URLACTION_CREDENTIALS_USE 0x00001A00 | Determines how the user's credentials are used over the network. |
| URLACTION_CROSS_DOMAIN_DATA 0x00001406 | Determines whether the resource is allowed to access data sources across domains. |
| URLACTION_DOTNET_USERCONTROLS 0x00002005 | Internet Explorer 8. Determines whether to load a .NET user control on a Web page. Note that the applicable security zone is that of the control (based on URL), not that of the hosting page. This URL Action can only be set in the registry; no user interface is provided in the Internet Options dialog box. To configure this option with Group Policy, a custom administrative template (ADMX) must be deployed. |
| URLACTION_DOWNLOAD_CURR_MAX 0x00001004 | Maximum value for the URL action download flags. |
| URLACTION_DOWNLOAD_MAX 0x000011FF | Maximum value of a URL action download flag. |
| URLACTION_DOWNLOAD_MIN 0x00001000 | Minimum value of a URL action download flag. |
| URLACTION_DOWNLOAD_SIGNED_ACTIVEX 0x00001001 | Manages the download of signed ActiveX Controls from the URL zone of the HTML page that contains the control. |
| URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX 0x00001004 | Manages the download of unsigned ActiveX Controls from the URL zone of the HTML page that contains the control. |
| URLACTION_FEATURE_BLOCK_INPUT_PROMPTS 0x00002105 | Internet Explorer 7. Determines whether to allow the popup blocker to show input prompt dialogs. Used to mitigate the risk of spoofing. |
| URLACTION_FEATURE_CROSSDOMAIN_FOCUS_CHANGE 0x00002107 | Internet Explorer 9. Determines whether a caller is allowed to steal input focus from a different top-level parent. Normally, only windows with the same top-level parent are allowed to steal input focus from each other. |
| URLACTION_FEATURE_DATA_BINDING 0x00002106 | Internet Explorer 8. Determines whether databinding is supported. By default, this feature is disabled in the Restricted zone, and in the High security template. |
| URLACTION_FEATURE_FORCE_ADDR_AND_STATUS 0x00002104 | Internet Explorer 7. Determines whether to allow sites to open windows without address or status bar. Overrides the setting of FEATURE_FORCE_ADDR_AND_STATUS. This flag also overrides the attempt of a script to hide the status and address bar. |
| URLACTION_FEATURE_MIME_SNIFFING 0x00002100 | Internet Explorer 6 for Windows XP SP2 and later. Allows Internet Explorer to determine a file's type by examining its bit signature. Internet Explorer uses this information to determine how to render the file. Requires that the feature control FEATURE_MIME_SNIFFING is enabled. |
| URLACTION_FEATURE_MIN 0x00002100 | Internet Explorer 6 for Windows XP SP2 and later. Minimum value of the URL action feature control flags. |
| URLACTION_FEATURE_SCRIPT_STATUS_BAR 0x00002103 | Internet Explorer 7. Determines whether scripts can update the text of the status bar. |
| URLACTION_FEATURE_WINDOW_RESTRICTIONS 0x00002102 | Internet Explorer 6 for Windows XP SP2 and later. Determines whether a window should be constrained to the viewable desktop area and forced to have a status bar. Also, pop-up windows without chrome should be restricted in size and position so that they cannot overlay important information on their parent windows and cannot overlay system dialog box information. Requires that the feature control FEATURE_WINDOW_RESTRICTIONS is enabled. |
| URLACTION_FEATURE_ZONE_ELEVATION 0x00002101 | Internet Explorer 6 for Windows XP SP2 and later. Determines whether to prevent non-user-initiated navigation between a page in a lower security zone to a page in a higher security zone. Requires that the feature control FEATURE_ZONE_ELEVATION is enabled. |
| URLACTION_HTML_CURR_MAX 0x00001609 | Deprecated. Use URLACTION_HTML_MAX instead. |
| URLACTION_HTML_FONT_DOWNLOAD 0x00001604 | Determines whether HTML font downloads are allowed. |
| URLACTION_HTML_INCLUDE_FILE_PATH 0x0000160A | Internet Explorer 7. Controls whether file pathnames are submitted during a file upload. |
| URLACTION_HTML_JAVA_RUN 0x00001605 | Determines whether Java applets are allowed to run. |
| URLACTION_HTML_MAX 0x000017ff | Maximum value of the URL action HTML flags. |
| URLACTION_HTML_META_REFRESH 0x00001608 | Internet Explorer 6 and later. Determines whether an HTML page can refresh in the security zone where the page is hosted. |
| URLACTION_HTML_MIN 0x00001600 | Minimum value of the URL action HTML flags. |
| URLACTION_HTML_MIXED_CONTENT 0x00001609 | Internet Explorer 6 and later. Indicates that a secure HTTPS document contains unsecure elements, such as frames, HTTP image sources, and so forth. |
| URLACTION_HTML_SUBFRAME_NAVIGATE 0x00001607 | Internet Explorer 5 and later. Determines whether subframes are allowed to navigate across different domains. |
| URLACTION_HTML_SUBMIT_FORMS 0x00001601 | Determines whether HTML forms on pages in the URL security zone, or submitted to servers in the zone, are allowed. Aggregate of the URLACTION_HTML_SUBMIT_FORMS_FROM and URLACTION_HTML_SUBMIT_FORMS_TO flags. |
| URLACTION_HTML_SUBMIT_FORMS_FROM 0x00001602 | Determines whether form submissions from pages in the security zone are allowed. This flag is part of the URLACTION_HTML_SUBMIT_FORMS aggregate flag. |
| URLACTION_HTML_SUBMIT_FORMS_TO 0x00001603 | Determines whether form submissions to a server in the security zone are allowed. This flag is part of the URLACTION_HTML_SUBMIT_FORMS aggregate flag. |
| URLACTION_HTML_USERDATA_SAVE 0x00001606 | Internet Explorer 5 and later. Determines whether user data persistence is enabled. |
| URLACTION_INFODELIVERY_CURR_MAX 0x00001D06 | Reserved. |
| URLACTION_INFODELIVERY_MAX 0x00001Dff | Reserved. |
| URLACTION_INFODELIVERY_MIN 0x00001D00 | Reserved. |
| URLACTION_INFODELIVERY_NO_ADDING_CHANNELS 0x00001D00 | Reserved. |
| URLACTION_INFODELIVERY_NO_ADDING_SUBSCRIPTIONS 0x00001D03 | Reserved. |
| URLACTION_INFODELIVERY_NO_CHANNEL_LOGGING 0x00001D06 | Reserved. |
| URLACTION_INFODELIVERY_NO_EDITING_CHANNELS 0x00001D01 | Reserved. |
| URLACTION_INFODELIVERY_NO_EDITING_SUBSCRIPTIONS 0x00001D04 | Reserved. |
| URLACTION_INFODELIVERY_NO_REMOVING_CHANNELS 0x00001D02 | Reserved. |
| URLACTION_INFODELIVERY_NO_REMOVING_SUBSCRIPTIONS 0x00001D05 | Reserved. |
| URLACTION_INPRIVATE_BLOCKING 0x00002700 | Internet Explorer 8. Enables third-party URL tracking in the security zone, also known as InPrivate Browsing. |
| URLACTION_JAVA_CURR_MAX 0x00001C00 | Current maximum value of the URL action Java flags. |
| URLACTION_JAVA_MAX 0x00001Cff | Maximum value for URL action Java flags. |
| URLACTION_JAVA_MIN 0x00001C00 | Minimum value for URL action Java flags. |
| URLACTION_JAVA_PERMISSIONS 0x00001C00 | Determines the Java permissions for the zone. |
| URLACTION_MANAGED_SIGNED 0x00002001 | Windows XP SP2 and later. Determines whether to run Framework-reliant components that have been signed with Authenticode. This constant is not defined in Urlmon.h nor is it used directly by Internet Explorer; it is created by the CLR. |
| URLACTION_MANAGED_UNSIGNED 0x00002004 | Windows XP SP2 and later. Determines whether to run Framework-reliant components that have not been signed with Authenticode. This constant is not defined in Urlmon.h nor is it used directly by Internet Explorer; it is created by the CLR. |
| URLACTION_LOOSE_XAML 0x00002402 | Internet Explorer 7. Determines whether to process Loose XAML files, which are markup-only files that are not compiled into a browser application. See also URLACTION_WINDOWS_BROWSER_APPLICATIONS. |
| URLACTION_LOWRIGHTS 0x00002500 | Internet Explorer 7. Determines whether Protected Mode is enabled in the security zone. Available on Windows Vista only. |
| URLACTION_MIN 0x00001000 | The minimum value of URLACTIONS. |
| URLACTION_NETWORK_CURR_MAX 0x00001A10 | Current maximum value for URL action network flags. |
| URLACTION_NETWORK_MAX 0x00001Bff | Maximum value for URL action network flags. |
| URLACTION_NETWORK_MIN 0x00001A00 | Minimum value for URL action network flags. |
| URLACTION_SCRIPT_CURR_MAX 0x00001408 | Current maximum value for a URL action script flag. |
| URLACTION_SCRIPT_JAVA_USE 0x00001402 | Determines whether script code on HTML pages in the URL security zone is allowed to use Java applets if the properties, methods, and events of the applet are exposed to scripts. |
| URLACTION_SCRIPT_MAX 0x000015ff | Maximum value for a URL action script flag. |
| URLACTION_SCRIPT_MIN 0x00001400 | Minimum value for a URL action script flag. |
| URLACTION_SCRIPT_OVERRIDE_SAFETY 0x00001401 | Do not use ActiveX safety for objects created by scripts. |
| URLACTION_SCRIPT_PASTE 0x00001407 | Internet Explorer 5 and later. Determines whether scripts can do paste operations. |
| URLACTION_SCRIPT_RUN 0x00001400 | Determines whether script code on the pages in the URL security zone is run. |
| URLACTION_SCRIPT_SAFE_ACTIVEX 0x00001405 | Determines whether scripting of safe ActiveX Controls is allowed. |
| URLACTION_SCRIPT_XSSFILTER 0x00001409 | Internet Explorer 8. Enables or disables cross-site scripting (XSS) filter. This security setting determines the default behavior of the browser if the |
| URLACTION_SHELL_CURR_MAX 0x0000180C | Current maximum value for a URL action Shell flag. |
| URLACTION_SHELL_ENHANCED_DRAGDROP_SECURITY 0x0000180B | Internet Explorer 6 for Windows XP SP2 and later. Determines whether to allow drag-and-drop operations that originate from Internet Explorer. |
| URLACTION_SHELL_EXECUTE_HIGHRISK 0x00001806 | Internet Explorer 6 for Windows XP SP2 and later. Determines whether launching dangerous files (file types known to be used by viruses and other malicious code) is permitted from the URL security zone. |
| URLACTION_SHELL_EXECUTE_LOWRISK 0x00001808 | Internet Explorer 6 for Windows XP SP2 and later. Determines whether launching typically safe files (data only) is permitted from the URL security zone. |
| URLACTION_SHELL_EXECUTE_MODRISK 0x00001807 | Internet Explorer 6 for Windows XP SP2 and later. Determines whether launching ambiguous files (file types that could be used by viruses or other malicious code) is permitted from the URL security zone. |
| URLACTION_SHELL_EXTENSIONSECURITY 0x0000180C | Internet Explorer 7. Determines whether extensions to the shell are allowed to load. Blocked extensions are never loaded. Approved shell extensions are not affected by this action. |
| URLACTION_SHELL_FILE_DOWNLOAD 0x00001803 | Determines whether file downloads are permitted from the URL security zone of the HTML page with the link that is causing the download. |
| URLACTION_SHELL_INSTALL_DTITEMS 0x00001800 | Determines whether desktop items can be installed. |
| URLACTION_SHELL_MAX 0x000019ff | Maximum value for a URL action Shell flag. |
| URLACTION_SHELL_MIN 0x00001800 | Minimum value for a URL action Shell flag. |
| URLACTION_SHELL_MOVE_OR_COPY 0x00001802 | Determines whether Move or Copy operations are allowed. |
| URLACTION_SHELL_POPUPMGR 0x00001809 | Internet Explorer 6 for Windows XP SP2 and later. Determines whether to apply pop-up window management to Internet Explorer. |
| URLACTION_SHELL_PREVIEW 0x0000180F | Windows 7. Determines whether a URL can be rendered as a preview for a federated search query in Windows Explorer. |
| URLACTION_SHELL_REMOTEQUERY 0x0000180E | Windows 7. Determines whether a URL can be used as a federated search query source in Windows Explorer. If denied, the remote server cannot be searched. |
| URLACTION_SHELL_RTF_OBJECTS_LOAD 0x0000180A | Internet Explorer 6 for Windows XP SP2 and later. Determines whether OLE objects are allowed to load in WordPad. |
| URLACTION_SHELL_SECURE_DRAGSOURCE 0x0000180D | Internet Explorer 7 and later. Determines whether files can be moved or copied to and from the specified location. |
| URLACTION_SHELL_SHELLEXECUTE 0x00001806 | Internet Explorer 6 for Windows XP SP2 and later. See URLACTION_SHELL_EXECUTE_HIGHRISK. |
| URLACTION_SHELL_VERB 0x00001804 | Determines whether launching of applications and files is permitted from the URL security zone. |
| URLACTION_SHELL_WEBVIEW_VERB 0x00001805 | Determines whether executable files and HTML pages can be launched from WebView. There is no user interface that affects this URL action. |
| URLACTION_WINDOWS_BROWSER_APPLICATIONS 0x00002400 | Internet Explorer 7. Determines whether to launch .NET Framework 3.0 browser applications, which are built on the .NET Framework 3.0 platform. |
| URLACTION_WINFX_SETUP 0x00002600 | Internet Explorer 7. Determines whether .NET Framework 3.0 Runtime Components Setup is allowed. |
| URLACTION_XPS_DOCUMENTS 0x00002401 | Internet Explorer 7. Determines whether to allow XPS Documents, which are files that are designed to provide users with a consistent document appearance regardless of where and how the document is viewed or printed. |
Remarks
The .NET Framework 3.5 installs an additional value that is not yet included in the standard list of URL Action Flags. The URLACTION value is equal to 0x00002007, and maps to "Permissions for .NET Framework-reliant components with manifests" in the Security Settings for the selected zone. This setting allows you to add a ClickOnce-style manifest to a control in the browser. It does not apply to ClickOnce applications.
The following two policy values are supported by components with manifests:
- High Safety (0x00010000) - manifested controls can run with the permissions it requests, but only if those permissions are a subset of the permissions it would have been granted by CAS policy or if the manifests are signed by a trusted publisher.
- Disabled (0x03) - manifested controls may not run at all. This is the default behavior for unrecognized URL Policy Flags.
Requirements
Minimum supported client |
Windows XP |
Minimum supported server |
Windows 2000 Server |
Product |
Internet Explorer 4.0 |