diematrix125

Difference between the various zones and the Locked-Down zones, and which one "wins"

Hello!

I am currently struggling with GPOs and noticed that for every zone there is also a matching Locked-Down zone.
What is the difference between the normal zones and the Locked-Down zones?


I would also like to know which zone wins if I allow a setting in the normal zone and deny it in the Locked-Down zone.


Thanks!

Content-Key: 309706

Url: https://administrator.de/contentid/309706

Printed on: 29.03.2024 at 06:03

Member: 129813
Solution 129813 13.07.2016, updated at 15:46:29
Hi.
You mean the Internet Explorer security zones?
This is explained in detail on the following page:
https://blogs.technet.microsoft.com/fdcc/2008/09/19/fdcc-and-internet-ex ...
The “Locked-Down Local Machine Zone” is very different from the other “Locked-Down” zones.

The Lockdown_Zones settings for the Local Machine zone (zone 0) are used by a feature first introduced in Windows XP Service Pack 2 called “Local Machine Zone Lockdown” (LMZL).  By default, when a page is opened in the Local Machine zone, it runs with the more restrictive policies/preferences in the Lockdown_Zones\0 registry keys, rather than the usual Zones\0 settings.  By default, the LMZL settings disable ActiveX and script.  If the content in the page tries to use ActiveX or script, the information bar prompts the user whether to allow them to run.  If the user allows the blocked content, Internet Explorer then uses the less-restrictive, normal Local Machine zone policies/preferences from that point forward for the lifetime of that browser tab (for IE7+) or browser window (IE6).
Here is also a tool for comparing the different settings for the zones:
https://blogs.technet.microsoft.com/fdcc/2009/10/01/viewing-and-comparin ...

Regards
Member: diematrix125
diematrix125 14.07.2016 at 16:24:47
Thank you very much for the link. Yes, it's for the different IE zones.

From my understanding, the "normal" zones are for traffic like http and https and the Locked-Down zones are for other traffic like ftp, mailto etc.
So normally there should not be any conflict in zone settings between normal zone and locked down zone when I set different settings in them.

Correct?
Member: 129813
Solution 129813 14.07.2016 at 16:30:41
So normally there should not be any conflict in zone settings between normal zone and locked down zone when I set different settings in them.
Read the above, especially this:
By default, when a page is opened in the Local Machine zone, it runs with the more restrictive policies/preferences in the Lockdown_Zones\0 registry keys, rather than the usual Zones\0 settings.
When the user then clicks on the yellow banner he gets the settings used in the normal zone ...
Member: diematrix125
diematrix125 14.07.2016 at 16:47:13
Ok.

New try. Maybe I understand it now. ;)

A user is navigating to a URL. This URL has been assigned to the Intranet Zone. In this case the Locked-Down Intranet Zone rules are applied. When the user is then clicking on the yellow banner, the Intranet Zone rules will be applied.
Member: 129813
Solution 129813 14.07.2016 at 17:11:48
Quote from @diematrix125:
A user is navigating to a URL. This URL has been assigned to the Intranet Zone. In this case the Locked-Down Intranet Zone rules are applied. When the user is then clicking on the yellow banner, the Intranet Zone rules will be applied.
Correct.
Member: diematrix125
diematrix125 14.07.2016 at 17:22:14
Perfect!

So in best case I would set the Locked Down Intranet and the normal Intranet Zone to the same settings.

As I currently deny a setting in the Locked Down Zone and allow the same setting in the normal Zone, I had better allow the setting in both zones.
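
The comparison discussed in this thread, as an added example that is not part of the original posts: a PowerShell script that lists every URL action whose value differs between a zone and its Locked-Down counterpart. Only the `Zones\0` and `Lockdown_Zones\0` key names come from the thread; the four hive roots, the zone numbering 0 to 4 and the value meanings (0 allow, 1 prompt, 3 deny) are the standard Internet Settings conventions and are assumed here.

```powershell
# Added example: audit Zones vs. Lockdown_Zones for conflicting URL-action values.
# Assumption: standard Internet Settings hive roots (preference and policy).
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet'; 4 = 'Restricted Sites' }
$meaning = @{ 0 = 'Allow'; 1 = 'Prompt'; 3 = 'Deny' }   # common URL-action values

function Get-ZoneActions([string]$Path) {
    # Returns URL-action name -> DWORD value; empty table if the key is absent.
    $result = @{}
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        foreach ($name in $key.GetValueNames()) {
            # URL actions are named with four hex digits, e.g. 1400 (active scripting).
            if ($name -match '^[0-9A-Fa-f]{4}$' -and $key.GetValueKind($name) -eq 'DWord') {
                $result[$name] = [int]$key.GetValue($name)
            }
        }
    }
    $result
}

function Format-Action($Value) {
    if ($null -eq $Value) { '(not set)' }
    elseif ($meaning.ContainsKey($Value)) { $meaning[$Value] }
    else { "0x{0:X}" -f $Value }
}

$report = foreach ($root in $roots) {
    foreach ($zone in 0..4) {
        $normal = Get-ZoneActions "$root\Zones\$zone"
        $locked = Get-ZoneActions "$root\Lockdown_Zones\$zone"
        foreach ($action in (@($normal.Keys) + @($locked.Keys) | Sort-Object -Unique)) {
            if ($normal[$action] -ne $locked[$action]) {
                [pscustomobject]@{
                    Hive = $root; Zone = $zoneNames[$zone]; Action = $action
                    Normal     = Format-Action $normal[$action]
                    LockedDown = Format-Action $locked[$action]
                }
            }
        }
    }
}
$report | Sort-Object Hive, Zone, Action | Format-Table -AutoSize
```

A row showing `Allow` under Normal and `Deny` under LockedDown is the combination described in the last post; an empty report means both key sets agree in every hive that was found.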