Guest
All,
I am still working out Policies to allow McAfee VirusScan Professional 8 to
run with my desired XP Professional computer's settings for the Internet and
Local Intranet Security Zone settings.
McAfee uses an embedded Internet Explorer control to support their web
interface and their primary McAfee Security Center screen uses Microsoft's
Vector Markup Language (VML) binary behavior and will come up just fine with
my current Local Intranet Security Zone settings, if I "Enable" that zone's
"Binary and script behaviors" policy option. However, I would like to set
this option to its "Administrator approved" setting.
Need and Desired Security Architecture: You see I set my Internet Security
zone to high and then place those sites I want to trust to run JavaScript and
signed ActiveX controls in my Local Intranet security zone. This means I may
have many third party sites added that require this to view PDFs and just to
show scripted web pages. However, I do not want them to use all Binary
Behaviors, rather just Trusted Sites security zone web sites will have this
privilege. My XP Professional computer is standalone and not part of any
Windows Active Directory domain. I currently use a combination of registry
settings set by a script and no special machine specific local policies to
secure my computer.
I have used Regmon to verify the following successful reading of the
registry entry that should enable any security zone set to "Admin approved"
to operate successfully:
---
10.44895678 mghtml.exe:3536 EnumerateValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedBehaviors\#default#VML SUCCESS 0x1
----
Unfortunately, the McAfee Security Center screen comes up blank after just
displaying its heading when its "Binary and script behaviors" policy option
is set to "Administrator approved" and the above registry value set to 0x1 as
proved by the above RegMon output.
The article excerpt I used to know what to do was:
----
If you are a desktop administrator you can decide which Binary Behaviors to
allow in the Locked-down Local Machine Zone. To enable a behavior in the
Locked-down Local Machine Zone, you can add it to the list of
administrator-approved behaviors as follows, replacing the namespace and
behavior variables as appropriate to your environment:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedBehaviors
#%Namespace%#%Behavior%=dword:00000001
Behaviors that are defined in this list will also be used for any other zone
where the Binary Behavior restriction setting is configured to
"Admin-Allowed" (65536).
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx#EOAA
----
What am I forgetting to do?
Please note again that if I set the "Binary and script behaviors" policy
option to "Enable" the McAfee Security Center screen renders successfully
with no problems. So I know this is the only option preventing the proper
rendering of the screen.
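
An added example, not part of the original post and not Microsoft's or McAfee's code: a PowerShell audit that reads both halves of the configuration discussed above, the per-zone "Binary and script behaviors" setting and the AllowedBehaviors list from the quoted excerpt. It assumes the standard Internet Explorer zone layout, which the post does not spell out: zones are stored under `Internet Settings\Zones\0` to `4`, and this setting is the value named `2000`, with 0 meaning Enable, 3 meaning Disable and 65536 meaning Administrator approved.

```powershell
# Added example: read-only audit of the binary-behavior settings.
# Assumed (not stated in the post): zone indexes 0-4 and value name "2000".
$inet = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet'; 4 = 'Restricted Sites' }
$settingNames = @{ 0 = 'Enable'; 3 = 'Disable'; 65536 = 'Administrator approved' }

function Get-BehaviorZoneSetting {
    # One row per zone and hive in which the "2000" value is present.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($zone in 0..4) {
            $props = Get-ItemProperty -Path "$hive\$inet\Zones\$zone" -ErrorAction SilentlyContinue
            if ($null -eq $props -or $null -eq $props.'2000') { continue }
            $raw = [int]$props.'2000'
            $label = $settingNames[$raw]
            if ($null -eq $label) { $label = 'Unrecognized value' }
            [pscustomobject]@{
                Hive    = $hive
                Zone    = $zoneNames[$zone]
                Raw     = $raw
                Setting = $label
            }
        }
    }
}

function Get-AllowedBehavior {
    # Value names follow the excerpt's #%Namespace%#%Behavior% form, e.g. #default#VML.
    $key = Get-Item -Path "HKLM:\$inet\AllowedBehaviors" -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $value = $key.GetValue($name)
        [pscustomobject]@{ Behavior = $name; Value = $value; Approved = ($value -eq 1) }
    }
}

$zones   = @(Get-BehaviorZoneSetting)
$allowed = @(Get-AllowedBehavior | Where-Object { $_.Approved })

$zones | Format-Table -AutoSize
$allowed | Format-Table -AutoSize

# Flag zones that depend on the allow-list when the list is empty.
foreach ($z in $zones | Where-Object { $_.Raw -eq 65536 }) {
    if ($allowed.Count -eq 0) {
        Write-Warning "$($z.Zone) ($($z.Hive)) is 'Administrator approved' but no behaviors are approved."
    }
}
```

The script only reads the registry, so it can be run before and after a settings change to confirm which zone and hive actually carry the value being tested.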