HKLM registry key "//system" for Remote Assistance

[Guest]

Internet Explorer 6 on Windows XP

To take precautions against a potential JavaScript Window() Remote Code
Execution problem, Active Scripting in the Internet Zone was disabled.
However, this broke the ability to invoke Remote Assistance for remote PCs on
Local Intranet.

A workaround was discovered with the creation of a new key "//system" as

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\//system]
"*"=dword:00000001

or in a different hive

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\In
ternet Settings\ZoneMap\Domains

What are the implications of this new registry key, as I failed to find any
info about this key? Norton AV also created a similar "//system" in HKU
subhive but with binary data, e.g. "//" "system"
site:microsoft.public.ineternetexplorer.*

Can this "//system" entry be created for "Zone Assignment List" under the
GPO Administrative Templates of Internet Control Panel ?

Thanks


Hong

 

[Rob Parsons]

Hi Hong.

I am not an XP machine right now so I am only guessing. So here goes

The following is an extract from
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngieps.mspx

The policy settings for controlling URL Actions are available in both the
Computer Configuration and the User Configuration nodes of Group Policy
Object Editor, in Administrative Templates\Windows Components\Internet
Explorer\Internet Control Panel\Security Page. The URL Actions policy
settings are written to the following registry locations, in these sub-keys
under Zones, \0, \1, \2, \3, and \4:

Note: The line has been split into multiple lines for readability.
However, while trying it out on a system you must enter it as one line
without breaks.

. HKEY_LOCAL_MACHINE\ Software\Policies\Microsoft\Windows\
CurrentVersion\Internet Settings\Zones

. HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\
CurrentVersion\Internet Settings\Zones


You should also understand the Security Features control policy settings.
Some of the URL Action settings are not valid unless the corresponding
Security Features control policy is enabled. Internet Explorer checks to see
if the Security Feature is enabled, and if it is and the Security Feature
uses URL actions, it looks for the setting for the action based on the
security zone of the URL. See "Security Features Control," earlier in this
document.

Now I should think that you have to create a new sub-key under Zones as \5
which will correspond to your named Zone '\\System'. If you have a look at
the other zone registry entries you will see that there is a value there
that has the Zone name. Just follow the structure of the other Zone entries.

gpedit.msc should pick up the new zone (so long it is in numerical sequence)
and display it in the control panel.

Internet Explorer 6 on Windows XP

To take precautions against a potential JavaScript Window() Remote Code
Execution problem, Active Scripting in the Internet Zone was disabled.
However, this broke the ability to invoke Remote Assistance for remote PCs on
Local Intranet.

A workaround was discovered with the creation of a new key "//system" as

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\//system]
"*"=dword:00000001

or in a different hive

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\In
ternet Settings\ZoneMap\Domains

What are the implications of this new registry key, as I failed to find any
info about this key? Norton AV also created a similar "//system" in HKU
subhive but with binary data, e.g. "//" "system"
site:microsoft.public.ineternetexplorer.*

Can this "//system" entry be created for "Zone Assignment List" under the
GPO Administrative Templates of Internet Control Panel ?

Thanks


Hong