Manually Removing Certain Registry Key Types

Scott

What are the possible consequences of manually removing the following type
of registry key:

hkey_local_machine \software\microsoft\windows\currentversion\internet
settings\zonemap\domains\ (website)

If my understanding is correct, the values of this key will set the
security/privacy settings of the IE browser for the specified website. For
the case of malware, the malware would create this key and set the security
level to "Trusted" for the website. It would then direct the browser to the
website and run more malicious code from that site.

Using REGEDIT, I looked to see how many keys I had of this type and found a
huge amount. I estimate about 500. None of the websites are those that I
visit regularly, or maybe never visited at all. A lot of them seem to have
foreign domains. I want to get rid of them. It seems like the registry saves
everything.

There is also the potential embarrassment factor. A worst case scenario is
that a computer savvy girlfriend inspects my registry and demands to know why
I have a key from moscowwhores.com. I don't remember ever visiting this site
and it's not really the way I roll.

These keys have two parameters: REG_SZ (value not set) and REG_DWORD =
0x00000004 (4)
Can anyone tell me what these values mean?

What could go wrong if I engage in mass deletion of these types of keys?

Thanks
Scott
Los Angeles
 
Alan Edwards

If you remove them, you won't have any sites there and I suspect they
are Restricted sites as indicated by REG_DWORD = 0x00000004 (4), not
Trusted sites and probably put there by one of your security programs
(Spybot perhaps?)

The key,
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains" is empty by default.

Read here for a bit more information:

Description of IE Security Zones Registry Entries [182569]
http://support.microsoft.com?kbid=182569

or here:
Adding unwanted sites to the Internet Explorer Restricted Zone
http://mvps.org/winhelp2002/restricted.htm

....Alan
 
PA Bear [MS MVP]

You'll totally reset most of your settings in IE Tools | Internet Options |
Security | [zone] | Sites, including sites put in Restricted Sites zone by
your security applications (e.g., Spybot).

If running IE7 and rather than going & messing about in the Registry, use
this option instead: IE Tools | Internet Options | Security | Reset all
zones to default level
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/
> What are the possible consequences of manually removing the following type
> of registry key:
>
> hkey_local_machine \software\microsoft\windows\currentversion\internet
> settings\zonemap\domains\ (website)
> <snip>
 
Alec S.

Scott wrote (in
> What are the possible consequences of manually removing the following type
> of registry key:
>
> hkey_local_machine \software\microsoft\windows\currentversion\internet
> settings\zonemap\domains\ (website)

That key is good, don’t delete it. SpyBot and SpywareBlaster regularly add
things to it to protect you from those bad websites. Of course if you don’t go
to them, then there’s no problem, but even if you don’t go on purpose, you never
know when a rogue hyperlink or script redirect will send you to one. It’s just
like the HOSTS file. SpyBot adds entries to that as well to block bad sites.

As Martha Stewart would say, it’s a good thing.

> If my understanding is correct, the values of this key will set the
> security/privacy settings of the IE browser for the specified website. For
> the case of malware, the malware would create this key and set the security
> level to "Trusted" for the website. It would then direct the browser to the
> website and run more malicious code from that site.

SpyBot and its ilk check to see if any of the keys they know are set to trusted
and set them back to blocked.

> Using REGEDIT, I looked to see how many keys I had of this type and found a
> huge amount. I estimate about 500. None of the websites are those that I
> visit regularly, or maybe never visited at all. A lot of them seem to have
> foreign domains. I want to get rid of them. It seems like the registry saves
> everything.

Yup, some security app added them to protect you. Unfortunately a lot of the bad
sites are indeed foreign (to North America). McAfee recently released a list of
the most dangerous places on the web and foreign domains dominated.

http://www.mcafee.com/us/about/press/corporate/2008/20080604_181010_g.html

> There is also the potential embarrassment factor. A worst case scenario is
> that a computer savvy girlfriend inspects my registry and demands to know why
> I have a key from moscowwhores.com. I don't remember ever visiting this site
> and it's not really the way I roll.

What’s embarrassing about Moscow Whores? :D A computer savvy girlfriend who
inspects your registry would be savvy enough to know about security software,
and would be a heck of a catch. ;)

I just checked moscowwhores.com and was blocked by Spybot; it didn’t even give
the option to allow, only deny was enabled. (I’ve always wondered what the
block-pages-in-IE option of Spybot is, but I’d never seen it in action before.
Now, I finally know what it does. Thanks!)

> These keys have two parameters: REG_SZ (value not set) and REG_DWORD =
> 0x00000004 (4)
> Can anyone tell me what these values mean?

The string is not actually a value, that’s just part of every registry key and
unless it’s specifically set, it means nothing. The * value determines IE’s
security setting for that domain. You can view a list of domains the “safe way”
by going to IE->Tools->Options->Security->Restricted Sites->Sites.

> What could go wrong if I engage in mass deletion of these types of keys?

You won’t be protected. It’s like uninstalling your anti-virus/firewall/etc.;
chances are that nothing will happen, but chances are you will get infected.
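
Added example, not code from any poster in this thread: a Python audit of a regedit export of the ZoneMap\Domains key that counts entries per zone and lists any host mapped to Trusted Sites (zone 2), which is the case the original question worries about. The function names and the `.example` domains are constructed for illustration; the zone numbers are those listed in the KB 182569 article linked above.

```python
import re

# Zone numbers as listed in Microsoft KB 182569, which the thread links to.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
MARKER = "\\zonemap\\domains\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in regedit export format; the domains are placeholders.
BASE = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
        r"\Internet Settings\ZoneMap\Domains")
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{BASE}]", "",
    f"[{BASE}\\blocked-one.example]", '"*"=dword:00000004', "",
    f"[{BASE}\\blocked-two.example\\www]", '"http"=dword:00000004', "",
    f"[{BASE}\\unexpected.example]", '"*"=dword:00000002', "",
])

def parse_zone_map(export_text):
    """Return [(host, protocol, zone_number)] for DWORDs below the Domains key."""
    entries, host = [], None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            pos = path.lower().find(MARKER)
            # Subkeys hold subdomain labels: Domains\example.com\www is www.example.com
            host = (".".join(reversed(path[pos + len(MARKER):].split("\\")))
                    if pos != -1 else None)
            continue
        value = DWORD_RE.match(line)
        if host and value:  # value name is the protocol, "*" meaning all protocols
            entries.append((host, value.group(1), int(value.group(2), 16)))
    return entries

def summarize(entries):
    """Count entries per zone and list hosts mapped to Trusted Sites for review."""
    counts = {}
    for _, _, zone in entries:
        name = ZONES.get(zone, f"unknown ({zone})")
        counts[name] = counts.get(name, 0) + 1
    trusted = sorted({host for host, _, zone in entries if zone == 2})
    return counts, trusted

if __name__ == "__main__":
    counts, trusted = summarize(parse_zone_map(SAMPLE_EXPORT))
    print(counts, "| review these Trusted Sites entries:", trusted)
```

For a real export, read the file with `open(path, encoding="utf-16")`, since regedit writes version 5.00 exports as UTF-16.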
 
Anteaus

These settings only affect IE in any case. Get a better browser would be my
advice, then the issue is academic.
 
Alec S.

Anteaus wrote (in
> These settings only affect IE in any case. Get a better browser would be my
> advice, then the issue is academic.


First of all, “better” is subjective; I have recently stopped using FireFox and
gone back to IE for most things because FireFox was a huge pita and has recently
started locking up when I exit it—not to mention that it becomes slow and
bloated once you start adding extensions to make it useful.

Second, your statement is not really true anyway; the policies affect the IE web
engine which is used in things other than just the IE browser. For example, any
app that uses the CHtmlView class would be subject to these security policies
and any vulnerabilities.

--
Alec S.
news/alec->synetech/cjb/net


 
