Registry Zone Map question

  • Thread starter: Durth

Durth

Hello, I have a user on a network that is being accused of surfing porn on
the organization's computer. He cleared out all of his logs and histories. I
found almost 200 porn sites in his registry under HKeyCurrentUser...ZoneMap.
Am I mistaken in assuming that someone (with his login/password) has visited
these sites? Is there another possibility? Thank you in advance. BTW, he is
that someone put those entries in to get him busted. How I found out about
this was by checking event logs and finding MANY viruses being reported by
Symantec. Thank you in advance.

Aaron
 
You may very well be mistaken.

If you mean here >>

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

If they have a Value Data of 4 they are in the Restricted Sites Zone.

Example >>
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\008i.com
Value Name: *
Value Type: REG_DWORD
Value Data: 4

It's the list of Restricted sites from >>
IE | Tools | Internet Options | Security tab | Restricted Sites |
Sites button | Web sites

Description of Internet Explorer security zones registry entries
http://support.microsoft.com/default.aspx?scid=kb;en-us;182569
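
An added example, not part of any post in this thread: a triage script that reads a regedit text export of the ZoneMap\Domains key and groups hosts by assigned zone, which shows that these entries are zone assignments (value 4 = Restricted Sites) rather than visit records. The sample export is constructed; 008i.com is the entry quoted above, the other hostnames are made up, and the zone names for 0 to 3 come from the linked KB article.

```python
import re
from collections import defaultdict

# Zone numbers as documented in Microsoft KB 182569.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")

# Constructed sample in regedit export (.reg) text form. Only 008i.com comes
# from the thread; the other hostnames are invented for illustration.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{DOMAINS_KEY}\\008i.com]", '"*"=dword:00000004', "",
    f"[{DOMAINS_KEY}\\blocked.example\\www]", '"http"=dword:00000004', "",
    f"[{DOMAINS_KEY}\\partner.example]", '"https"=dword:00000002', "",
    f"[{DOMAINS_KEY}\\empty.example]", "",
])

def parse_zone_map(reg_text):
    """Return {zone_number: [(host, value_name), ...]} for ZoneMap Domains."""
    by_zone = defaultdict(list)
    prefix = (DOMAINS_KEY + "\\").lower()
    host = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            path = key.group(1)
            if path.lower().startswith(prefix):
                # Subdomains are subkeys of the domain (example.com\www),
                # so reverse the key parts to rebuild the hostname.
                parts = path[len(prefix):].split("\\")
                host = ".".join(reversed(parts))
            else:
                host = None  # key outside ZoneMap\Domains, ignore its values
            continue
        # Value name is "*" (all protocols) or a protocol such as "http".
        val = re.fullmatch(r'"([^"]*)"=dword:([0-9a-fA-F]{8})', line)
        if val and host:
            by_zone[int(val.group(2), 16)].append((host, val.group(1)))
    return dict(by_zone)

def summarize(by_zone):
    """Count entries per zone, using the zone name where it is known."""
    return {ZONES.get(z, f"zone {z}"): len(e) for z, e in sorted(by_zone.items())}

if __name__ == "__main__":
    print(summarize(parse_zone_map(SAMPLE_REG)))
```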
 
Thank you very much. I am a little confused still. So what proves that these
sites were visited?

Aaron
 
Durth,

Those sites may be included in the registry by SpywareBlaster or Spybot S&D.
The only things that *may* prove that sites were visited are History and
Index.dat.

C:\Documents and Settings\User Name\Local Settings\History

Or if the fellow was not clever enough:
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5

Content.IE5 is a Hidden Folder.
 
O.K. Thank you very much. This was very helpful. My other
problem is that he uses Kazaa (against the rules) and I
also have one other computer that he has access to that I
know the stuff was downloaded on by Kazaa (Symantec
files). I will check it out some more.

Aaron
 
Well, I screwed the pooch on this one. The latest version
of Spybot S&D does insert at least most of these into the
registry. Thank you for your help. Now I gotta find a way
to see who did download this crap from Kazaa. I think my
night just got longer or that I will have to disappoint
the bosses. Thank you again. You were a great help.

Aaron
 
Update. I found out that one of them brought in an unprotected computer
and connected it to the network. It got infected with netsky.p@mm and the
files that I found in my Symantec history were from that computer trying to
infect the server via a mapped drive. Now I have that user blaming me for
leaving a "gaping security hole" and them not wanting to pay me for my time.
I think that I am going to just become a forest ranger.

Aaron
 
