Changing the Security Level of IE 11 via the Registry looks to be implemented, but changes to 0 once IE Internet Options Security tab is opened

Question

This is Windows 7 SP1 After being updated to the most current version

So I've been trying change the security level for trusted sites and it just doesn't want to stick. I modify the current level value to 10000 hexadecimal and when i open up IE11 an go to the internet options and look at trusted sites, it says nothing and when I check the registry the value is reset to zero

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel

I wondered if this was because of the overall settings in Zones\0\CurrentLevel and it said zero so it's not enforcing anything on the other users (I think)?

I've tried reading about how to change the security level but everyone just says change that value and it works but mine just keeps resetting to zero and it has to be changed from within the internet options.

EDIT: So what I have done for testing is, first I go in and change the value using internet options via IE11 to low. Record the values of both the hexadecimal and decimal just for clarity. Go back change it to medium. Close IE11, manually change the value back to low security using regedit the values being Hex 10000, decimal 65536, go into internet options to see if changes work. I see a blank area where the bar normally is and if i refresh regedit i see the value is reset to 0. To note I only change currentLevel no other values, all other values in internetsettings have not been touched other than current level, I've tested this on multiple machines and the samething happens. Also this is always done in zone 2, I can verify it's the trusted sites zone because firstly I see a blank when I look at that section in internet options after doing tests where a value is previously set and secondly in zone 2 the registry value PMDisplayName also says trusted sites.

EDIT2: So it looks like there are 2 ways to do this, Either manually record each value in the zone with the proper security setting, then change all the values in the same zone on another machine to match. Or just do an import export, it's really unfortunate that it has to be done this way as it seems as though you can change settings simply editing the values but apparently not. I also don't believe the settings are enforced if done improperly even if you don't open up the security tab and cause the values to get reset.

I changed it using regedit, also the value only resets when i open up that tab in internet options via IE11. So I'm not sure if the settings are being enforced if i just don't open the tab? — gzimmers, Nov 14 '14 at 23:16
Are you sure there isn't a GPO or something else resetting that value? — Zoredache, Nov 14 '14 at 23:25
Hm I would think that's maybe a possibility but I've been testing it on multiple machines with clean installs of Windows 7 SP1 updated to it's most current version. I go in do nothing other than change that value, open up IE internet options and the reset still occurs so unless it's a default sort of thing I don't think its a GPO. It's odd because I feel like my machines behavior is inconsistent with other peoples so I'm wondering if I'm doing anything wrong......but all I'm doing is changing the value of that one entry.... — gzimmers, Nov 14 '14 at 23:27

030 · Accepted Answer · 2014-11-15T01:05:25.897

0

Changing the CurrentLevel is not sufficient. The Security Level need to be changed in IE and an export of HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 need to be created of every Level, e.g. low, high and medium.

To change the level, close IE, import a certain Security Level file, e.g., medium, start IE and the Security Level of a zone will be changed.

The export:

c:\>reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" "C:\medium.reg"
The operation completed successfully.

and import can be done via CMD as well:

c:\>reg import "C:\security-level-zones\medium.reg"
The operation completed successfully.

validation:

c:\>reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v CurrentLevel

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    CurrentLevel    REG_DWORD    0x11000

edited Nov 15 '14 at 01:05

answered Nov 15 '14 at 00:39

030

5,731
12
61
107

Oh so create an export, then just do an import of that for the entire zone folder and it will properly load that security level? – gzimmers Nov 15 '14 at 00:42
@gzimmers Correct. I did a test and it works. – 030 Nov 15 '14 at 00:42
@gzimmers I did a second test. Changed the level to medium, did an export, changed to high, checked whether the registry contain 12000, closed ie, imported medium key, started ie and the level is medium again – 030 Nov 15 '14 at 00:45

Changing the Security Level of IE 11 via the Registry looks to be implemented, but changes to 0 once IE Internet Options Security tab is opened

1 Answers1