Change Internet Explorer settings programmatically?

Question

Any idea how do I do the following using C#?

1. Going to Tools -> Internet Options -> Security
2. Select the Security ta

Answer 1

The "cheat" way to do this is to change the value

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609

Where 0-4 are Zone identifiers and the value is 0 to Allow, 1 to Prompt, and 3 to Block. Keep in mind that if your code does this on anyone's machine but your own, you're likely to find your code blocked as malware.

The "proper" way to do this is to use the APIs to create an IInternetZoneManager and call SetZoneActionPolicy to adjust the settings for URLACTION_HTML_MIXED_CONTENT in the zones you want to adjust.

Answer 2

You aren't supposed to do this "programmatically". That's why there isn't an API for it. Only the user can change their security settings, and they do it using the built-in interface that you've already discovered.

The poor IE team has been working overtime trying to tighten up the security of their browser. They're not going to throw in something like this that would nullify all of their efforts in a matter of seconds.
Recall that even once this option is selected, there's a confirmation dialog presented. How do you propose to "click" that programmatically? (Hmm, on second thought, don't tell me. That's probably the next question you'll be asking.)

Give up on trying to do this programmatically, and ask the user to do it themselves. Provide a complete help file or other documentation that explains why you're requesting that they make this change, what features will be unavailable if they do not choose to make this change, and what the possible security risks of making such a change are. And, of course, specific instructions on how the change is made.

Or, better yet, redesign your app so that it doesn't require a system-wide modification of IE's security settings. It's hard to imagine a legitimate case for this. A better solution might be asking the user to add your site to their "trusted sites". Remember that local pages have different security settings than remote pages by default.

Answer 3

Also do not forget Group Policies. Most (if not all) IE settings may also be specified in Group Policies. According to Local group policy setting for IE security page vs Internet options security page the Group Policy settings override user-defined settings. So, on my home PC (works without domain controller) I have a choice to define IE settings either via Local Group Policy Editor or via Internet Options. For example, if I run gpedit.msc to open Local Group Policy Editor, select Computer Configuration\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone change "Display mixed content" setting to "Enabled", then select "Enable" in drop down box, click Apply, then open Security Settings for Internet Zone in IE - I will see that "Display mixed content" changed to Enable and the selection is disabled because it is overriden by Policy. For the entire list of supported policies download WindowsServer2012andWindows8GroupPolicySettings.xlsx from http://www.microsoft.com/en-us/download/details.aspx?id=25250

Now back to the question how to change settings programmatically. EricLaw correctly suggested using SetZoneActionPolicy from IInternetZoneManager. But it is hard to find samples for calling it from C#. I ended up copying http://www.pinvoke.net/default.aspx/Interfaces.IInternetZoneManager into my code and then doing:

//This will disable "Download signed ActiveX" (IE setting # 0x1001) for Internet Zone (zone #3)
IInternetZoneManager izm = Activator.CreateInstance(Type.GetTypeFromCLSID(new Guid("7b8a2d95-0ac9-11d1-896c-00c04Fb6bfc4"))) as IInternetZoneManager;
IntPtr pPolicy = Marshal.AllocHGlobal(4);
Marshal.Copy(new int[] { 3 }, 0, pPolicy, 1);//3 means "Disable"
int result = izm.SetZoneActionPolicy((uint)UrlZone.Internet, (uint)0x1001, pPolicy, 4, (uint)UrlZoneReg.CurrentUserKey);
Marshal.ReleaseComObject(izm);
Marshal.FreeHGlobal(pPolicy);

I also tried changing group policy programmatically. I used library from https://bitbucket.org/MartinEden/local-policy and then:

//This will disable "Download signed ActiveX controls" computer policy for Internet Zone (zone #3)
const string keyPath = @"SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3";
var gpo = new LocalPolicy.ComputerGroupPolicyObject();
using (var machine = gpo.GetRootRegistryKey(LocalPolicy.GroupPolicySection.Machine))
{
    using (var terminalServicesKey = machine.CreateSubKey(keyPath))
    {
        terminalServicesKey.SetValue("1001", 3, Microsoft.Win32.RegistryValueKind.DWord);
    }
}
gpo.Save();

After successfully testing the code above on Win7 SP1 with IE 11 I decided to go back to the original suggestion from EricLaw: modify HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\*\1001 directly because this is what Microsoft is recommending. See, for example How to strengthen the security settings for the Local Machine zone in Internet Explorer or Enhanced Browsing Security

Answer 4

I am not sure but I think you can find all these settings in "registry". You need to find out the appropriate key. And to change those values you need to have proper rights. Registry can be accessed from .net code