PowerShell – IE zones Protected Mode state

Internet Explorer has a notion of security zones, and security properties are configured separately for every zone. The Internet zone is more restrictive compared to the Intranet, which is a very trusted location.
There is one more setting called “Protected Mode”. You can see it on the screenshot:
[Screenshot: IE1]

It can be enabled or disabled. The recommended state for each of the zones is this:

  • Internet: Enabled
  • Local Intranet: Disabled
  • Trusted Sites: Disabled
  • Restricted Sites: Enabled

IE executes with more restrictive privileges when Protected Mode is Enabled.
If this checkbox is not locked down by Group Policy, there is a great chance that your users have made their own IE security improvements 🙂
So, the question is – can we find out how security zones are currently configured for every user in our environment? And the answer is of course yes 🙂

The configuration is stored in the registry – HKEY_USERS\“SID”\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
[Screenshot: IE2]
“2500” is the value name representing the “Protected Mode” checkbox. 3 means Disabled, 0 – Enabled.
Zones are represented by the numbers:

  • Zone 0 – My Computer
  • Zone 1 – Local Intranet Zone
  • Zone 2 – Trusted sites Zone
  • Zone 3 – Internet Zone
  • Zone 4 – Restricted Sites Zone

Now, if you cannot see the “2500” value in the user's registry hive, it only means that the setting was never changed and the machine default is used. Defaults are kept here: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
[Screenshot: IE3]
Now we know everything needed to make a script that walks through every computer in our domain (the Get-ADComputer line) and collects the above registry values:

cls
# This script collects IE zones "Protected Mode" state
# Information is collected in a comma separated text file - C:\Temp\IE_Zone_Modes.txt

# Resetting the comma separated file
'User,Computer,Zone 0,Zone 1,Zone 2,Zone 3,Zone 4' > C:\Temp\IE_Zone_Modes.txt

# Let's collect all computer names from the specified location and store them in an array
Import-Module ActiveDirectory
# @() keeps the result an array even when only one computer is returned
$PCs = @(Get-ADComputer -SearchBase 'OU=COMPUTERS,dc=DOMAIN,dc=COM' -Filter '*' | Select-Object -ExpandProperty Name)
$PCs
''

'Processing ' + $PCs.Count + ' computers'
''

foreach ($PC in $PCs)
{
    '==============='
    $PC
    #'==============='

    #Test connectivity first
    $Connected = Test-Connection -computer $PC -quiet -count 2

    ''

    if ($Connected)
    {

        # Collecting all users that currently have registry hives loaded
        $reg = Get-WmiObject -List -Namespace root\default -ComputerName $PC | Where-Object {$_.Name -eq "StdRegProv"}
        $HKEY_USERS = 2147483651
        # An empty subkey name enumerates the keys directly under HKEY_USERS
        $Users = $reg.EnumKey($HKEY_USERS,"").sNames
        #$Users

        foreach ($User in $Users)
        {
            #$User.Length

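            # We are only interested in AD users. Their SID length is 44 or 45 symbols
            if (($User.Length -eq 45) -or ($User.Length -eq 44))
            {
                # Open HKEY_USERS on the remote machine (requires the Remote Registry service)
                $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::Users, $PC)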
                $pathV = $User + "\Volatile Environment"
                $regkey = $reg.OpenSubkey($pathV)

                # If a user does not have the registry key, then we are not going to check him
                if ($regkey -ne $null)
                {

                    # Getting User name
                    $Username = $regkey.GetValue("USERNAME")
                    "User:" + $Username

                    # Getting Zones
                    $pathZ = $User + "\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
                    $regkey11 = $reg.OpenSubkey($pathZ)

                    # Reset per user so values from the previous user never leak into this row
                    $Modes = @()

                    # For each zone extract "Protected Mode" state
                    if ($regkey11 -ne $null)
                    {
                        $Zones = $regkey11.GetSubKeyNames()
                        foreach ($Zone in $Zones)
                        {
                            $DPath = $pathZ + '\' + $Zone
                            $regN = $reg.OpenSubkey($DPath)
                            # GetValue returns nothing when "2500" is absent, i.e. the machine default applies
                            'Zone ' + $Zone + ': ' + $regN.GetValue("2500")
                            $Modes += $regN.GetValue("2500")
                        }
                    ''
                    }

                    # Saving the results in a log file
                    '' + $Username + ',' + $PC + ',' + $Modes[0] + ',' + $Modes[1] + ',' + $Modes[2] + ',' + $Modes[3] + ',' + $Modes[4] >> C:\Temp\IE_Zone_Modes.txt
                }
            }
        }
    }
    else
    {
    'Not Connected'
    'N/C,' + $PC >> C:\Temp\IE_Zone_Modes.txt
    }
}
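
The script above only records raw values. As an added example (not part of the original post), the following compares a collected file against the recommended states listed earlier; the function name Get-ZoneDeviation and the sample rows are constructed for illustration.

```powershell
# Value "2500": 0 = Protected Mode enabled, 3 = disabled (as described above).
# Zone 0 (My Computer) has no recommended state in the post, so it is not checked.
$Recommended = @{
    'Zone 1' = 3   # Local Intranet: Disabled
    'Zone 2' = 3   # Trusted Sites: Disabled
    'Zone 3' = 0   # Internet: Enabled
    'Zone 4' = 0   # Restricted Sites: Enabled
}
$StateName = @{ 0 = 'Enabled'; 3 = 'Disabled' }

# Hypothetical helper: emits one object per zone that differs from the recommendation
function Get-ZoneDeviation {
    param([Parameter(Mandatory)] [object[]] $Rows)

    foreach ($Row in $Rows) {
        # Rows written for unreachable machines carry no zone data
        if ($Row.User -eq 'N/C') { continue }

        foreach ($Zone in ($Recommended.Keys | Sort-Object)) {
            $Raw = $Row.$Zone
            # An empty cell means the user hive has no "2500" value, so the
            # HKLM machine default applies and has to be checked separately
            if ([string]::IsNullOrWhiteSpace($Raw)) { continue }

            $Actual = [int]$Raw
            if ($Actual -ne $Recommended[$Zone]) {
                [pscustomobject]@{
                    User = $Row.User; Computer = $Row.Computer; Zone = $Zone
                    Actual = $StateName[$Actual]; Recommended = $StateName[$Recommended[$Zone]]
                }
            }
        }
    }
}

# Constructed sample in the format of C:\Temp\IE_Zone_Modes.txt
$Sample = @'
User,Computer,Zone 0,Zone 1,Zone 2,Zone 3,Zone 4
alice,PC-001,,3,3,0,0
bob,PC-002,,3,3,3,0
N/C,PC-003
carol,PC-004,,,,,
'@ | ConvertFrom-Csv

Get-ZoneDeviation -Rows $Sample | Format-Table -AutoSize
```

To run it against real output, replace the sample with `Import-Csv C:\Temp\IE_Zone_Modes.txt`.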