Warning The symptoms are an expected and intended effect of installing the security updates. This section provides examples for administrators who must re-enable the HTML Help ActiveX control for business-critical programs. The workarounds may make the computer more vulnerable to the threats the security updates address. The safest course is not to use the registry workarounds. If you must use workarounds, set the registry values to be as restrictive as possible.
Important This section, method, or task contains steps that tell you how to modify the registry. Serious problems might occur if you modify the registry incorrectly, so follow these steps carefully. For added protection, back up the registry before you modify it so that you can restore it if a problem occurs. For more information about how to back up and restore the registry, see Microsoft Knowledge Base article 322756, "How to back up and restore the registry in Windows."
The first of the following examples is the most restrictive example. The next examples are successively less restrictive.
Example 1: Use the UrlAllowList entry to enable specific URLs
Warning Include only URLs for sites that you trust.
The .reg file in this example re-enables hosting of the HTML Help ActiveX control in the following remote content:
- Any .chm files that are in the \\productmanuals\helpfiles folder
- A Web application that is located at http://www.wingtiptoys.com/help.
Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"UrlAllowList"="\\\\productmanuals\\helpfiles;http://www.wingtiptoys.com/help/"
You cannot use wildcard characters in the URL string of any site that you add to the UrlAllowList registry entry. For example, you cannot use the following URL string:
"UrlAllowList"="http://*.wingtiptoys.com"
However, you can use the following URL string:
"UrlAllowList"="http://help.wingtiptoys.com"
This string lets the following sites host the HTML Help ActiveX control:
- http://help.wingtiptoys.com/research
- http://help.wingtiptoys.com/sales
Example 2: Use the MaxAllowedZone entry to enable a security zone
Warning The MaxAllowedZone entry enables all sites in a particular zone. Using the UrlAllowList entry may be safer. If you must use the MaxAllowedZone entry, set the value no higher than is required. If you set the MaxAllowedZone value to 3 or higher, you expose systems to attack from the Internet.
Note By default, the value for the MaxAllowedZone entry is set to zero. The following table summarizes, for each value of the MaxAllowedZone entry, whether content in each security zone is allowed to host the HTML Help ActiveX control.

| MaxAllowedZone | Local Machine zone | Local intranet zone | Trusted sites zone | Internet zone | Restricted sites zone |
| --- | --- | --- | --- | --- | --- |
| 0 | Allowed | Blocked | Blocked | Blocked | Blocked |
| 1 | Allowed | Allowed | Blocked | Blocked | Blocked |
| 2 | Allowed | Allowed | Allowed | Blocked | Blocked |
| 3 | Allowed | Allowed | Allowed | Allowed | Blocked |
| 4 | Allowed | Allowed | Allowed | Allowed | Allowed |
Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension. This .reg file lets all content in the Intranet zone host the HTML Help ActiveX control.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"MaxAllowedZone"=dword:00000001
Example 3: Use the UrlAllowList entry and the MaxAllowedZone entry
Warning The MaxAllowedZone entry enables all sites in a particular zone. Using the UrlAllowList entry may be safer. If you must use the MaxAllowedZone entry, set the value no higher than is required. If you set the MaxAllowedZone value to 3 or higher, you expose systems to attack from the Internet.
Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension. The following .reg file lets all content in the Intranet zone host the HTML Help ActiveX control. This .reg file also lets two Internet sites host the control.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"MaxAllowedZone"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"UrlAllowList"="http://www.wingtiptoys.com/;http://www.contoso.com/"
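
A pre-deployment check for .reg files like the ones in Examples 1 to 3, as an added example that is not part of the original article or Microsoft's code: it parses REGEDIT4 text, maps MaxAllowedZone to the zones listed in the table above, and flags values of 3 or higher and wildcard UrlAllowList entries. The names `parse_reg`, `audit` and `SAMPLE` are hypothetical, and the sample file is constructed to be deliberately over-permissive.

```python
import re

# Zone order follows the MaxAllowedZone table on this page (index = zone number).
ZONES = ["Local Machine", "Local intranet", "Trusted sites", "Internet", "Restricted sites"]
HH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions".lower()

# Constructed sample: a deliberately over-permissive file to lint.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"MaxAllowedZone"=dword:00000003
"UrlAllowList"="\\\\productmanuals\\helpfiles;http://*.wingtiptoys.com"
'''

def parse_reg(text):
    """Parse REGEDIT4 text into {key_lower: {name_lower: str | int}}; repeated keys merge."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.group(1).lower(), m.group(2)
            if raw.lower().startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                # .reg string values escape backslash and quote with a backslash.
                current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return keys

def audit(text):
    """Return (allowed_zones, url_entries, findings) for the HHRestrictions key."""
    values = parse_reg(text).get(HH_KEY, {})
    zone = values.get("maxallowedzone", 0)  # the page gives zero as the default
    urls = [u for u in str(values.get("urlallowlist", "")).split(";") if u]
    findings = []
    if isinstance(zone, int) and 0 <= zone <= 4:
        allowed = ZONES[: zone + 1]
    else:
        allowed = None  # value is not covered by the page's table
        findings.append(f"MaxAllowedZone={zone!r} is outside the documented range 0-4")
    if allowed and "Internet" in allowed:
        findings.append(f"MaxAllowedZone={zone}: Internet zone content can host the control")
    elif allowed and len(allowed) > 1:
        findings.append(f"MaxAllowedZone={zone}: whole zones enabled; UrlAllowList may be safer")
    for u in urls:
        if "*" in u:
            findings.append(f"wildcard is not supported in UrlAllowList: {u}")
    return allowed, urls, findings
```

Calling `audit(SAMPLE)` reports both the Internet-zone exposure and the wildcard entry; an empty findings list means only the Local Machine zone and explicitly listed locations are enabled.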
Deploying the registry keys across a domain
We recommend that you use Group Policy to deploy the settings that are mentioned in the examples in this article as startup scripts. You can also deploy these settings as logon scripts. However, this method is less desirable because of permissions constraints.
The following steps are an example of how to deploy the settings in Example 1 as a Group Policy startup script.
1. Paste the following text into a text editor such as Notepad:
   REGEDIT4
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
   "UrlAllowList"="http://myintranetapplication/help/helpfiles;http://www.wingtiptoys.com/help/helpdocuments"
2. Save the file as a .reg file. Name the file AllowTrustedSites.reg.
3. Paste the following text into a text editor such as Notepad:
   REGEDIT.EXE /S AllowTrustedSites.reg
4. Save the file as a batch file. Name the file AllowTrustedSites.bat.
5. Import the batch file into the Group Policy object (GPO). To do this, follow these steps:
   - Paste the batch file that you created in step 4 and the .reg file that you created in step 2 to the \\DomainName\SysVol\DomainName\Policies\GUID of the selected GPO\Machine\Scripts\Startup folder.
   - On the computer on which you want to run the Group Policy object, click Start, click Run, type dsa.msc, and then click OK.
   - Right-click your domain, and then click Properties.
   - Click Group Policy, and then click New.
   - Type the name that you want to use for this policy, and then press ENTER.
   - Click Edit.
   - Expand Computer Configuration, expand Windows Settings, and then click Scripts (Startup/Shutdown).
   - In the right panel, double-click Startup, and then click Add.
   - Locate and then click the batch file that you created in step 4.
   - Click Add.
   - Click OK, click Yes, and then click OK two times.