Warning The symptoms are an expected and intended effect of installing the security updates. This section provides workarounds to re-enable features of business-critical programs. The workarounds may make the computer more vulnerable to the threats that the security updates address. The safest course is not to use the registry workarounds. If you must use workarounds, set the registry values to be as restrictive as possible.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see Microsoft Knowledge Base article 322756, How to back up and restore the registry in Windows.
The first of the following examples is the most restrictive example. The next examples are successively less restrictive.
Example 1: How to use UrlAllowList to enable specific URLs
Warning Include only URLs to sites that you trust completely.
The following .reg file re-enables use of the InfoTech protocol to open remote content from the following locations:
- .chm files on \\productmanuals\helpfiles
- A Web application at the following URL:
http://www.wingtiptoys.com/help/
Note You can paste the following text in a text editor such as Notepad. Then, you can save the file that uses the .reg file name extension.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"UrlAllowList"="\\\\productmanuals\\helpfiles;file://\\\\productmanuals\\helpfiles;http://www.wingtiptoys.com/help/"
Note As the example shows, to enable a UNC path to a network shared folder you must add both of the following entries, the plain UNC path and its file:// form:
\\productmanuals\helpfiles\;file://\\productmanuals\helpfiles
In a .reg file every backslash inside a string value must be doubled, which is why the same two entries appear as \\\\productmanuals\\helpfiles and file://\\\\productmanuals\\helpfiles in the .reg text above. The value that is written to the registry contains single backslashes.
You cannot use wildcard characters in the URL string of any site that is added to the UrlAllowList registry key. For example, the following string does not work:
"UrlAllowList"="http://*.wingtiptoys.com"
However, the following string works:
"UrlAllowList"="http://help.wingtiptoys.com"
This string lets the following sites serve content by using the InfoTech protocol:
- http://help.wingtiptoys.com/research
- http://help.wingtiptoys.com/sales
You still cannot access .chm files by using a URL. Although we do not recommend that you do this, you can access the files by following example 2 and setting MaxAllowedZone to 3 or higher. This is because the .chm file is downloaded through the Internet Explorer cache, and every page that is served from the cache is treated as Internet zone content. Therefore, we highly recommend that you use the UNC path to access the Help files as previously described.
Example 2: How to use the MaxAllowedZone value to enable a security zone
Warning The MaxAllowedZone value enables all sites in a specific zone. Using UrlAllowList as described in example 1 may be safer. If you must use the MaxAllowedZone value, set it no higher than you must. If you set the value to 3 or higher, you expose your systems to attack from the Internet.
Note By default, the MaxAllowedZone value is set to zero. The following table summarizes how the MaxAllowedZone value is interpreted for each security zone.

MaxAllowedZone | Local Machine zone | Local intranet zone | Trusted sites zone | Internet zone | Restricted sites zone
--- | --- | --- | --- | --- | ---
0 | Allowed | Blocked | Blocked | Blocked | Blocked
1 | Allowed | Allowed | Blocked | Blocked | Blocked
2 | Allowed | Allowed | Allowed | Blocked | Blocked
3 | Allowed | Allowed | Allowed | Allowed | Blocked
4 | Allowed | Allowed | Allowed | Allowed | Allowed
The following .reg file re-enables use of the InfoTech protocol to connect to all systems in the Intranet zone.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000001
Example 3: How to use both UrlAllowList and the MaxAllowedZone value
Warning The MaxAllowedZone value enables all sites in a specific zone. Using UrlAllowList as described in example 1 may be safer. If you must use the MaxAllowedZone value, set it no higher than you must. If you set the value to 3 or higher, you expose your systems to attack from the Internet.
The following .reg file re-enables use of the InfoTech protocol to connect to all content in the Intranet zone and to two Internet sites.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000001
"UrlAllowList"="http://www.wingtiptoys.com/;http://www.contoso.com/"
Example 4: Use NestedProtocolList to enable nested protocols within a URL
Certain Web applications may use nested protocols within a URL. This feature was removed from HTML Help with security update 840315. After you install this security update, Web applications that use nested protocols within a URL may not work correctly.
For example, the following URL may not work:
ms-its:http://www.proseware.com/helpfiles/help.chm::about.htm
After you install security update 896358, the following .reg file re-enables the HTTP and FTP protocols to be nested in a URL.
Note You can paste the following text in a text editor such as Notepad. Then, you can save the file that uses the .reg file name extension.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"NestedProtocolList"="http:;ftp:"
How to deploy the registry keys across a domain
We recommend that you deploy the settings in the previously mentioned examples as startup scripts by using Group Policy. You can also deploy these settings as logon scripts. However, this method is less desirable because of permission constraints.
The following steps are an example of how to deploy the settings in "Example 1" as a Group Policy startup script.
1. Paste the following text into a text editor such as Notepad.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"UrlAllowList"="\\\\productmanuals\\helpfiles;file://\\\\productmanuals\\helpfiles;http://www.wingtiptoys.com/help/"
2. Save the file as a .reg file named AllowTrustedSites.reg.
3. Copy the following text, and then paste the text into a text editor such as Notepad.
REGEDIT.EXE /S AllowTrustedSites.reg
4. Save the file as a batch file named AllowTrustedSites.bat.
5. Import the batch file into the Group Policy object (GPO). To do this, follow these steps:
   - Copy the batch file that you created in step 4 and the .reg file that you created in step 2 to the \\DomainName\SysVol\DomainName\Policies\GUID of the selected GPO\Machine\Scripts\Startup folder.
   - On the computer where you want to run the Group Policy object, click Start, click Run, type dsa.msc, and then click OK.
   - Right-click your domain, and then click Properties.
   - Click Group Policy, and then click New.
   - Type the name that you want to use for this policy, and then press ENTER.
   - Click Edit.
   - Expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), double-click Startup in the right panel, and then click Add in the Startup Properties dialog box.
   - Locate and then click the AllowTrustedSites.bat file, and then click Add.
   - Click OK, click Yes, click OK, and then click OK again.
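As an added example (not part of the Microsoft article), the following PowerShell audit function checks, on a computer that has received the startup script, whether the ItssRestrictions values from examples 1 to 4 are as restrictive as the article recommends: it flags a MaxAllowedZone of 3 or higher, wildcard entries in UrlAllowList, UNC entries that lack their file:// twin, and nested protocols beyond http: and ftp:. The function name Test-ItssRestrictions is my own.

```powershell
# Added audit function (not from the Microsoft article): reads the
# ItssRestrictions values the article describes and reports any setting
# that is less restrictive than the article recommends.
function Test-ItssRestrictions {
    $path = 'HKLM:\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions'
    $findings = New-Object System.Collections.Generic.List[string]
    if (-not (Test-Path $path)) {
        return @('No ItssRestrictions key present: the security update defaults apply.')
    }
    $props = Get-ItemProperty -Path $path

    # MaxAllowedZone: absent or 0 is the default; 3 or higher opens the Internet zone.
    if ($null -ne $props.MaxAllowedZone) {
        $zone = [int]$props.MaxAllowedZone
        if ($zone -ge 3) { $findings.Add("MaxAllowedZone=$zone allows the Internet zone") }
        elseif ($zone -ge 1) { $findings.Add("MaxAllowedZone=$zone allows zones beyond Local Machine; confirm this is required") }
    }

    # UrlAllowList: ';'-separated, no wildcard support, and every UNC path
    # needs a matching file:// entry or the share is still blocked.
    if ($props.UrlAllowList) {
        $entries = @($props.UrlAllowList -split ';' | Where-Object { $_ -ne '' })
        foreach ($e in $entries) {
            if ($e.Contains('*')) { $findings.Add("UrlAllowList entry '$e' uses a wildcard, which is not supported") }
            if ($e.StartsWith('\\')) {
                $twin = 'file://' + $e.TrimEnd('\')
                if (-not ($entries | Where-Object { $_.TrimEnd('\') -eq $twin })) {
                    $findings.Add("UNC entry '$e' has no matching '$twin' entry")
                }
            }
        }
    }

    # NestedProtocolList: the article re-enables only http: and ftp:.
    if ($props.NestedProtocolList) {
        foreach ($p in ($props.NestedProtocolList -split ';' | Where-Object { $_ -ne '' })) {
            if (@('http:', 'ftp:') -notcontains $p) { $findings.Add("NestedProtocolList allows '$p', beyond http: and ftp:") }
        }
    }
    return $findings
}

# Run the audit and print one line per finding.
$result = @(Test-ItssRestrictions)
if ($result.Count -eq 0) { 'ItssRestrictions matches the recommended restrictive configuration.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell session after the startup script has applied the .reg file; a MaxAllowedZone of 1 or 2 is reported for review rather than as an error because examples 2 and 3 set it deliberately.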