// ZoneConfig.js
// Configures browser security zone settings.
// Written by Bill Stewart (bstewart AT iname.com)
// Designed to run as a logon script from a GPO; example:
// Script: %SystemRoot%\System32\cscript.exe
// Parameters: \\<domainname>\NETLOGON\ZoneConfig.js
// For details on settings, see:
// https://learn.microsoft.com/en-US/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
//-----------------------------------------------------------------------------
// GLOBAL VALUES AND OBJECTS - DO NOT MODIFY CODE IN THIS SECTION
//-----------------------------------------------------------------------------
// Registry path, relative to the hive root, under which every key written by
// this script lives
var IE_ROOT_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings";

// Hive handle for HKEY_CURRENT_USER (the hDefKey argument of StdRegProv methods)
var HKEY_CURRENT_USER = 0x80000001;

// Bit flags for a zone's "Flags" value; one bit per flag, combine with | and
// clear with & ~
var IE_FLAGS_ALLOW_CHANGES_TO_CUSTOM_SETTINGS = 1 << 0;  // 0x01
var IE_FLAGS_ALLOW_USER_TO_ADD_TO_ZONE = 1 << 1;         // 0x02
var IE_FLAGS_REQUIRE_HTTPS = 1 << 2;                     // 0x04
var IE_FLAGS_INCLUDE_SITES_THAT_BYPASS_PROXY = 1 << 3;   // 0x08
var IE_FLAGS_INCLUDE_SITES_NOT_IN_OTHER_ZONES = 1 << 4;  // 0x10
var IE_FLAGS_HIDE_FROM_INTERNET_PROPERTIES = 1 << 5;     // 0x20
var IE_FLAGS_SHOW_REQUIRE_HTTPS_OPTION = 1 << 6;         // 0x40
var IE_FLAGS_TREAT_UNC_AS_INTRANET = 1 << 7;             // 0x80
var IE_FLAGS_ALL = 255;                                  // 0xFF, all eight bits set

// Data for the "1A00" (user authentication logon) zone setting
var IE_LOGON_AUTOMATIC = 0;                      // 0x00000
var IE_LOGON_PROMPT = 65536;                     // 0x10000
var IE_LOGON_AUTOMATIC_INTRANET_ONLY = 131072;   // 0x20000
var IE_LOGON_ANONYMOUS = 196608;                 // 0x30000

// Zone identifiers; each is the name of a subkey beneath ...\Zones
var IE_ZONE_LOCAL_INTRANET = "1";
var IE_ZONE_TRUSTED_SITES = "2";
var IE_ZONE_INTERNET = "3";
var IE_ZONE_RESTRICTED_SITES = "4";

// WMI registry provider used for every registry call in this script. The
// moniker asks for the "impersonate" level, so calls run in the security
// context of the account that started the script.
var StdRegProv = GetObject("winmgmts:{impersonationlevel=impersonate}!root/default:StdRegProv");
//-----------------------------------------------------------------------------
// END GLOBAL VALUES
//-----------------------------------------------------------------------------
//-----------------------------------------------------------------------------
// FUNCTION DEFINITIONS - DO NOT MODIFY CODE IN THIS SECTION
//-----------------------------------------------------------------------------
// Reports whether a registry subkey exists.
//   defKey     - hive handle (e.g. HKEY_CURRENT_USER)
//   subKeyName - key path relative to the hive
// Returns true when GetStringValue on the key's default value (empty value
// name) reports 0; any other return code, or a thrown error, yields false.
// NOTE(review): a key that exists but cannot be read this way is also reported
// as missing; setRegistryDWORDValue then simply attempts CreateKey on it.
function registrySubkeyExists(defKey, subKeyName) {
  var status;
  try {
    status = StdRegProv.GetStringValue(defKey, subKeyName, "");
  }
  catch ( err ) {
    return false;
  }
  return status == 0;
}
// Creates a registry subkey.
//   defKey     - hive handle (e.g. HKEY_CURRENT_USER)
//   subKeyName - key path relative to the hive
// Returns the CreateKey return code (0 means the key was created), or the
// error number if the WMI call throws.
function createRegistrySubkey(defKey, subKeyName) {
  var status;
  try {
    // CreateKey also creates any missing keys along the path
    status = StdRegProv.CreateKey(defKey, subKeyName);
  }
  catch ( err ) {
    status = err.number;
  }
  return status;
}
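// Removes a registry subkey (and any subkeys within it).
//   defKey     - hive handle (e.g. HKEY_CURRENT_USER)
//   subKeyName - key path relative to the hive
// Returns the return code of the final DeleteKey call (0 means the key was
// deleted), or the error number if a WMI call throws. Callers that ignore the
// result behave exactly as before; callers that check it can now tell when a
// key, such as a zone mapping that was meant to be withdrawn, is still present.
function removeRegistrySubkey(defKey, subKeyName) {
  try {
    // Use alternate WMI method call convention because JScript does not
    // support output parameters
    var wmiMethod = StdRegProv.Methods_("EnumKey");
    var inParameters = wmiMethod.InParameters.SpawnInstance_();
    inParameters.hDefKey = defKey;
    inParameters.sSubKeyName = subKeyName;
    var outParameters = StdRegProv.ExecMethod_(wmiMethod.Name, inParameters);
    if ( (outParameters.ReturnValue == 0) && (outParameters.sNames != null) ) {
      // sNames property is a VBArray object; child keys are removed first so
      // that the key is empty by the time DeleteKey is called on it
      var lastIndex = outParameters.sNames.ubound(1);
      for ( var i = 0; i <= lastIndex; i++ ) {
        removeRegistrySubkey(defKey, subKeyName + "\\" + outParameters.sNames.getItem(i));
      }
    }
    // The outcome of the whole removal is the outcome of deleting this key:
    // if a child could not be removed, this call reports the failure
    return StdRegProv.DeleteKey(defKey, subKeyName);
  }
  catch ( err ) {
    // Same convention as createRegistrySubkey: report the error number
    // instead of discarding it
    return err.number;
  }
}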
// Sets a DWORD value in the registry, creating the subkey first if it doesn't
// exist.
//   defKey     - hive handle (e.g. HKEY_CURRENT_USER)
//   subKeyName - key path relative to the hive
//   valueName  - name of the value to write
//   valueData  - data passed to SetDWORDValue
// Returns 0 on success; otherwise the failing step's return code, or the error
// number if SetDWORDValue throws.
function setRegistryDWORDValue(defKey, subKeyName, valueName, valueData) {
  if ( ! registrySubkeyExists(defKey, subKeyName) ) {
    var createStatus = createRegistrySubkey(defKey, subKeyName);
    if ( createStatus != 0 ) {
      // Key could not be created, so there is nowhere to write the value
      return createStatus;
    }
  }
  try {
    return StdRegProv.SetDWORDValue(defKey, subKeyName, valueName, valueData);
  }
  catch ( err ) {
    return err.number;
  }
}
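// Configures a zone setting:
// HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
//   zone      - zone identifier (one of the IE_ZONE_* values)
//   valueName - setting name, e.g. "1A00" or "Flags"
//   valueData - DWORD data for the setting
// Returns the result of setRegistryDWORDValue (0 on success) so the caller can
// detect a security setting that was not applied; earlier versions discarded it.
// The value is written under HKCU, i.e. as a per-user preference that the user
// (or any process running as the user) can change again later.
function configureZoneSetting(zone, valueName, valueData) {
  return setRegistryDWORDValue(
    HKEY_CURRENT_USER,
    IE_ROOT_KEY + "\\Zones\\" + zone,
    valueName,
    valueData
  );
}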
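// Configures settings that define which sites are included in local intranet zone:
// HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
//   valueName - setting name, e.g. "AutoDetect", "IntranetName",
//               "ProxyBypass" or "UNCAsIntranet"
//   valueData - DWORD data for the setting
// Returns the result of setRegistryDWORDValue (0 on success) so the caller can
// detect a setting that was not applied; earlier versions discarded it.
function configureZoneMapSetting(valueName, valueData) {
  return setRegistryDWORDValue(
    HKEY_CURRENT_USER,
    IE_ROOT_KEY + "\\ZoneMap",
    valueName,
    valueData
  );
}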
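// Configures a zone mapping:
// HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<sitePath>
//   sitePath - "domain" or "domain\\hostname" (becomes the subkey path)
//   protocol - value name to write, e.g. "https", or "*" for all protocols
//   zone     - zone identifier (one of the IE_ZONE_* values), written as the data
// Returns the result of setRegistryDWORDValue (0 on success) so the caller can
// detect a mapping that was not written; earlier versions discarded it.
// A mapping with a wildcard host or the "*" protocol applies the target zone's
// settings to every matching site, including plain http ones, so keep mappings
// as narrow as the environment allows.
function configureZoneMapping(sitePath, protocol, zone) {
  return setRegistryDWORDValue(
    HKEY_CURRENT_USER,
    IE_ROOT_KEY + "\\ZoneMap\\Domains\\" + sitePath,
    protocol,
    zone
  );
}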
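// Removes a zone mapping:
// HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<siteName>
//   siteName - "domain" or "domain\\hostname" of the mapping to remove
// Returns 87 (ERROR_INVALID_PARAMETER) without touching the registry when
// siteName is missing, empty, or only whitespace/backslashes; otherwise
// returns whatever removeRegistrySubkey returns.
function removeZoneMapping(siteName) {
  // An empty name would leave the path ending at ...\ZoneMap\Domains\ and the
  // recursive delete could then remove every zone mapping at once
  // (NOTE(review): depends on how StdRegProv treats the trailing backslash;
  // rejected here either way).
  if ( (siteName == null) || /^[\s\\]*$/.test(String(siteName)) ) {
    return 87;
  }
  var subKeyName = IE_ROOT_KEY + "\\ZoneMap\\Domains\\" + siteName;
  return removeRegistrySubkey(HKEY_CURRENT_USER, subKeyName);
}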
//-----------------------------------------------------------------------------
// END FUNCTION DEFINITIONS
//-----------------------------------------------------------------------------
//-----------------------------------------------------------------------------
// MAIN SCRIPT BODY - ONLY MODIFY CODE BELOW
//-----------------------------------------------------------------------------
//-----------------------------------------------------------------------------
// Configure zone settings:
// HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
//-----------------------------------------------------------------------------
// EXAMPLE: Configure automatic user authentication logon for Local Intranet zone
// configureZoneSetting(
//   IE_ZONE_LOCAL_INTRANET,
//   "1A00",
//   IE_LOGON_AUTOMATIC_INTRANET_ONLY
// );
// EXAMPLE: Configure flags for Local Intranet zone--All settings enabled
// except for requiring https and hiding from properties
// configureZoneSetting(
//   IE_ZONE_LOCAL_INTRANET,
//   "Flags",
//   IE_FLAGS_ALL & (~ IE_FLAGS_REQUIRE_HTTPS) & (~ IE_FLAGS_HIDE_FROM_INTERNET_PROPERTIES)
// );
// EXAMPLE: Configure flags for Trusted Sites zone--Allow changes to custom
// settings, allow user to add to zone, and show "Require https" option
// configureZoneSetting(
//   IE_ZONE_TRUSTED_SITES,
//   "Flags",
//   IE_FLAGS_ALLOW_CHANGES_TO_CUSTOM_SETTINGS | IE_FLAGS_ALLOW_USER_TO_ADD_TO_ZONE | IE_FLAGS_SHOW_REQUIRE_HTTPS_OPTION
// );
//-----------------------------------------------------------------------------
// Configures settings that define which sites are included in local intranet zone:
// HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
//-----------------------------------------------------------------------------
// EXAMPLE: Disable "Automatically detect intranet network"
// configureZoneMapSetting("AutoDetect", 0);
// EXAMPLE: Enable "Include all local (intranet) sites not listed in other zones"
// configureZoneMapSetting("IntranetName", 1);
// EXAMPLE: Enable "Include all sites that bypass the proxy server"
// configureZoneMapSetting("ProxyBypass", 1);
// EXAMPLE: Enable "Include all network paths (UNCs)"
// configureZoneMapSetting("UNCAsIntranet", 1);
//-----------------------------------------------------------------------------
// ADD AND/OR REMOVE ZONE MAPPINGS BELOW
//
// To ADD a zone mapping, use:
//   configureZoneMapping(domain, protocol, zone);
// Where:
//   * domain = domain or server name in quotes; example: "fabrikam.local"
//   * protocol = protocol name in quotes; example: "https" (or "*" for "all")
//   * zone = zone name (no quotes); example: IE_ZONE_TRUSTED_SITES
// To add a zone mapping for a specific hostname in a domain, specify
// domain as "domain\\hostname". Example:
//   configureZoneMapping("fabrikam.local\\test", "https", IE_ZONE_TRUSTED_SITES);
// The above line adds https://test.fabrikam.local/ to Trusted Sites zone.
//
// To REMOVE a zone mapping, use:
//   removeZoneMapping(domain);
//   * domain = domain or server name in quotes; e.g.: "fabrikam.local\\test"
//-----------------------------------------------------------------------------
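// EXAMPLE: Add every host in "fabrikam.local" to the Local Intranet zone for
// all protocols
// NOTE: protocol "*" also covers plain http, and the zone's settings (such as
// automatic logon, if configured above) then apply to every host under the
// domain; prefer "https" and specific hostnames where the environment allows.
// configureZoneMapping("fabrikam.local\\*", "*", IE_ZONE_LOCAL_INTRANET);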