How to Determine the Security Zone with the GetSecZone Utility

Sunday, December 9, 2018 Solutions
Here’s another great utility from our friend Jacques Bensimon.

Over the years, the security zone to which the current page belongs has disappeared from the Internet Explorer status bar, as has the current folder's security zone from the Windows/File Explorer status bar.  With IE, it's a mere inconvenience, as the security zone can still be determined from the page's Properties dialog, but no such information is available for the current folder in Windows Explorer, nor can a folder's security zone be determined using any built-in Windows tool (okay, that I'm aware of – I don't need grief from the PowerShell crowd!)
Why does this matter?  For one thing, by default, Windows still considers any network location containing dots in its server specification (for example an IP address or a fully qualified DNS name, such as a DFS share) as belonging to the Internet security zone, which depending on the applicable security settings in a given situation may either block or issue a warning when any user attempts to open a document or launch an executable or script from such a location.   Note that in many cases the reason for the block or warning may not be obvious even to a knowledgeable user because a drive letter (that happens to have been mapped to, say, a DFS share) is being accessed.  Other reasons to care about an item’s security zone include the possibility that the location may have been miscategorized via some central policy (as for example Trusted rather than Intranet), or in the case of a single file that it may bear a “Mark-of-the-Web” (MOTW), for example the NTFS Alternate Data Stream named Zone.Identifier attached to files downloaded from sites in the Internet or Restricted zones.
This is where the new IPM command line utility GetSecZone comes in:  it reports the security zone associated with any URL or fully specified file system object, both displayed by name and number and as a return code (%ErrorLevel%) for scripting purposes.  The following screenshot shows some examples:
  • *** Yup, custom security zones are a thing!
  • The GetSecZone ZIP download contains both 32-bit and 64-bit versions of the utility.  The only practical difference between the two is that the 64-bit version can access the contents of %SystemRoot%\System32 without having to resort to the “SysNative” trick.
  • The reason for the need to fully specify file system objects on the command line is to avoid having to instead use a file:// protocol specification (which does by the way also work).
  • I may get around to wrapping GetSecZone into a GUI utility for use with SendTo, but a quick and (very) dirty way to use it now is via a SendTo shortcut with target  %ComSpec% /K path\GetSecZone.exe.
  • There don’t appear to be any C-style Zone-related API functions in Win32, so I had to wade into C++ COM-based functions for this one – may the Lord help us all! ;-)

Follow JB on Twitter @JacqBens

Next Post »