Programmatically add trusted sites to Internet Explorer

13
votes

I'm doing an IE automation project using WatiN.

When a file to be downloaded is clicked, I get the following in the Internet Explorer Information bar:

To help protect your security, Internet Explorer has blocked this site from downloading files to you computer.

In order to download the report, I can manually add the site to Internet Explorer's list of trusted sites, but I would prefer to check programmatically in .NET to see if the site is trusted and add it to the list if it is not.

FYI, I'm currently using IE7.

7
.netinternet-explorerautomationwatintrusted-sites
I don't think that you can... But if you can I'd love to see how!marcgg
I don't think you can either, for security reasons. Having said that, they must be stored somewhere. Knowing Microsoft, in the registry...Powerlord
@R. Bemrose, theres's no security reason to not allow it. If a malicious program has write access to HKCU, this is hardly the worst it could do. If a website could add itself to the trusted sites, now that would be bad.Ben Schwehn

7 Answers

15
votes

Have a look at this

Basically it looks as if all you have to do is create registry key in 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\DOMAINNAME

then a REG_DWORD value named "http" with value==2

10
votes

Here's the implementation that I came up with for writing the registry keys in .NET.

Thanks for setting me in the right direction, Ben.

using System;
using System.Collections.Generic;
using Microsoft.Win32;


namespace ReportManagement
{
    class ReportDownloader
    {
        [STAThread]
        static void Main(string[] args)
        {

            const string domainsKeyLocation = @"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains";
            const string domain = @"newsite.com";
            const int trustedSiteZone = 0x2;

            var subdomains = new Dictionary<string, string>
                                 {
                                     {"www", "https"},
                                     {"www", "http"},
                                     {"blog", "https"},
                                     {"blog", "http"}
                                 };

            RegistryKey currentUserKey = Registry.CurrentUser;

            currentUserKey.GetOrCreateSubKey(domainsKeyLocation, domain, false);

            foreach (var subdomain in subdomains)
            {
                CreateSubdomainKeyAndValue(currentUserKey, domainsKeyLocation, domain, subdomain, trustedSiteZone);
            }

            //automation code
        }

        private static void CreateSubdomainKeyAndValue(RegistryKey currentUserKey, string domainsKeyLocation, 
            string domain, KeyValuePair<string, string> subdomain, int zone)
        {
            RegistryKey subdomainRegistryKey = currentUserKey.GetOrCreateSubKey(
                string.Format(@"{0}\{1}", domainsKeyLocation, domain), 
                subdomain.Key, true);

            object objSubDomainValue = subdomainRegistryKey.GetValue(subdomain.Value);

            if (objSubDomainValue == null || Convert.ToInt32(objSubDomainValue) != zone)
            {
                subdomainRegistryKey.SetValue(subdomain.Value, zone, RegistryValueKind.DWord);
            }
        }
    }

    public static class RegistryKeyExtensionMethods
    {
        public static RegistryKey GetOrCreateSubKey(this RegistryKey registryKey, string parentKeyLocation, 
            string key, bool writable)
        {
            string keyLocation = string.Format(@"{0}\{1}", parentKeyLocation, key);

            RegistryKey foundRegistryKey = registryKey.OpenSubKey(keyLocation, writable);

            return foundRegistryKey ?? registryKey.CreateSubKey(parentKeyLocation, key);
        }

        public static RegistryKey CreateSubKey(this RegistryKey registryKey, string parentKeyLocation, string key)
        {
            RegistryKey parentKey = registryKey.OpenSubKey(parentKeyLocation, true); //must be writable == true
            if (parentKey == null) { throw new NullReferenceException(string.Format("Missing parent key: {0}", parentKeyLocation)); }

            RegistryKey createdKey = parentKey.CreateSubKey(key);
            if (createdKey == null) { throw new Exception(string.Format("Key not created: {0}", key)); }

            return createdKey;
        }
    }
}
6
votes

Glad I came across your postings. The only thing I can add to the excellent contributions already is that a different registry key is used whenever the URI contains an IP address i.e. the address isn't a fully qualified domain name.

In this instance you have to use an alternative approach:

Imagine I wish to add an IP address to the trusted sites: say 10.0.1.13 and I don't care what protocol.

Under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges, I create a key e.g. "Range1" and the inside that create the following values:

A DWORD with name "*" and value 0x2 (for all protocols(*) and trusted site(2)) A string with name ":Range" with value "10.0.1.13"

4
votes

Using powershell it is quite easy.

#Setting IExplorer settings
Write-Verbose "Now configuring IE"
#Add http://website.com as a trusted Site/Domain
#Navigate to the domains folder in the registry
set-location "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
set-location ZoneMap\Domains

#Create a new folder with the website name
new-item website/ -Force
set-location website/
new-itemproperty . -Name * -Value 2 -Type DWORD -Force
new-itemproperty . -Name http -Value 2 -Type DWORD -Force
new-itemproperty . -Name https -Value 2 -Type DWORD -Force
2
votes

In addition to adding the domain to the Trusted Sites list, you may also need to change the setting "Automatically prompt for file downloads" for the Trusted Sites zone. To do so programatically, you modify the key/value:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2@2200

Change the value from 3 (Disable) to 0 (Enable). Here's some C# code to do that:

public void DisableForTrustedSitesZone()
{
    const string ZonesLocation = @"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones";
    const int TrustedSiteZone = 2;

    const string AutoPromptForFileDownloadsValueName = @"2200";
    const int AutoPromptForFileDownloadsValueEnable = 0x00;     // Bypass security bar prompt

    using (RegistryKey currentUserKey = Registry.CurrentUser)
    {
        RegistryKey trustedSiteZoneKey = currentUserKey.OpenSubKey(string.Format(@"{0}\{1:d}", ZonesLocation, TrustedSiteZone), true);
        trustedSiteZoneKey.SetValue(AutoPromptForFileDownloadsValueName, AutoPromptForFileDownloadsValueEnable, RegistryValueKind.DWord);
    }
}
2
votes

Here is the implementation of adding trusted sites programmatically to IE - based on Even Mien's code. It supports domain name and IP address as well. The limitation is no specific protocol could be defined, instead it simply uses "*" for all protocols.

//  Source : http://support.microsoft.com/kb/182569
static class IeTrustedSite
{
    const string DOMAINS_KEY = @"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains";
    const string RANGES_KEY = @"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges";

    const int TRUSTED_SITE_CODE = 0x2;
    const string ALL_PROTOCOL = "*";
    const string RANGE_ADDRESS = ":Range";

    public static void AddSite(string address)
    {
        string[] segmentList = address.Split(new string[] {"."}, StringSplitOptions.None);
        if (segmentList.Length == 4)
            AddIpAddress(segmentList);
        else
            AddDomainName(segmentList);
    }

    static void AddIpAddress(string[] segmentList)
    {
        string ipAddress = segmentList[0] + "." + segmentList[1] + "." + segmentList[2] + "." + segmentList[3];
        RegistryKey rangeKey = GetRangeKey(ipAddress);

        rangeKey.SetValue(ALL_PROTOCOL, TRUSTED_SITE_CODE, RegistryValueKind.DWord);
        rangeKey.SetValue(RANGE_ADDRESS, ipAddress, RegistryValueKind.String);
    }

    static RegistryKey GetRangeKey(string ipAddress)
    {
        RegistryKey currentUserKey = Registry.CurrentUser;
        for (int i = 1; i < int.MaxValue; i++)
        {
            RegistryKey rangeKey = currentUserKey.GetOrCreateSubKey(RANGES_KEY, "Range" + i.ToString());

            object addressValue = rangeKey.GetValue(RANGE_ADDRESS);
            if (addressValue == null)
            {
                return rangeKey;
            }
            else
            {
                if (Convert.ToString(addressValue) == ipAddress)
                    return rangeKey;
            }
        }
        throw new Exception("No range slot can be used.");
    }

    static void AddDomainName(string[] segmentList)
    {
        if (segmentList.Length == 2)
        {
            AddTwoSegmentDomainName(segmentList);
        }
        else if (segmentList.Length == 3)
        {
            AddThreeSegmentDomainName(segmentList);
        }
        else
        {
            throw new Exception("Un-supported server address.");
        }
    }

    static void AddTwoSegmentDomainName(string[] segmentList)
    {
        RegistryKey currentUserKey = Registry.CurrentUser;

        string domain = segmentList[0] + "." + segmentList[1];
        RegistryKey trustedSiteKey = currentUserKey.GetOrCreateSubKey(DOMAINS_KEY, domain);

        SetDomainNameValue(trustedSiteKey);
    }

    static void AddThreeSegmentDomainName(string[] segmentList)
    {
        RegistryKey currentUserKey = Registry.CurrentUser;

        string domain = segmentList[1] + "." + segmentList[2];
        currentUserKey.GetOrCreateSubKey(DOMAINS_KEY, domain);

        string serviceName = segmentList[0];
        RegistryKey trustedSiteKey = currentUserKey.GetOrCreateSubKey(DOMAINS_KEY + @"\" + domain, serviceName);

        SetDomainNameValue(trustedSiteKey);
    }

    static void SetDomainNameValue(RegistryKey subDomainRegistryKey)
    {
        object securityValue = subDomainRegistryKey.GetValue(ALL_PROTOCOL);
        if (securityValue == null || Convert.ToInt32(securityValue) != TRUSTED_SITE_CODE)
        {
            subDomainRegistryKey.SetValue(ALL_PROTOCOL, TRUSTED_SITE_CODE, RegistryValueKind.DWord);
        }
    }
}

static class RegistryKeyExtension
{
    public static RegistryKey GetOrCreateSubKey(this RegistryKey registryKey, string parentString, string subString)
    {
        RegistryKey subKey = registryKey.OpenSubKey(parentString + @"\" + subString, true);
        if (subKey == null)
            subKey = registryKey.CreateSubKey(parentString, subString);

        return subKey;
    }

    public static RegistryKey CreateSubKey(this RegistryKey registryKey, string parentString, string subString)
    {
        RegistryKey parentKey = registryKey.OpenSubKey(parentString, true);
        if (parentKey == null)
            throw new Exception("BUG : parent key " + parentString + " is not exist."); 

        return parentKey.CreateSubKey(subString);
    }
}
-2
votes

If a website could add itself to the trusted sites, now that would be bad.

I don't quite agree- as long as the browser asks the user for permission, the ability of a site to add itself to trusted sites can greatly simplify the user experience, where the user trusts the domain and wants correct page display.

The alternative is the user must manually go into internet options to add the domain, which is, for my users, not viable.

i'm looking for a php or javascript method for the site to add itself, either through some IE api, or through the registry as you've so helpfully explained above!

have found these possible solutions so far:

  • php via shell
  • others i'm not allowed to list here because i don't have enough points