HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
AND
HKEY_Local_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
The values that are located in both keys are additive. If a Web site is added to both keys, only the HKCU sites can be seen in the GUI, but both settings are enforced.
If you only want machine based settings to be enforced, copy and paste the following to a HKLM_Only.reg file and Merge it with the computers registry:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"Security_HKLM_only"=dword:00000001
The sub-keys of the Internet Settings key, for both HKLM and HKCU paths, are:
TemplatePolicies
ZoneMap
Zones
The Zones sub-key contains a sub-key for each zone defined. The defaults are:
| Key | Meaning |
| 0 | My Computer, NOT available in the Zone box of the Security tab. |
| 1 | Local Intranet Zone. |
| 2 | Trusted sites Zone. |
| 3 | Internet Zone. |
| 4 | Restricted Sites Zone |
These sub-keys contain the following Value Names:
| Value Name | Data Type | Meaning |
| Description | REG_SZ | Displayed when you select a Zone in the Zone box of the |
| DisplayName | REG_SZ | Displayed when you select a Zone in the Zone box of the |
| Icon | REG_SZ | The icon that is displayed. |
| CurrentLevel | REG_DWORD | The current Security setting. |
| MinLevel | REG_DWORD | The lowest Security level allowed before a warning is issued. |
| RecommendedLevel | REG_DWORD | The recommended Security level. |
| Flags | REG_DWORD | Controls the users ability to modify the Security settings. |
The data values for the CurrentLevel, MinLevel, and RecommendedLevel Value Names are:
| Data value | Meaning |
| 0x00010000 | Low Security. |
| 0x00011000 | Medium Security. |
| 0x00012000 | High Security. |
The data values for the Flags value Name are additive:
| Data value | Meaning |
| 1 | Allow changes to custom settings. |
| 2 | Allow users to add Web sites to this zone. |
| 4 | Require HTTPS Web sites. |
| 8 | Include Web sites that bypass the proxy server. |
| 16 | Include Web sites not listed in other zones. |
| 32 | Do NOT show security zone in Internet Properties. |
| 64 | Show the Requires Server Verification dialog. |
| 128 | UNCs are treated as Intranet connections. |
NOTE: The My Computer zone does NOT contain the CurrentLevel, MinLevel, and RecommendedLevel Value Names.
The following Value Names are all REG_DWORD data types. Their data values are:
| Data value | Meaning |
| 0 | This action is allowed. |
| 1 | This action will generate a prompt. |
| 3 | This action is prohibited. |
Value Setting Name 1001 Download signed ActiveX controls 1004 Download unsigned ActiveX controls 1200 Run ActiveX controls and plug-ins 1201 Initialize and run ActiveX controls and plug-ins not marked as safe 1400 Active scripting 1402 Scripting of Java programs 1405 Script ActiveX controls marked as safe for scripting 1406 Access data sources across domains 1407 Allow paste operations via script 1601 Submit non-encrypted form data 1604 Font download 1605 Unknown 1606 User Data persistence 1607 Navigate sub-frames across different domains 1800 Installation of desktop items 1802 Drag and drop or copy and paste of files 1803 File Download. No prompt setting as download is either allowed or NOT allowed. 1804 Load applications and files in an IFRAME 1805 Unknown 1806 Launching applications and unsafe files 1A02 Allow cookies that are stored on your computer 1A03 Allow per-session cookies (not stored)The 1A00 Value Name, a REG_DWORD data type, has the following possible data values:
| Decimal Data value | Meaning |
| 0 | Automatically logon with current username and password. |
| 65536 | Prompt for user name and password. |
| 131072 | Automatic logon only in the Intranet zone. |
| 196608 | Anonymous logon. |
The 1C00 Value Name, a REG_DWORD data type, has the following possible JAVA data values:
| Decimal Data value | Meaning |
| 0 | Disable Java. |
| 65536 | High safety. |
| 131072 | Medium safety. |
| 196608 | Low safety. |
| 8388608 | Custom. |
The 1E05 Value Name, a REG_DWORD data type, specifies software channel permissions.
The TemplatePolicies sub-key of the Internet Settings key has the default security zones settings. The Low, Medium, and High sub-keys contains Value Names that represents the Zones default values.
The ZoneMap sub-key of the Internet Settings key has the following sub-keys:
Domains - Contains domains and protocols that have been added. Each added domain is a sub-key of Domains. Sub-domains are sub-keys of the the domain that they belong to. Each domain has a protocol Value Name (ftp, http, https, etc.) whose data value is the numerical value of the security zone (0x00012000 is High Security) to which it is added.
The ProtocolDefaults sub-key of the Internet Settings key defines the default security zone for a given protocol, by adding a Value Name (file, ftp, http, https, etc.), with NO colons (:) or slashes (/). These REG_DWORD data types the following possible data values:
| Key | Meaning |
| 0 | My Computer, NOT available in the Zone box of the Security tab. |
| 1 | Local Intranet Zone. |
| 2 | Trusted sites Zone. |
| 3 | Internet Zone. |
| 4 | Restricted Sites Zone |
The Ranges sub-key of the Internet Settings key contain arbitrary sub-keys that define the ranges of the TCP/IP address. The :Ranges Value Name of these arbitrary sub-keys, a REG_SZ data type, contains the range affected (192.168.0.*). A * Value Name, a REG_DWORD data type, contains the security zone that the range falls within (0x1 is Local Intranet).