1.1.4.1.6 Ensure 'Local Machine Zone Lockdown Security' is set to 'Enabled'

Information

This setting allows for configuration of policy settings in the zone consistent with a selected security level; for example, Low, Medium Low, Medium, or High.

When Internet Explorer opens a Web page, it places restrictions on what the page can do, based on the page's Internet Explorer security zone. There are several possible security zones, each with different sets of restrictions. The security zone for a page is determined by its location. For example, pages that are located on the Internet will normally be in the more restrictive Internet security zone. They might not be allowed to perform some operations, such as accessing the local hard drive. Pages that are located on your corporate network would normally be in the Intranet security zone, and therefore have fewer restrictions.

The recommended state for this setting is: Enabled: groove.exe, excel.exe, mspub.exe, powerpnt.exe, pptview.exe, visio.exe, winproj.exe, winword.exe, outlook.exe, spDesign.exe, exprwd.exe, msaccess.exe, onent.exe, mse7.exe.

Rationale:

Local Machine zone security applies to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to load malicious HTML code.

Impact:

If you enable this policy setting, the Local Machine zone security applies to all local files and content processed by the specified applications. If you disable or do not configure this policy setting, Local Machine zone security is not applied to local files or content processed by the specified applications.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: check all applications:

Computer Configuration\Administrative Templates\Microsoft Office 2016 (Machine)\Security Settings\IE Security\Local Machine Zone Lockdown Security

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: 4d7662210672cf676b056f1bf566515324df1eb936d2c03cb0a8debef9bdd3cf