WinXPSP2 IE 7 Security Zones - security concern

v2win

I recently noticed that in my Trusted Sites zone, there is an entry,
"HTTP://", with no further domain identifier. I did not make this entry and
when I attempt to remove it, I get a system error beep and the entry is then
greyed out.

I checked a number of other WinXPSP2 machines in my network, all subject to
the same GPOs, and none of them have this entry. (NOTE: The subject machine is
a dual-boot with Vista Ultimate; the problem is absent from that instance of
IE 7 and from another instance of XPSP2 I have running under VPC 2004 SP1,
all on the same machine).

As a test, I uninstalled IE 7. When the machine was rolled back to IE 6,
the entry was still there but I could delete it - or so it appeared. Upon
reopening IE after the apparent delete, the HTTP:// entry had reappeared.

Is this some kind of security attack? (possibly trying to wildcard all
websites as though they were trusted?).

Because the roll back to IE 6 did not solve the problem, I reinstalled IE 7
and the entry persists, with the same behaviour as before.

I ran a full system AV scan with up-to-the-minute AVG and no threats were
found.

Nevertheless, how can I remedy this problem?
--
V2
 
Arkadiusz 'Black Fox' Artyszuk

v2win wrote:

> I recently noticed that in my Trusted Sites zone, there is an entry,
> "HTTP://", with no further domain identifier. I did not make this entry and
> when I attempt to remove it, I get a system error beep and the entry is then
> greyed out. /.../
> Because the roll back to IE 6 did not solve the problem, I reinstalled IE 7
> and the entry persists, with the same behaviour as before.
> I ran a full system AV scan with up-to-the-minute AVG and no threats were
> found.
> Nevertheless, how can I remedy this problem?


Have you tried to remove that entry directly in registry? Look for it in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\

--
Regards
Arkadiusz 'Black Fox' Artyszuk
 
v2win

Yes, with no success.
--
V2


"Arkadiusz 'Black Fox' Artyszuk" wrote:

> v2win wrote:
>
> > I recently noticed that in my Trusted Sites zone, there is an entry,
> > "HTTP://", with no further domain identifier. I did not make this entry and
> > when I attempt to remove it, I get a system error beep and the entry is then
> > greyed out. /.../
> > Because the roll back to IE 6 did not solve the problem, I reinstalled IE 7
> > and the entry persists, with the same behaviour as before.
> > I ran a full system AV scan with up-to-the-minute AVG and no threats were
> > found.
> > Nevertheless, how can I remedy this problem?
>
> Have you tried to remove that entry directly in registry? Look for it in
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
>
> --
> Regards
> Arkadiusz 'Black Fox' Artyszuk
>
 
Arkadiusz 'Black Fox' Artyszuk

v2win wrote:

> Yes, with no success.


Seems a little strange. You have not found any such entry in the "ZoneMap"
subkey? Maybe it's an effect of some browser extension? Have you tried
to disable IE add-ons? Doing a system scan using malware detection tools is
also recommended. Antivirus scanners may not be able to detect some
malware. Use Spyware Doctor, Spybot Search&Destroy, AdAware, Windows
Defender, Spyware Blaster or another tool of this kind.
Talking about security risk, IMO that kind of wildcard is not correct and
should not be processed by the browser. Internet Explorer does not allow
entering such a string because it doesn't contain any domain name.

--
Regards
Arkadiusz 'Black Fox' Artyszuk
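
An added example, not part of the original posts: a PowerShell check that lists every ZoneMap registry value assigning the Trusted Sites zone (zone 2) under the per-user, per-machine and policy hives, so a mapping that the IE dialog will not remove can be traced to the key that holds it. The function name `Get-TrustedZoneMapping` is hypothetical, and the HKLM and Policies paths and the `ProtocolDefaults` subkey are standard IE registry locations assumed here rather than details given in the thread.

```powershell
# Added example (not from the thread): report ZoneMap values that map to Trusted Sites.
# IE zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted.
$TrustedZone = 2
$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    # Policy-delivered mappings (GPO) live under the Policies branch.
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
)

function Get-TrustedZoneMapping {
    param([string[]]$Roots = $ZoneMapRoots)

    foreach ($root in $Roots) {
        # Domains/Ranges hold per-site mappings; ProtocolDefaults holds the
        # default zone per protocol (http, https, ftp, ...).
        foreach ($sub in 'Domains', 'Ranges', 'ProtocolDefaults') {
            $path = Join-Path $root $sub
            if (-not (Test-Path $path)) { continue }

            # Include the container key itself so values written directly
            # under it (with no domain subkey) are reported too.
            $keys = @(Get-Item $path) +
                    @(Get-ChildItem $path -Recurse -ErrorAction SilentlyContinue)

            foreach ($key in $keys) {
                foreach ($name in $key.GetValueNames()) {
                    $data = $key.GetValue($name)
                    # Zone assignments are DWORDs; skip strings such as ":Range".
                    if ($data -is [int] -and $data -eq $TrustedZone) {
                        New-Object PSObject -Property @{
                            Key      = $key.Name              # full registry path
                            Protocol = $name                  # e.g. http, https, *
                            Range    = $key.GetValue(':Range') # set only under Ranges
                        }
                    }
                }
            }
        }
    }
}

Get-TrustedZoneMapping | Format-List Key, Protocol, Range
```

A hit under a Policies path points at Group Policy as the source, while a hit under `ProtocolDefaults` means a whole protocol, not a single site, is being placed in the zone.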
 
Brian Komar

Are you in a domain environment? This could be an IE security zone passed
down through GPO.
You can run rsop.msc to see the resultant policy set
brian

"v2win" <v2win@discussions.microsoft.com> wrote in message
news:967ABBD8-AACD-4D9F-9A78-AC318EBD1E9D@microsoft.com...
> Yes, with no success.
> --
> V2
>
>
> "Arkadiusz 'Black Fox' Artyszuk" wrote:
>
>> v2win wrote:
>>
>> > I recently noticed that in my Trusted Sites zone, there is an entry,
>> > "HTTP://", with no further domain identifier. I did not make this
>> > entry and
>> > when I attempt to remove it, I get a system error beep and the entry is
>> > then
>> > greyed out. /.../
>> > Because the roll back to IE 6 did not solve the problem, I reinstalled
>> > IE 7
>> > and the entry persists, with the same behaviour as before.
>> > I ran a full system AV scan with up-to-the-minute AVG and no threats
>> > were
>> > found.
>> > Nevertheless, how can I remedy this problem?
>>
>> Have you tried to remove that entry directly in registry? Look for it in
>> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
>> Settings\
>>
>> --
>> Regards
>> Arkadiusz 'Black Fox' Artyszuk
>>
 
v2win

Yes, it is in a domain environment, but so are the other machines I used to
check this one against. Even so, I isolated this machine to a labbing OU and
applied only the Default Domain Policy (as-built settings right after
DCPROMO) and the HTTP:// entry in the Trusted Zones sites list persists.
There is no human-readable entry in the registry; the zones settings are
binary values. I copied the zones settings for the machine and user from a
clean installation of XP on a virtual machine and imported them into the
registry - still no luck.
--
V2


"Brian Komar" wrote:

> Are you in a domain environment? This could be an IE security zone passed
> down through GPO.
> You can run rsop.msc to see the resultant policy set
> brian
>
> "v2win" <v2win@discussions.microsoft.com> wrote in message
> news:967ABBD8-AACD-4D9F-9A78-AC318EBD1E9D@microsoft.com...
> > Yes, with no success.
> > --
> > V2
> >
> >
> > "Arkadiusz 'Black Fox' Artyszuk" wrote:
> >
> >> v2win wrote:
> >>
> >> > I recently noticed that in my Trusted Sites zone, there is an entry,
> >> > "HTTP://", with no further domain identifier. I did not make this
> >> > entry and
> >> > when I attempt to remove it, I get a system error beep and the entry is
> >> > then
> >> > greyed out. /.../
> >> > Because the roll back to IE 6 did not solve the problem, I reinstalled
> >> > IE 7
> >> > and the entry persists, with the same behaviour as before.
> >> > I ran a full system AV scan with up-to-the-minute AVG and no threats
> >> > were
> >> > found.
> >> > Nevertheless, how can I remedy this problem?
> >>
> >> Have you tried to remove that entry directly in registry? Look for it in
> >> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
> >> Settings\
> >>
> >> --
> >> Regards
> >> Arkadiusz 'Black Fox' Artyszuk
> >>
>
 
v2win

I hadn't thought about disabling add-ons; I'll try and report back. As you
pointed out, the "HTTP://" is not an allowed entry for a zone's site list,
yet it is there and can't be deleted. I ran a full AV and Rootkit scan -
nothing detected.
--
V2


"Arkadiusz 'Black Fox' Artyszuk" wrote:

> v2win wrote:
>
> > Yes, with no success.
>
> Seems a little strange. You have not found any such entry in the "ZoneMap"
> subkey? Maybe it's an effect of some browser extension? Have you tried
> to disable IE add-ons? Doing a system scan using malware detection tools is
> also recommended. Antivirus scanners may not be able to detect some
> malware. Use Spyware Doctor, Spybot Search&Destroy, AdAware, Windows
> Defender, Spyware Blaster or another tool of this kind.
> Talking about security risk, IMO that kind of wildcard is not correct and
> should not be processed by the browser. Internet Explorer does not allow
> entering such a string because it doesn't contain any domain name.
>
> --
> Regards
> Arkadiusz 'Black Fox' Artyszuk
>
 