Issue/Introduction:
This issue can occur when the following prerequisites are met:
- An administrator has configured set the value data of the Registry value Security_HKLM_only to 1. This value is located here: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Please see Microsoft support article 833633 (http://support.microsoft.com/kb/833633) for more information on this Registry value.
- An administrator has enabled the setting "Automatically trust any file downloaded from a trusted Internet or intranet site." within the Download Protection portion of the Virus and Spyware Protection policy for Symantec Endpoint Protection (SEP)
- A user has added a internet or intranet site to Trusted sites within Internet Explorer.
Expected behavior: Websites added by users should not be automatically trusted by Symantec Endpoint Protection 12.1 since the Registry value Security_HKLM_only is set to 1.
Actual behavior: Websites added by users can sometimes be automatically trusted by Symantec Endpoint Protection 12.1, even when Security_HKLM_only is set to 1.
Cause:
Some versions of Internet Explorer save the URL entered by a user into Trusted Sites to both the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\Domains and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\Domains Registry locations.
When Security_HKLM_only is set to 0 or does not exist, SEP will read from both Registry locations respectively to determine which sites should be trusted. When Security_HKLM_only is set to 1, SEP will only read from the first Registry location (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\Domains), however, since Internet Explorer has written the website's URL to this location, SEP will trust it.
Resolution:
This is not a Symantec issue. Please upgrade Internet Explorer to a version which does not exhibit this behavior.