Registry Zone Map question

Durth

Hello, I have a user on a network that is being accused of surfing porn on
the organization's computer. He cleared out all of his logs and histories. I
found almost 200 porn sites in his registry under HKeyCurrentUser...ZoneMap.
Am I mistaken in assuming that someone (with his login/password) has visited
these sites? Is there another possibility? Thank you in advance. BTW, he is
that someone put those entries in to get him busted. How I found out about
this was by checking event logs and finding MANY viruses being reported by
Symantec. Thank you in advance.

Aaron
 
Wesley Vogel

You may very well be mistaken.

If you mean here >>

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

If they have a Value Data of 4 they are in the Restricted Sites Zone.

Example >>
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\008i.com
Value Name: *
Value Type: REG_DWORD
Value Data: 4

It's the list of Restricted sites from >>
IE | Tools | Internet Options | Security tab | Restricted Sites |
Sites button | Web sites

Description of Internet Explorer security zones registry entries
http://support.microsoft.com/default.aspx?scid=kb;en-us;182569
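
Added example, not part of the original thread or any poster's code: a Python script that parses a `.reg` export of the ZoneMap key and groups hosts by security zone, so Restricted Sites assignments (value 4) can be separated from everything else. The sample export, the `.example` hosts and the function names are constructed for illustration; only `008i.com` comes from the reply above.

```python
import re
from collections import defaultdict

# Zone numbers as documented in Microsoft KB 182569 (linked in the reply above).
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

KEY_RE = re.compile(r"^\[.*\\ZoneMap\\Domains\\(.+)\]$", re.IGNORECASE)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in .reg export format; only 008i.com comes from the thread.
# A real regedit export is UTF-16: open(path, encoding="utf-16").read()
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\008i.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-ads.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example\www]
"http"=dword:00000001
"""

def parse_zonemap(reg_text):
    """Return (host, scheme, zone) for each value under ZoneMap\\Domains."""
    entries, host = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # Domains\example.com\www is the host www.example.com
            host = ".".join(reversed(key.group(1).split("\\")))
        elif line.startswith("["):
            host = None  # a key outside Domains\<site>: skip its values
        else:
            val = VAL_RE.match(line)
            if host and val:
                entries.append((host, val.group(1), int(val.group(2), 16)))
    return entries

def summarize(entries):
    """Group hosts by zone name; zone 4 is the Restricted Sites list."""
    by_zone = defaultdict(list)
    for host, _scheme, zone in entries:
        by_zone[ZONES.get(zone, f"Unknown ({zone})")].append(host)
    return dict(by_zone)

if __name__ == "__main__":
    for zone, hosts in summarize(parse_zonemap(SAMPLE)).items():
        print(f"{zone}: {len(hosts)} host(s), e.g. {hosts[0]}")
```

A ZoneMap entry records a zone assignment for a host, not a visit, so the output describes configuration only.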
 
Durth

Thank you very much. I am a little confused still. So what proves that these
sites were visited?

Aaron
 
Wesley Vogel

Durth,

Those sites may be included in the registry by SpywareBlaster or Spybot S&D.
The only things that *may* prove that sites were visited are History and
Index.dat.

C:\Documents and Settings\User Name\Local Settings\History

Or if the fellow was not clever enough:
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5

Content.IE5 is a Hidden Folder.
 
Durth

O.K. Thank you very much. This was very helpful. My other
problem is that he uses Kazaa (against the rules) and I
also have one other computer that he has access to that I
know the stuff was downloaded on by Kazaa (Symantec
files). I will check it out some more.

Aaron
 
Durth

Well, I screwed the pooch on this one. The latest version
of Spybot S&D does insert at least most of these into the
registry. Thank you for your help. Now I gotta find a way
to see who did download this crap from Kazaa. I think my
night just got longer or that I will have to disappoint
the bosses. Thank you again. You were a great help.

Aaron
 
Durth

Update. I found out that one of them brought in an unprotected computer
and connected it to the network. It got infected with netsky.p@mm and the
files that I found in my Symantec history were from that computer trying to
infect the server via a mapped drive. Now I have that user blaming me for
leaving a "gaping security hole" and them not wanting to pay me for my time.
I think that I am going to just become a forest ranger.

Aaron
 
