Configuring Internet Explorer for Practical Security and Privacy – Part 2
Understanding the Security Zones
Internet Explorer provides a mechanism to customize security by controlling what different sites can do by putting them into security zones. These zones are grouped into four categories: Restricted Sites, Trusted Sites, Local Intranet, and Internet. By default, all web sites are in the Internet zone but you can move sites you feel safe with to the trusted sites zone or add those sites where you feel not so safe to the Restricted zone.
When a Web page is opened in Internet Explorer, Internet Explorer puts restrictions on what the page can do, based on where that Web page came from: the Internet, a local intranet server, a trusted or a restricted site. For example, pages on the Internet have stricter security restrictions than pages on a users local intranet. Web pages on a users computer are in the Local Machine security zone, where they have the fewest security restrictions.
Whenever you visit those sites you will see an icon in the status bar showing which zone that particular site is in. You can double click the icon to open the security properties dialog and add a site to a zone, by coping and pasting the URL in the appropriate zone.
A handy utility, Internet Explorer 5 Power Tweaks Web Accessories from Microsoft makes adding sites to Trusted or Restricted zone easier by adding two new menu options to the Tools menu. Though it is specified for IE 5, it works fine in IE 6 also. Try it at your own risk!
Trusted sites zone: This zone contains websites you trust, from which you believe that you can download and run software without worrying about damage to your computer or data such as sites maintained by your bank, stockbroker or even Windows update site. By default, only secure sites (those with the https:// prefix) can be added to the Trusted Sites group. To add other sites, clear the checkbox that reads "Require Server Verification (https:) for All Sites in This Zone". The default setting for this zone is "Low", it is recommended that you move the slider to Medium. This sets the security level for all of the sites that you trust to Medium. (If no slider is visible, click the Default Level button and then move the slider up to Medium.)
Restricted sites zone: This zone contains websites you don't trust, from which you are not sure whether you can download or run files without damage to your computer or data. The settings can be left at the default level "High".
Please note that Internet Explorer will not by itself put any site in the above zones. This has to be done by the user manually.
Local Intranet Zone: This zone contains sites from local intranet servers not included in other zones, all network paths and all sites that bypass proxy server. The default level of protection is "Medium-low", which is generally sufficient for this zone.
Internet Zone: By default, this zone contains anything that is not on your computer or an intranet, or assigned to any other zone. Thus, the settings for this zone control most of the sites that you will go to on the Internet. The default level of protection assigned to this zone by Internet Explorer is "Medium". This is generally considered insufficient and often customized to increase the security of the Internet Explorer.
Customizing Internet Zone
Customizing this zone for maximum security may cause many Web sites to work improperly. If you have difficulty using a Web site after you change these settings and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work properly even with the maximum security setting.
Open Internet Explorer. Click "Tools" in the menu and "Options" to enter the "Internet Options" window.
Select the "Security" tab to modify the Internet Explorer security tab settings. Click on "Internet" icon to open the configuration window for Internet zone. Click on "Custom Level" button customize the security level for this zone.
This will bring up a long list of settings, depending on your setup you may not have all of the options shown here. I recommend the following settings. You can view a brief description about each setting at the end of the list.
.NET Framework-reliant components
This setting may not be available unless .NET framework is installed in your system.
Run components not signed with Authenticode
Authenticode is a digital signature system which verifies only that the code has not changed since it was signed and that the certificate was originally issued by the certificate authority. Enabling it gives unknown web site owners or companies permission to run .NET applications. Disable it or set it to prompt if you want to review it case by case.
Run components signed with Authenticode
This setting allows well known web sites to run .NET applications, which means the content may be trusted not to maliciously harm your system.
ActiveX controls and plug-ins
This section deals with ActiveX controls and plug-ins. ActiveX controls can do anything a normal visual basic program can, a control can even erase your hard disk. As a measure of protection Microsoft put in place a signature scheme, which lets a control is verified by a signature authority.
Automatic prompting for ActiveX controls
This setting is available only in Internet Explorer 6 when used with XP SP2. This setting controls the behaviour of the new Information Bar when ActiveX controls are blocked from being downloaded when you visit a web site. The following text appears on the Information Bar:
Your security settings do not allow ActiveX controls to run on this page. This page may not display correctly. Click here for more options…
The " enable " setting turns off the notification by Information Bar and will allow web sites to directly prompt you when downloading ActiveX controls.
Binary and script behaviors
This setting is available only in Internet Explorer 6 when used with XP SP2. This new setting controls script and binary behaviors for HTML rendering by web sites. "Users can only be impacted by applications that do not completely render HTML content with this new setting. These applications will typically alert the user that some active behavior has been blocked from display. For example, when Outlook Express encounters this situation, it informs the user that it has restricted active content in the email."
Download signed ActiveX controls
Download unsigned ActiveX controls
This setting controls how IE deals with signed ActiveX controls. A signed ActiveX control indicates that it is safe, secure and has a digital ID (or certificate) issued by a Certificate Authority, such as VeriSign, Inc. A signed control can be traced back to the software publisher or developer who created it, indicating that the control can be trusted and downloaded onto your computer.
Initialize and script ActiveX controls
This setting controls the behavior of IE as to whether it should block or allow unmarked ActiveX controls (not marked as safe) to interact with scripts.
Run ActiveX controls and plug-ins
This setting controls whether IE should run ActiveX controls and Plug-ins should be run when encountered. If you set this to disable, you won't be able to run any plug- ins, including the likes of flash, shockwave.
Script ActiveX controls marked safe for scripting
This setting controls whether IE should allow an ActiveX control that is marked safe to run on your computer and interact with a script.
This section pertains to setting permissions for downloading files and fonts. File downloads can only be enabled or disabled, there is no option to prompt the user.
Automatic prompting for file downloads
This setting is available only in Internet Explorer 6 when used with XP SP2. This setting controls the behaviour of the new Information Bar when a Website tries to download one or more files that you might not have specifically requested. Internet Explorer blocks the file download but loads the Webpage and intimates the user via the Information Bar by displaying the following message:
To help protect your security, Internet Explorer blocked this site from downloading files to your computer. Click here for options
This allows the user to decide whether the blocked file is needed. The "enable" setting turns off the notification by Information Bar and will allow web sites to directly prompt you when downloading files.
My personal recommendation is to disable the file downloads as default and only enable it whenever you want to download a file.A word of caution, be wary of downloading files from unknown source and never execute files directly, always choose to download the file to your computer, scan it with your on-demand anti-virus application, then execute it.
This Internet Explorer settings determines the level of access given to Java applications. The suggested setting is High safety or custom. Choosing custom allows you to fine tune the java permissions, if you have some expertise on how Java functions.
Access data sources across domains
This setting sets permission for allowing scripts and applets to access databases across multiple domains.
Allow META REFRESH
This setting enables or disables META REFRESH – a mechanism coded in HTML that allows a web page to automatically redirect visitors to another web page on a timer. This could be exploited by a malicious web site owner to impersonate a secure web site among other things. This option is disabled by default in Windows 2003.
Allow scripting of Internet Explorer Webbrowser control
This setting determines whether Websites are allowed to execute scripts that can control the Internet Explorer Webbrowser control.
Allow script-initiated windows without size or position constraints
This setting controls restricts scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other title and status bars.
Allow Web pages to use restricted protocols for active content
This setting Controls whether a resource hosted on a page accessed through a protocol restricted in a particular URL zone can run active content such as script, ActiveX, Java and Binary Behaviors.
Display mixed content
Permission to display both secure and non-secure content in the same page. This setting controls the appearance of the following message when Internet Explorer encounters a Website that contains both secure (https://) and nonsecure (http://) content.
This page contains both secure and nonsecure items.
Do you want to display the nonsecure items?
If the "Display mixed content" setting is set to Enable, you cannot receive the preceding message and nonsecure content can be displayed. If the "Display mixed content" setting is set to Disable, you cannot receive the preceding message and nonsecure content cannot be displayed.
Don't prompt for client certificate selection when no certificates or only one certificate exists
Determines whether users are prompted to select a certificate when no certificate or only one certificate exists. It may be noted here that 'Disable' allows the user to be prompted for the certificate and 'Enable' prevents the user from being prompted for they certificate.
Drag and drop or copy and paste files
This setting controls whether IE should be allowed to drag and drop from Web pages.
Installation of Desktop items
This setting controls whether or not users can download and install active desktop content.
Launching programs and files in an IFRAME
This setting controls whether or not programs and files are launched from IFRAME element in web pages. IFRAME also called floating frames is basically a method to embed other HTML documents within the framework of a regular HTML document structure which might enable a malicious web site to download unauthorized files to your system.
Navigate sub-frames across different domains
This setting helps protect against frame injection vulnerability.
Open files based on content, not file extension
Software Channel permissions
Software distribution channel denotes a method of delivering software to consumers desktops. This setting determines the level of trust placed on Software Update Channels.
Submit non encrypted form data
This setting controls the behavior of IE when non encrypted, i.e., clear text data is posted in web forms.
Use Pop-up Blocker
This setting controls the in-built Pop-up blocker.
User data persistence
User data persistence is a function which allows online forms to save a small file on your system with information about values you have entered in a particular form, thereby allowing you to retrieve a half filled web based form when you revisit. Please note that if this setting is disabled, you cannot save your personalize Windows Update settings. Microsoft Knowledge Base Article – 836914
Web sites in less privileged web content zone can navigate into this zone
This setting determines whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
Active Scripting allows language-independent scripting to be added to application programs. Active scripts are programs written in Java script, or sometimes Microsoft's VBScript and ActiveX. It is the recommendation of many experts to disable active scripting except where absolutely necessary. The reason being that 'Active scripting' is one mechanism through which malware in many forms can enter our system thereby compromising personal information or may be used to launch attacks elsewhere. You need to disable Active scripting for the Internet zone, enable it for the Trusted sites zone, and add sites to the Trusted sites zone as you need access. Frequently Asked Questions About Malicious Web Scripts Redirected by Web Sites Disabling Active Scripting in Internet Explorer.
Allow paste operations via script
This setting controls whether a web site can cut, copy and paste information available in the clipboard without your
Scripting of Java applets
This setting controls whether Web sites can run java applets on your system.
Automatic logon only in Intranet zone
This setting controls how IE responds when a Web server requests authentication.
This concludes the Internet Explorer Security tab settings tutorial.