Understanding Security Zones

Security zones offer you a convenient and flexible method for managing a secure environment. You can use security zones to enforce your organization's Internet security policies based on the origin of the Web content. Security zones enable you to:

• Group sets of sites together.
• Assign a security level to each zone.

Group Sets of Sites Together

Zone security is a system that enables you to divide online content into four categories, or zones. You can assign specific Web sites to each zone, depending on how much you trust the site's content. The Web content can be anything from an HTML or graphic file to an ActiveX control, Java applet, or executable file.

Important You should configure the Local intranet zone to correspond to the particular network and firewall configuration of your organization. The default settings for the Local intranet zone cannot be guaranteed to match your network configuration, and there is no method for automatically detecting your firewall and configuring the zone based on your specific settings. For more information, see "Setting Up the Local Intranet Zone" later in this chapter.

Internet Explorer includes the following predefined security zones:

• Local intranet zone - The Local intranet zone includes all sites inside an organization's firewall (for computers connected to a local network). The Local intranet zone also contains Web applications that need access to a computer's hard disk.
• Trusted sites zone - The Trusted sites zone can include all Internet sites that you know are trusted. For example, the Trusted sites zone might contain corporate subsidiaries' sites or the site of a trusted business partner.
• Internet zone - The Internet zone includes all sites on the Internet that are not in the Trusted sites or Restricted sites zones.
• Restricted sites zone - The Restricted sites zone can include all sites that you know are trusted.
• My Computer zone - The My Computer zone includes everything on the client computer, which is typically the hard disk and removable media drive contents. This zone excludes cached Java classes in the Temporary Internet Files folder.

  You cannot configure the My Computer zone through the security zone settings in Internet Explorer. However, you can configure My Computer zone settings by using the Microsoft Internet Explorer Administration Kit (IEAK).

Assign a Security Level to Each Zone

A security level assigned to each zone defines the level of browser access to Web content. You can choose to make each zone more or less secure. In this way, security zones can control access to sites based on the zone in which the site is located and the level of trust assigned to that zone. Also, you can choose a custom level of security, which enables you to configure settings for ActiveX controls, downloading and installation, scripting, cookie management, password authentication, cross-frame security, and Java capabilities. A custom level of security also enables you to assign administrator-approved control, which runs only those ActiveX controls and plug-ins that you have approved for your users.

Zone Architecture

When Internet Explorer opens an HTML page, a dynamic-link library named Urlmon.dll determines the zone from which the page was loaded. To do this, Urlmon.dll performs these two steps:

1. Determines whether a proxy server retrieved the HTML page. If it did, Urlmon.dll automatically recognizes that the page originated from the Internet.
2. Checks the registry to see whether the page is from a trusted or restricted location, and whether the security zone is set appropriately. If no proxy server is involved, the URL is then parsed to determine the origin of the page.