Chapter 7Chapter image

Setting Up Security Zones

You can use security zones to easily provide the appropriate level of security for the various types of Web content that users are likely to encounter. For example, because you can fully trust sites on your company's intranet, you probably want users to be able to run all types of active content from this location. To provide this capability, set the Local intranet zone to a low level of security. You might not feel as confident about sites on the Internet, so you can assign a higher level of security to the entire Internet zone. This higher level prevents users from running active content and downloading code to their computer. However, if there are specific sites you trust, you can place individual URLs or entire domains in the Trusted sites zone. For other sites on the Internet that are known to be sources of potentially harmful Web content, you can select the highest restrictions.

Note Outlook Express shares zone settings with Internet Explorer. You can also select zone settings in Outlook Express. For more information, see the Outlook Express Help files.

You can accept the default security settings for each zone, or you can configure the settings based on the needs of your organization and its users. The options for configuring security zones are the same whether you access them from Internet Explorer 5, the Internet Explorer Customization wizard, or the IEAK Profile Manager. For more information about using the Internet Explorer Customization wizard and the IEAK Profile Manager, see Chapter 15, "Running the Internet Explorer Customization Wizard" and Chapter 22, "Keeping Programs Updated."

Important Internet Explorer 5 maintains the existing security zone settings from previous browser versions.

Configuring Security Zones

You can configure security zones by using the following methods:

The following sections describe how to configure zone settings from within Internet Explorer.

To configure security zone settings
  1. On the Tools menu, click Internet Options, and then click the Security tab.

    The following illustration shows the Security tab.

    Security tab

  2. Click a security zone to select it and view its current settings.
  3. As necessary, change the following settings:

The process required for setting up each security zone is described in the following sections.

Setting Up the Internet Zone

The Internet zone consists of all sites that are not included in the other zones. By default, the Internet zone is set to a Medium security level. If you are concerned about possible security problems when users browse the Internet, you might want to change the setting to High. If you raise the security setting, Internet Explorer prevents some Web pages from performing certain potentially harmful operations. As a result, some pages might not function or be displayed properly. Rather than use a High security setting, you might want to choose a Custom Level so that you can control each individual security decision for the zone.

Note You cannot add Web sites to the Internet zone.

Setting Up the Local Intranet Zone

To ensure a secure environment, you must set up the Local intranet zone in conjunction with the proxy server and firewall. All sites in this zone should be inside the firewall, and proxy servers should be configured so that an external Domain Name System (DNS) name cannot be resolved to this zone. Configuring the Local intranet zone requires that you have a detailed knowledge of your existing networks, proxy servers, and firewalls. For more information, see the MSDN Online Web site.

By default, the Local intranet zone consists of local domain names, as well as domains that are specified to bypass the proxy server. You should confirm that these settings are secure for the installation, or adjust the settings to be secure. When you set up the zone, you can specify the categories of URLs that should be considered. You can also add specific sites to the zone.

To set up sites in the Local intranet zone
  1. On the Tools menu, click Internet Options, and then click the Security tab.
  2. Click the Local intranet zone.
  3. Click Sites, and then select the following check boxes that apply:

    The following illustration shows the Local intranet zone settings.

    Local intranet zone settings

  4. Click Advanced.
  5. Type the address of the site you want to include in this zone, and then click Add.

    The following illustration shows where you would type the address to add a site to the Local intranet zone.

    Adding a site to the Local intranet zone

  6. To require that server verification be used, select the Require server verification (https:) for all sites in this zone check box.

The Local intranet zone is intended to be configured by using the Internet Explorer Customization wizard or the IEAK Profile Manager, although you can also access Local intranet options by clicking Internet Options on the Tools menu, and then clicking the Security tab. After the Local intranet zone is confirmed secure, consider changing the zone's security level to Low so that users can perform a wider range of operations. You can also adjust individual security settings by using a Custom Level of security for this zone. If parts of your intranet are less secure or otherwise not trustworthy, you can exclude the sites from this zone by assigning them to the Restricted sites zone.

Setting Up the Trusted and Restricted Sites Zones

You can add trusted and untrusted Web sites to the Trusted sites and Restricted sites security zones. These two zones enable you to assign specific sites that you trust more or less than those in the Internet zone or the Local intranet zone. By default, the Trusted sites zone is assigned a Low security level. This zone is intended for highly trusted sites, such as the sites of trusted business partners.

If you assign a site to the Trusted sites zone, the site will be allowed to perform a wider range of operations. Also, Internet Explorer will prompt you to make fewer security decisions. You should add a site to this zone only if you trust all of its content never to perform any harmful operations on your computer. For the Trusted sites zone, Microsoft strongly recommends that you use the HTTPS protocol or otherwise ensure that connections to the site are completely secure.

By default, the Restricted sites zone is assigned a High security level. If you assign a site to the Restricted sites zone, it will be allowed to perform only minimal, very safe operations. This zone is for sites that you do not trust. To ensure a high level of security for content that is not trusted, pages assigned to this zone might not function or be displayed properly.

Note A user could copy content from one zone to another, potentially increasing or decreasing the level of security intended for that zone's content.

Working with Domain Name Suffixes

You can address Web content by using either the DNS name or the Internet Protocol (IP) address. You should assign sites that use both types of addresses to the same zone. In some cases, the sites in the Local intranet zone are identifiable either by local name or by IP addresses in the proxy bypass list. However, if you enter the DNS name but not the IP address for a site in the Trusted sites or Restricted sites zone, that site might be treated as part of the Internet zone if it is accessed by using the IP address.

If you want to reference a Web server by using a shorter version of its address that does not include the domain, you can use a domain name suffix. For example, you can reference a Web server named sample.microsoft.com as sample. Then you can use either http://sample.microsoft.com or http://sample to access that content.

To set up this capability, you must add the domain name suffix for TCP/IP properties to the domain suffix search order.

To add the domain name suffix for TCP/IP properties to the domain suffix search order
  1. Right-click the Network Neighborhood icon, and then click Properties.
  2. On the Configuration tab, click TCP/IP, and then click Properties.
  3. Click the DNS Configuration tab, and then select Enable DNS if it is not already selected.
  4. In the Domain Suffix Search Order box, add the search order that you want.

    The following illustration shows the DNS Configuration tab.

    DNS Configuration tab

It is important to set up security zones correctly for this capability. By default, the URL without dots (http://sample) is considered to be in the Local intranet zone, while the URL with dots (http://sample.microsoft.com) is considered to be in the Internet zone. Therefore, if you use this capability and no proxy server bypass is available to clearly assign the content to the proper zone, you need to change the zone settings.

Depending on whether the content accessed by the domain name suffix is considered to be intranet or Internet content, you need to assign the ambiguous site URLs to the appropriate zones. To assign URLs, such as http://sample, to the Internet zone, clear the Include all local (intranet) sites not listed in other zones check box for the Local intranet zone, and include the site in the Internet zone.

Selecting Custom Level Settings

The Custom Level button on the Security tab gives you additional control over zone security. You can enable or disable specific security options depending on the needs of your organization and its users. For more information about how to use Custom Level security options, see "Setting Up Security Zones" earlier in this chapter.

The Custom Level security options for Internet Explorer are grouped into the following categories:

The following table identifies the default value for each Custom Level security option at each level of security.

Security option Low Medium-low Medium High

ActiveX controls and plug-ins

Download signed ActiveX controls Enable Prompt Prompt Disable
Download unsigned ActiveX controls Prompt Disable Disable Disable
Initialize and script ActiveX controls not marked as safe Prompt Disable Disable Disable
Run ActiveX controls and plug-ins Enable Enable Enable Disable
Script ActiveX controls marked safe for scripting Enable Enable Enable Disable

Cookies

Allow cookies that are stored on your computer Always Always Always Disable
Allow per-session cookies (not stored) Always Always Always Disable

Downloads

File download Enable Enable Enable Disable
Font download Enable Enable Enable Prompt

Java

Java permissions Low safety Medium safety Medium safety High safety

Miscellaneous

Access data sources across domains Enable Prompt Disable Disable
Drag and drop or copy and paste files Enable Enable Enable Prompt
Installation of desktop items Enable Enable Prompt Disable
Launching applications and files in an IFRAME Enable Enable Prompt Disable
Software channel permissions Low safety Medium safety Medium safety High safety
Submit non-encrypted form data Enable Enable Prompt Prompt
Userdata persistence Enable Enable Enable Disable

Scripting

Active scripting Enable Enable Enable Enable
Allow paste operations via script Enable Enable Enable Disable
Scripting of Java applets Enable Enable Enable Disable

User authentication

User Authentication - Logon Automatic Automatic Prompt Prompt

These Custom Level security options apply to Internet Explorer; other programs might not accept them. These security options are for Microsoft Windows 32-bit platforms, but some options might also apply to Microsoft Windows 16-bit or UNIX platforms. The following sections describe these settings in greater detail.

ActiveX Controls and Plug-ins

These options dictate how Internet Explorer approves, downloads, runs, and scripts ActiveX controls and plug-ins.

Note If a user downloads an ActiveX control from a site that is different from the page on which it is used, Internet Explorer applies the more restrictive of the two sites' zone settings. For example, if a user accesses a Web page within a zone that is set to permit a download, but the code is downloaded from another zone that is set to prompt a user first, Internet Explorer uses the prompt setting.

Cookies

These options determine the settings for per-session cookies (text files that store the user's preferences) and cookies that are stored on the client computer.

Downloads

These options specify how Internet Explorer handles downloads.

Java

These options control the permissions that are granted to Java applets when they are downloaded and run in this zone. Depending on the Internet Explorer components that you install, you might not be able to view or set these options.

Each option determines the following:

Note If a Java applet is downloaded from a different site than the page on which it is used, the more restrictive of the two sites' zone settings is applied. For example, if a user accesses a Web page within a zone that is set to allow a download, but the code is downloaded from another zone that is set to prompt a user first, Internet Explorer uses the prompt setting.

Miscellaneous

These options control whether users can access data sources across domains, submit non-encrypted form data, launch applications and files from IFRAME elements, install desktop items, drag and drop files, copy and paste files, and access software channel features from this zone.

Scripting

These options specify how Internet Explorer handles scripts.

User Authentication

This option controls how HTTP user authentication is handled.



Arrow: Top of page