One of the biggest threats to a network is content that’s been acquired from the Internet. When users are working within the contained environment of your private network, they are relatively safe from threats such as viruses and malicious scripts. However, there’s nothing stopping a user from accidentally visiting a malicious Web page and having such content pushed onto their machine. As a consultant, your clients are generally aware of such risks. But what are some simple methods to help your clients keep their networks secure?
In this article, I’ll explain how to configure Internet Explorer (IE) to ensure content that users acquire on the Internet won’t harm your network.
First in a series
This first installment of the series on securing Internet Explorer (IE) covers the browser’s security zones and how their settings affect both day-to-day use and network security. Later installments will discuss filtering Internet content and additional ways to increase IE’s security.
While a corporate intranet or an approved Web page pose little risk to a network’s security, some sites can run malicious code or scripts designed to steal passwords and other information. The trick to securing IE is distinguishing between Internet sites based on the risk that they pose to your network.
You can use IE’s security zones to differentiate between such sites and to control the way that IE behaves when a user accesses such a site. IE contains four built-in security zones—Restricted sites, Trusted sites, Local intranet, and Internet—that allow you to select the browser’s security level. Each of the built-in security zones contains its own preconfigured but customizable security settings.
You can access IE’s security settings by clicking on Tools in the menu bar and selecting Internet Options | Security. You should see the window shown here in Figure A:
The Restricted sites zone contains Web sites that could potentially damage your systems. Contrary to the name, sites that you place in the Restricted sites category aren’t blocked. Instead, IE simply limits the types of content that it will allow the site to display.
For example, when you visit a Restricted site, IE will disable things like ActiveX controls, cookies, file downloads, and Java applets. Basically, when you place a site into the Restricted sites zone, you’re telling IE that it’s okay to go to the site, but that you don’t trust it, so it shouldn’t let the site do anything that could be the least bit harmful.
To designate a site as restricted, click on the Restricted sites icon and click on the “Sites…” button. This will bring up a menu (Figure B) that allows you to add or remove sites that you want to label restricted.
The next security zone is the Trusted sites zone. The Trusted sites zone is intended for sites that you consider absolutely safe. For the most part, IE will accept just about any type of content from such sites, without considering potential harm. The only exception is that users will be prompted before downloading unsigned ActiveX controls or ActiveX controls that haven’t been marked as safe.
You can access the Trusted sites menu the same way you found the Restricted sites list: Click on the Trusted sites icon and the ensuing “Sites…” button. In this menu (Figure C), you can add or remove sites you want to designate as Trusted.
The next type of security zone is the Local intranet zone. This zone is designed to contain sites that exist on your local network. Oddly enough, IE places more security restrictions on the Local intranet zone than it does on the Trusted sites zone, if you stick with the default settings. However, the Local intranet zone is still fairly permissive. It allows most types of content, but doesn’t allow unsigned ActiveX controls or ActiveX controls that haven’t been marked as safe.
This security zone will also prompt you before installing desktop items, launching programs in an IFRAME, or accessing content that exists in a different domain.
Opening the Local intranet zone setting will bring up a window (Figure D) that asks the user to define which Web sites are included in the Local intranet zone.
Clicking on the “Advanced” button will bring up a menu (Figure E) that allows you to add or remove Web sites from this zone.
The final built-in security zone is the Internet zone, IE’s default security setting. Any sites that you haven’t specifically added to other security zones are assumed to be a part of the Internet security zone.
The Internet zone is appropriate for most Web sites, allowing users to browse freely but prompting them before downloading potentially dangerous content. Likewise, sites within this security zone won’t download unsigned or unsafe ActiveX controls.
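The four zones and their Sites… lists described above are stored per user in the registry under the ZoneMap key, which is what the dialogs write to. The following PowerShell script, an added example that is not part of the original article, assigns sites to zones through that key so that a consultant can script the same assignments across many profiles and audit what users have added themselves. The function names (`Set-IESiteZone`, `Remove-IESiteZone`, `Get-IESiteZone`) are my own, and the domain names in the usage section are constructed samples; it assumes it runs in the profile of the user being configured.

```powershell
# Added example, not code from the original article: assign a site to one of
# IE's built-in security zones by writing the same per-user ZoneMap registry
# entries that the Internet Options | Security | Sites... dialogs write.
# Assumptions: runs as the user being configured; the domain names used in
# the usage section at the bottom are constructed samples.

$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers IE stores for each built-in zone
$ZoneIds = @{
    'Local intranet'   = 1
    'Trusted sites'    = 2
    'Internet'         = 3
    'Restricted sites' = 4
}
$ZoneNames = @{}
foreach ($name in $ZoneIds.Keys) { $ZoneNames[$ZoneIds[$name]] = $name }

# IE keys a bare domain as Domains\example.com (covers every host under it)
# and a specific host as Domains\example.com\www (one subkey for the rest).
function Get-ZoneMapKey([string] $Domain) {
    $labels = $Domain.ToLowerInvariant().Split('.')
    if ($labels.Count -le 2) { return Join-Path $ZoneMapRoot ($labels -join '.') }
    $base     = $labels[-2..-1] -join '.'
    $hostPart = $labels[0..($labels.Count - 3)] -join '.'
    return Join-Path (Join-Path $ZoneMapRoot $base) $hostPart
}

function Set-IESiteZone {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)]
        [ValidateSet('Local intranet', 'Trusted sites', 'Internet', 'Restricted sites')]
        [string] $Zone,
        # The value name is the URL scheme; '*' applies the zone to every scheme
        [ValidateSet('http', 'https', 'ftp', 'file', '*')] [string] $Scheme = '*'
    )
    $key = Get-ZoneMapKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # A DWORD named after the scheme whose data is the zone number
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord `
        -Value $ZoneIds[$Zone] -Force | Out-Null
}

function Remove-IESiteZone([string] $Domain) {
    $key = Get-ZoneMapKey $Domain
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
}

# List every explicit assignment: the first thing to check when a site
# behaves more permissively than the Internet zone defaults would allow.
function Get-IESiteZone {
    if (-not (Test-Path $ZoneMapRoot)) { return }
    Get-ChildItem -Path $ZoneMapRoot -Recurse | ForEach-Object {
        $key = $_
        # Registry path Domains\example.com\www becomes www.example.com
        $rel   = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
        $parts = $rel.Split('\')
        [array]::Reverse($parts)
        $domain = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            [pscustomobject]@{
                Domain = $domain
                Scheme = $scheme
                Zone   = $ZoneNames[[int]$key.GetValue($scheme)]
            }
        }
    }
}

# Usage with constructed sample names
Set-IESiteZone -Domain 'hostile-site.example'   -Zone 'Restricted sites'
Set-IESiteZone -Domain 'www.partner.example'    -Zone 'Trusted sites' -Scheme 'https'
Set-IESiteZone -Domain 'intranet.corp.example'  -Zone 'Local intranet'
Get-IESiteZone | Format-Table -AutoSize
```

Because these entries live under HKCU, a user can undo them from the same dialog. For a client network the same mapping is normally pushed from a domain controller with the Group Policy setting “Site to Zone Assignment List” (Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page), which writes a policy key that IE honors over the user’s own list and that the Sites… buttons cannot edit; the script above is best used for auditing and for clients without a domain.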
You can also customize the security settings for any of the zones by selecting the zone and clicking the Custom Level button. When you do, you’ll see a dialog box that allows you to select a variety of options that control IE’s behavior.
For example, if your client has asked you to prohibit users from being able to download files from the Internet, you could click on the “Custom Level…” button, which would open a Security Settings window. Scroll down to Downloads | File Download and select the Disable radio button (see Figure F).
Then confirm your choice by clicking “OK.” A warning window will ask whether you want to keep the changes you’ve made before taking you back to the Internet Options window.
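Each radio button in the Security Settings window maps to a DWORD value under the zone’s key in the registry, named by the action’s hex code and holding 0 for Enable, 1 for Prompt, or 3 for Disable. The PowerShell below, an added example that is not part of the original article, applies the File Download = Disable change described above to the Internet zone and then reports the setting across all four zones so you can confirm that a client’s requested restriction actually took effect. The function names are my own; the action-code table covers only the four entries listed, and the script assumes it runs as the user being configured.

```powershell
# Added example, not code from the original article: set a Custom Level
# action for a zone (the article's case is Downloads | File download =
# Disable in the Internet zone) by writing the per-user value that the
# Security Settings dialog writes, then audit it across every zone.
# Assumption: runs as the user being configured.

$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$ZoneIds = @{
    'Local intranet'   = 1
    'Trusted sites'    = 2
    'Internet'         = 3
    'Restricted sites' = 4
}

# URL action codes IE uses for a few of the Custom Level entries
$Actions = @{
    'File download'                      = 0x1803
    'Download unsigned ActiveX controls' = 0x1004
    'Run ActiveX controls and plug-ins'  = 0x1200
    'Active scripting'                   = 0x1400
}

# Data stored for the three radio buttons
$Settings     = @{ Enable = 0; Prompt = 1; Disable = 3 }
$SettingNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Set-IEZoneAction {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Local intranet', 'Trusted sites', 'Internet', 'Restricted sites')]
        [string] $Zone,
        [Parameter(Mandatory)]
        [ValidateSet('File download', 'Download unsigned ActiveX controls',
                     'Run ActiveX controls and plug-ins', 'Active scripting')]
        [string] $Action,
        [Parameter(Mandatory)] [ValidateSet('Enable', 'Prompt', 'Disable')]
        [string] $Setting
    )
    $key  = Join-Path $ZonesRoot ([string]$ZoneIds[$Zone])
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Value names are the hex action code without a prefix, e.g. "1803"
    $name = '{0:X}' -f $Actions[$Action]
    New-ItemProperty -Path $key -Name $name -PropertyType DWord `
        -Value $Settings[$Setting] -Force | Out-Null
}

# Read one action back; an absent value means the zone's built-in default applies
function Get-IEZoneAction([string] $Zone, [string] $Action) {
    $key  = Join-Path $ZonesRoot ([string]$ZoneIds[$Zone])
    $name = '{0:X}' -f $Actions[$Action]
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (zone default)' }
    $data = [int]$item.$name
    if ($SettingNames.ContainsKey($data)) { return $SettingNames[$data] }
    return "unknown ($data)"
}

# One row per zone for a given action, for checking a client's requested restriction
function Get-IEZoneActionReport([string] $Action) {
    foreach ($zone in 'Local intranet', 'Trusted sites', 'Internet', 'Restricted sites') {
        [pscustomobject]@{
            Zone    = $zone
            Action  = $Action
            Setting = Get-IEZoneAction -Zone $zone -Action $Action
        }
    }
}

# Usage: apply the article's File Download = Disable change to the Internet zone
Set-IEZoneAction -Zone 'Internet' -Action 'File download' -Setting 'Disable'
Get-IEZoneActionReport -Action 'File download' | Format-Table -AutoSize
```

IE reads these values when it starts, so have the user close and reopen the browser after the change. As with the Sites… lists, a value under HKCU only restricts a user who does not reopen the Custom Level dialog and reverse it; where that matters, set the equivalent Group Policy entry for the zone and enable “Do not allow users to change policies for any security zone” so the dialog is greyed out.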
Have you customized IE?
As a consultant, have you customized the security settings in IE? Tell us what, if any, restrictions your client wanted placed on users. Share your experiences in a discussion below or send us an e-mail.