Collaboration

Lock IT Down: Protect your network with Internet Explorer 6's Security Zones

Make IE more secure by setting security zones


Malicious active content on the Internet has always been a cause for concern for the IT professional. The Security Zones feature of Internet Explorer 6 (IE6) is designed to protect users from inadvertently downloading this type of content from the Internet. I'll explain IE6's Security Zones feature and discuss the default settings. I’ll examine some of the settings you can change to adjust the level of security applied to each of these zones. I’ll then show you how to easily roll out the IE6 Security Zones settings to users on a network of Windows 2000 and Windows XP Professional clients with Group Policy editor and a local intranet server.

The Security Zones overview
IE6 includes four predefined Security Zones:
  • Internet—The Internet zone is an all-inclusive zone designed to include all Web sites on the Internet.
  • Local Intranet—The Local Intranet zone is designed to include all computers that are connected to a local network.
  • Trusted Sites—The Trusted Sites zone can be configured to include any sites containing active content that you completely trust.
  • Restricted Sites—The Restricted Sites zone can be configured to include any sites containing active content that you absolutely do not trust.

Note
There is actually a hidden, fifth zone, the My Computer zone, which includes most of the files on your computer. This special zone doesn’t appear in the dialog box with the others and can only be reconfigured by editing the registry or by using the Internet Explorer Administration Kit. As a general rule, the default security level in the My Computer zone is sufficient for most situations.

Each of these Security Zones is by default configured to use one of four predefined security levels. For example, the Restricted Sites zone is set at High, the Internet zone is set at Medium, the Local Intranet zone is set at Medium-low, and the Trusted Sites zone is set at Low. The level of protection provided by each of these security level settings is summarized in Table A. (I’ll go into more detail on the security level settings in a moment.)
Table A

Security level

Summary

High

The safest way to browse, but also the least functional.
Less secure features are disabled.
Appropriate for sites that might have harmful content.

Medium

Safe browsing and still functional.
Prompts before downloading potentially unsafe content.
Unsigned ActiveX controls will not be downloaded.
Appropriate for most Internet sites.

Medium-low

Same as Medium without prompts.
Most content will run without prompts.
Unsigned ActiveX controls will not be downloaded.
Appropriate for sites on your local network (intranet).

Low

Minimal safeguards and warning prompts are provided.
Most content is downloaded and run without prompts.
All active content can run.
Appropriate for sites that you absolutely trust.

The Security Zone’s predefined security levels

In most circumstances, these default Security Zone settings are sufficient, but you do have a lot of latitude—possibly more than you’re comfortable with. IE6’s Security Zone feature is highly customizable and gives you a mechanism for adjusting the amount of security in each of the Security Zones at a granular level. In other words, you can configure each and every active content feature that IE6 is capable of processing by choosing to enable or disable the feature and configuring Internet Explorer to prompt the user for a choice before accessing the active feature.

A total of 23 active content features are divided into six main categories. These active content features are listed in Table B, along with the default settings in each of the four Security Zones. You can browse through the settings listed in Table B and compare them with the predefined security levels listed in Table A, and begin to get a more specific idea of how much protection is offered by each of the predefined security levels. You can then decide if these default settings offer the level of protection that you’re comfortable with providing for your organization or if you want to tighten or loosen the security in certain areas.
Table B

Active feature

Internet

Local intranet

Trusted sites

Restricted sites

ActiveX Controls and plug-ins

Download signed ActiveX controls

Prompt

Prompt

Enable

Disable

Download unsigned ActiveX controls

Disable

Disable

Prompt

Disable

Initialize and script ActiveX controls not marked as safe

Disable

Disable

Prompt

Disable

Run ActiveX controls and plug-ins

Enable

Enable

Enable

Disable

Script ActiveX controls marked safe for scripting

Enable

Enable

Enable

Disable

Downloads

File download

Enable

Enable

Enable

Disable

Font download

Enable

Enable

Enable

Prompt

Microsoft VM

Java permissions

High safety

Medium safety

Low safety

Disable Java

Miscellaneous

Access data sources across domains

Disable

Prompt

Enable

Disable

Allow META REFRESH

Enable

Enable

Enable

Disable

Display mixed content

Prompt

Prompt

Prompt

Prompt

Don't prompt for client certificate when no certificates or only one certificate exists

Disable

Enable

Enable

Disable

Drag and drop or copy and paste files

Enable

Enable

Enable

Prompt

Installation of desktop items

Prompt

Prompt

Enable

Disable

Launching programs and files in an IFRAME

Prompt

Prompt

Enable

Disable

Navigate subframes across domains

Enable

Enable

Enable

Disable

Software channel permissions

Medium safety

Medium safety

Low safety

High safety

Submit nonencrypted for data

Enable

Enable

Enable

Prompt

Userdata persistence

Enable

Enable

Enable

Disable

Scripting

Active scripting

Enable

Enable

Enable

Disable

Allow paste operations via script

Enable

Enable

Enable

Disable

Scripting of Java applets

Enable

Enable

Enable

Disable

User Authentication

Logon

Anonymous logon

Auto logon only in intranet zone

Auto logon with current username and password

Prompt for username and password

The active content features and their default settings

The Security Zones user interface
The user interface for configuring IE6’s Security Zones feature is very straightforward. To begin configuring IE6’s Security Zones, pull down the Tools menu and select the Internet Options command. When you see the Internet Options dialog box, select the Security tab, as shown in Figure A.

Figure A
Configure IE6’s Security Zones feature from the Security tab.


Each of the four Security Zones is represented by an icon in the panel at the top of the tab. As you click each icon, you’ll see the preset security level setting that applies to that zone. You can adjust the security level by moving the slider to the notches that apply to each of the four predefined settings.

The Sites button is unavailable in the Internet zone; clicking that button in any of the other zones will display another dialog box with which you can add specific sites to that zone. For example, selecting the Trusted Sites zone and clicking the Sites button will display the dialog box shown in Figure B. You can then easily add sites to the zone by typing the address and then clicking the Add button.

Figure B
This dialog box lets you add specific Web sites to the Trusted Sites zone.


At the bottom of the Security Level For This Zone panel in Figure A, notice the Custom Level button. When you click this button, you’ll see the Security Settings dialog box, as shown in Figure C, where you can configure each of the security settings listed in Table B.

Figure C
The Security Settings dialog box lets you specify your security settings at the granular level.


Studying the Custom Security Settings
The process of adding sites to the Local Intranet, Trusted Sites, and Restricted Sites zones is easy. So, too, is selecting one of the four broad security level settings. The tricky part is adjusting the individual options in the Security Settings dialog box, because you really need to have a thorough understanding of what each of these settings controls. Let’s take a closer look at each of those settings.

ActiveX Controls And Plug-ins
The settings in the ActiveX Controls And Plug-ins category allow you to control whether signed or unsigned controls are downloaded and executed. An ActiveX control or plug-in is basically a program object that can be inserted into a Web page by the developer and used to provide some interactive function on the page. For example, an ActiveX control could be used to insert a live stock ticker in a Web page.

A signed ActiveX control is one that includes a certificate stating who created the control and which Certification Authority, such as VeriSign, has credentialed the control. A signed ActiveX control can be considered safe under most circumstances. An unsigned ActiveX control contains neither the author’s name nor a credential. The five settings in this category are:
  • Download Signed ActiveX Controls
  • Download Unsigned ActiveX Controls
  • Initialize And Script ActiveX Controls Not Marked As Safe
  • Run ActiveX Controls And Plug-ins
  • Script ActiveX Controls Marked Safe For Scripting

These can be set to one of three values: Enable, Disable, or Prompt. The latter setting configures Internet Explorer to display a dialog box asking you whether you want to run the control.

It’s important to point out that the Run ActiveX Controls And Plug-ins setting has an additional option called Administrator Approved, which gives corporate administrators the ability to allow specific ActiveX controls to be run, while locking out all others.

Downloads
The settings in the Download category allow you to control how you want the browser to deal with the download of files and fonts. The Font Download option can be set to Enable, Disable, or Prompt; the File Download option can only be set to Enable or Disable.

Microsoft VM
Under the Microsoft VM (Virtual Machine) category, there’s only one setting, Java Permissions. When a Java applet runs, it typically requests permission to access items on your system, such as folders, files, printers, system information, or network connections. Obviously, controlling the amount of security applied to Java applets is very important.

To configure Java security, you’ll use one of five settings: Custom, Disable Java, High Safety, Low Safety, and Medium Safety. Keep in mind that if a Java applet doesn’t need a higher level of permission than what you have set, it will run without requesting permissions. If it does need a higher level of permission, Internet Explorer will display a dialog box that prompts you to grant the necessary additional privileges needed for the applet to run.

If you choose the Custom option, you’ll see a Java Custom Settings button at the bottom of the Security Settings dialog box that will allow you to fine-tune the level for Java permissions on a very granular level. When you click this button, you’ll see a dialog box with two tabs, as shown in Figure D.

Figure D


The first tab, View Permissions, allows you to examine the currently selected permissions, which are divided into three categories:
  • Permissions Given To Unsigned Content
  • Permissions That Signed Content Are Allowed
  • Permissions That Signed Content Are Denied

As you can see, each setting under these categories is marked with a traffic light icon; the color of the light indicates the level of security in place. A green light indicates high security level, a yellow light indicates a medium level of security, and a red light indicates a low level of security. If you select the Edit Permissions tab, you’ll find a series of option buttons that allow you to configure each permission setting to Enable, Disable, or Prompt.

Microsoft has provided a built-in Help system that covers in detail each of the Java Permissions settings on the View Permissions and Edit Permissions pages. To access this Help system for either tab, right-click anywhere in the main area of the page or click the question mark icon and then click anywhere in the main area of the page. A Help screen will appear.

Miscellaneous
The Miscellaneous category contains a hodgepodge of settings, most of which were added as the result of various security patches and fixes that have been integrated into Internet Explorer over the last couple of years. Each of these settings can be configured as Enable, Disable, or Prompt.
  • Access Data Sources Across Domains: Controls cross-domain data access, which can open the door to various spoofing attacks.
  • Allow META REFRESH: Controls whether Web pages can use meta-refreshes to reload pages after a preset delay.
  • Display Mixed Content: Controls whether Web pages can display content from both secure and nonsecure servers.
  • Don't Prompt For Client Certificate When No Certificates Or Only One Certificate Exists: Controls whether users are prompted to select a certificate when no trusted certificate or only one trusted certificate has been installed on the computer.
  • Drag And Drop Or Copy And Paste Files: Controls whether users can drag and drop files or copy and paste files.
  • Installation Of Desktop Items: Controls whether users can download and install Active Desktop content.
  • Launching Programs And Files In An IFRAME: Controls whether applications may be run and files may be downloaded from within a floating frame (IFRAME).
  • Navigate Subframes Across Domains: Designed to prevent frame spoofing, which is defined as inserting a page containing malicious content within a frame on a legitimate Web site.
  • Software Channel Permissions: Controls whether an e-mail message can be sent with notification of available software for download or whether that software can be installed.
  • Submit Nonencrypted For Data: Controls whether data in HTML forms may be submitted. (Keep in mind that this only affects non-SSL form data—any data submitted with SSL encryption is always allowed.)
  • Userdata Persistence: Controls how objects persist to data, such as page state in user data. Used within an XML store.

Scripting
The Scripting category contains three settings, which allow you to clamp down on malicious scripting activities. Each of these settings can be configured as Enable, Disable, or Prompt.
  • Active Scripting: Used to expose the contents of local files.
  • Allow Paste Operations Via Script: Provides access to the contents of the clipboard.
  • Scripting Of Java Applets: Allowing a script to access an existing Java applet opens the door to all kinds of mischief since Java applets can have a wide range of access to the file system.

User authentication
Many Web sites and intranet sites require user authentication to gain access. The Logon security setting allows you to control the transmission of authentication information via Internet Explorer with the selection of one of four options.
  • Anonymous Logon: Disables authentication and uses guest access.
  • Automatic Logon Only In Intranet Zone: Automatically logs on all sites in the Intranet zone with the current session username and password; also issues prompts for username and password for sites in all other zones.
  • Automatic Logon With Username And Password: Configures Internet Explorer with the current session username and password.
  • Prompt For Username And Password: Configures Internet Explorer to always prompt for a username and a password.

Distributing Security Zone settings via the Group Policy editor
Once you’ve configured your browser’s Security Zone settings, you’ll need to distribute them to your users. While you can use the Internet Explorer Administration Kit’s Profile Manager to do the job, you can avoid having to install additional software if you use the method provided by the Group Policy editor.

Doing so is a two-step procedure that involves exporting the Security Zone settings as an INS configuration file and then configuring your Windows 2000 and Windows XP Professional clients to use the Automatic Browser Configuration feature to import those settings. The beauty of this distribution method is that you can regularly update the Security Zone settings and then easily distribute the updates.

Exporting the Security Zone settings
To begin, launch the Group Policy editor by typing Gpedit.msc in the Run dialog box. When you see the Group Policy editor window, go to the tree view and open the following branch: User Configuration | Windows Settings | Internet Explorer Maintenance. Right-click on the Security icon and select the Export Browser Settings command from the shortcut menu. When you see the Save .INS File And .CAB Files dialog box, type the full path and name of the .INS file and click OK, as shown in Figure E. Once you save the INS file, copy it to the root directory of a local intranet server.

Figure E
You can save your Security Zone settings to an INS file.


Enabling the Automatic Browser Configuration feature
At this point, you’ll need to enable Automatic Browser Configuration on all of your Windows 2000 and Windows XP Professional clients. You can e-mail these instructions to your users or deploy them manually.

Launch the Group Policy editor by typing Gpedit.msc in the Run dialog box. When you see the Group Policy editor window, go to the tree view and open the following branch: User Configuration | Windows Settings | Internet Explorer Maintenance | Connection. Double-click Automatic Browser Configuration.

In the Automatic Browser Configuration dialog box, select both the Automatically Detect Configuration Settings and the Enable Automatic Configuration check boxes. Then, type the URL to the INS configuration file in the Auto-config URL (.INS File) text box, as shown in Figure F.

Figure F
Enable Automatic Browser Configuration on all of your Windows 2000 and Windows XP Professional clients.


Peace of mind with IE6's Security Zones
The Internet has always been a risky network for IT professionals in charge of a large user base. When users connect to the Internet, you’re fighting a losing battle if you haven’t taken the necessary precautions to lock down the browser. If your network’s Windows 2000 or Windows XP Professional users access the Internet with IE6, you need to learn how to employ the Security Zones feature to protect systems from inadvertently downloading malicious active content from the Internet.

About Greg Shultz

Greg Shultz is a freelance Technical Writer. Previously, he has worked as Documentation Specialist in the software industry, a Technical Support Specialist in educational industry, and a Technical Journalist in the computer publishing industry.

Editor's Picks

Free Newsletters, In your Inbox