A critical step in protecting your network is to prevent users from accessing unauthorized Web sites. Malicious code on these sites can wreak havoc on crucial network systems and can destroy mission-critical information. But although there are several options for blocking this access, they are not always foolproof.

Some network administrators add a list of forbidden Web sites to the company’s firewall, but it’s impossible to catch all of the sites that should be blocked. Plus, using a firewall for this purpose could seriously degrade its performance.

Running special third-party software designed to block certain types of content on a dedicated server is a better method, because the vendor usually provides a database containing a listing of all prohibited Web sites. But the software can be expensive, and because all outbound requests must be compared against the database, it can drastically decrease your company’s Internet access speed.

Perhaps the easiest method of blocking access to restricted sites is to work directly through Internet Explorer (IE), using it to filter content from your network and prohibit certain malicious scripts from running.

Second in a series

Last week’s installment explored customizing IE’s security zones to block harmful content from infiltrating your network. Next week’s article will discuss more methods of customizing IE’s security.

Getting started
Selecting the Internet Options command from IE’s Tools menu will bring up the Internet Options properties sheet. Select the Content tab, and click the Enable button in the Content Advisor section to bring up the Content Advisor properties sheet.

The first tab you’ll encounter on this properties sheet is the Ratings tab, shown in Figure A.

Figure A

Many Web sites are rated by the Recreational Software Advisory Council (RSACi), in the same manner that movies and television shows are rated. The Ratings tab allows you to set the RSACi rating that you’ll permit in the categories of Language, Nudity, Sex, and Violence.

You can break down each category to determine the level that you think is acceptable. For example, you could break down the Nudity category to permit none, revealing attire, partial nudity, frontal nudity, or a provocative display of frontal nudity (Figure B).

Figure B

The only problem with going by RSACi ratings is that not all sites are rated. If you aren’t too wild about the idea of an unapproved site slipping through the cracks, then you can use the Approved Sites tab (Figure C) to specifically tell IE which sites should be allowed and which sites should never be allowed. Because this tab works based on a site’s URL, it’s totally independent of any ratings.

Figure C

Of course, if you’d rather stick to playing the ratings game, then you have some more options. The General tab (Figure D) allows you to use other Internet rating systems, such as SafeSurf, to either replace RSACi or work in conjunction with it.

Figure D

Protect against malicious code
Now that you’ve got an idea of how to limit access to some sites and control how Internet Explorer responds to potentially harmful content, it’s time to take a closer look at that dangerous content. IE’s security zone settings can block access to ActiveX controls, but why would you need to prohibit such access?

Obviously, you can use—and I recommend—antivirus programs like Symantec’s Norton AntiVirus or McAfee’s VirusScan. Unfortunately, antivirus software isn’t designed to detect all types of malicious scripts. It also takes a relatively destructive script to trigger an antivirus alert.

The threat you’ll more likely encounter while surfing is a Web-based Trojan horse, a program that contains harmful code or malicious scripts designed to control or damage your computer or network. Fortunately, you can configure IE to prevent such scripts from running.

On the Security tab of the Internet Options properties sheet, you might have noticed a Custom Level button. If you click this button, you can take full control over every aspect of Internet Explorer’s security settings.

For most of the options that are available (such as allowing Java scripting), you may either enable or disable the operation. You can also use the Prompt option to allow users to decide if they want the script to run or not.

The primary type of potentially destructive script is a Java applet, which can unleash pure evil upon your system. I once encountered a Java applet that attempted to modify my Windows registry. Had Norton AntiVirus not intercepted the operation, I might have never known that anything was wrong until it was too late.

While Internet Explorer’s security zones can determine the types of scripts that are allowed to run, if you haven’t added a site to a security zone, Internet Explorer will simply use the default settings. These default settings allow fairly liberal Java applet behavior, but I recommend placing the Java Permissions into the High Safety category (Figure E).

Figure E

If you’re still leery of Java applets, you could completely disable Java for the Internet security zone. You might also choose to disable scripted paste operations, disable scripting altogether, or simply disable scripting of Java applets.

Of course, Internet Explorer doesn’t limit you to enabling or disabling an option. You always have the choice of prompting the user as to whether or not to run a script.
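
The zone options described in this section are stored per user in the registry, so an administrator can check them from a script instead of opening the Custom Level dialog on each machine. The following read-only PowerShell audit is an added example, not part of the original article; the registry path, the action IDs (1C00, 1400, 1402, 1407) and the value meanings come from Microsoft's published IE security zone registry entries rather than from this page, and it assumes the current user's Internet zone (zone 3).

```powershell
# Added example: read-only audit of the Internet zone (zone 3) for the current user.
# Action IDs and values follow Microsoft's documented IE zone registry entries;
# a Group Policy copy of these values, if present, takes precedence over this key.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Accept = values that satisfy the article's advice; $null = optional hardening.
$settings = @(
    @{ Id = '1C00'; Name = 'Java permissions';          Accept = @(0x00000000, 0x00010000) }
    @{ Id = '1400'; Name = 'Active scripting';          Accept = $null }
    @{ Id = '1402'; Name = 'Scripting of Java applets'; Accept = $null }
    @{ Id = '1407'; Name = 'Scripted paste operations'; Accept = $null }
)

function Get-ZoneSettingLabel {
    param([string]$Id, $Value)
    if ($null -eq $Value) { return 'not set (default applies)' }
    if ($Id -eq '1C00') {
        # Java permissions use their own value scale.
        switch ([int]$Value) {
            0x00000000 { return 'Disable Java' }
            0x00010000 { return 'High safety' }
            0x00020000 { return 'Medium safety' }
            0x00030000 { return 'Low safety' }
            0x00800000 { return 'Custom' }
            default    { return ('unknown (0x{0:X})' -f $Value) }
        }
    }
    # All other actions checked here use Enable / Prompt / Disable.
    switch ([int]$Value) {
        0 { return 'Enable' }
        1 { return 'Prompt' }
        3 { return 'Disable' }
        default { return ('unknown ({0})' -f $Value) }
    }
}

$props = Get-ItemProperty -Path $zonePath -ErrorAction SilentlyContinue
foreach ($s in $settings) {
    $value = if ($props) { $props.($s.Id) } else { $null }
    $meets = if ($null -eq $s.Accept) { 'optional' } elseif ($s.Accept -contains $value) { 'yes' } else { 'no' }
    [pscustomobject]@{
        Setting     = $s.Name
        ActionId    = $s.Id
        Current     = Get-ZoneSettingLabel -Id $s.Id -Value $value
        MeetsAdvice = $meets
    }
}
```

Only the Java permissions row is graded, because High Safety (or disabling Java outright) is the one setting the article recommends; the other three rows report their current state so you can decide whether to set them to Prompt or Disable.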
