Most Web browsers offer the option of controlling a wide
variety of potential security issues and annoyances, yet each browser takes a
different approach to handling these issues. Let’s take a look at the method
that Microsoft’s Internet Explorer (IE) uses to provide a secure browser
experience.
On the newer versions of Windows (including Windows XP, Windows Server 2003, and Windows 2000), IE 6 is an extension of, and an integral part of, the operating system. Using IE 6, you can block pop-ups, disable Java and ActiveX controls, and protect yourself from cross-site scripting.
You can access these options by going to Tools | Internet Options
in Internet Explorer and selecting the Security tab. This area also allows you
to configure security zones for different levels of trust for different Web
sites.
The security settings you select here control the security
for each zone. Here’s a look at the default security settings for IE.
Security option | Low | Medium-Low | Medium | High
--- | --- | --- | --- | ---
ActiveX Controls | | | |
Download signed ActiveX controls | Enable | Prompt | Prompt | Disable
Download unsigned ActiveX controls | Prompt | Disable | Disable | Disable
Initialize and script ActiveX controls not | Prompt | Disable | Disable | Disable
Run ActiveX controls and plug-ins | Enable | Enable | Enable | Disable
Script ActiveX controls marked safe for | Enable | Enable | Enable | Disable
Downloads | | | |
File download | Enable | Enable | Enable | Disable
Font download | Enable | Enable | Enable | Prompt
Miscellaneous | | | |
Access data sources across domains | Enable | Prompt | Disable | Disable
Allow | Enable | Enable | Enable | Disable
Display mixed content | Prompt | Prompt | Prompt | Prompt
Don’t prompt for client certificate selection | Enable | Enable | Disable | Disable
Drag and drop or copy and paste files | Enable | Enable | Enable | Prompt
Installation of desktop items | Enable | Prompt | Prompt | Disable
Launching programs and files in an IFRAME | Enable | Prompt | Prompt | Disable
Navigate sub-frames across different domains | Enable | Enable | Enable | Disable
Software channel permissions | Low safety | Medium safety | Medium safety | High safety
Submit non-encrypted form data | Enable | Enable | Prompt | Prompt
Userdata persistence | Enable | Enable | Enable | Disable
Scripting | | | |
Active scripting | Enable | Enable | Enable | Disable
Allow paste operations via script | Enable | Enable | Enable | Disable
Scripting of Java applets | Enable | Enable | Enable | Disable
User | | | |
Logon | Automatic logon with current username and | Automatic logon only in Intranet zone | Automatic logon only in Intranet zone | Prompt for user name and password
Let’s take a look at how you can best apply these default settings in each zone to ensure security:
- Internet: When it comes to security risks for your computer and your network, consider this to be the Wild West. I recommend selecting the Medium level, which disables most ActiveX content (unless signed by a trusted publisher).
- Local Intranet: This zone controls internal corporate Web pages, and you should set the security setting to Low. This provides all of the functionality that the browser has to offer with the most permissive security settings.
- Trusted Sites: This zone controls the Web sites, external to your own network, that you trust. Such sites typically include your bank, your personal e-mail site, etc. I suggest setting this zone to Medium-Low, or Low if required to properly display all of the content of these select trusted sites.
- Restricted Sites: This zone addresses the Web sites that you probably shouldn’t be visiting anyway. The default setting for this zone is High—and for good reason. I don’t recommend modifying this setting under any circumstances.
While these are the suggested security settings, you can also
modify and create a custom setting for each zone if you prefer. However, the
four default settings generally provide the balance of security and
functionality that you’re looking for.
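The following script is an added example, not code from the column. It encodes a subset of the default-settings table above together with the recommended level for each zone, parses the text that `reg export` writes for the Zones key, and reports any setting that is looser than the recommended level's default, so an administrator can verify that the per-zone advice actually took effect on a workstation. The registry value names (1001, 1004, 1200, 1400, 1803, CurrentLevel) and their DWORD encodings follow Microsoft's documented layout of the Internet Settings\Zones key, which this column does not list; check them against your IE version before relying on the script. The export text inside the block is constructed sample data.

```python
"""Audit Internet Explorer zone settings against the column's defaults table.

Added example (not the column's own code). Assumptions, not taken from the
column: zone indexes and value names under the Zones registry key, and the
DWORD encodings 0 = Enable, 1 = Prompt, 3 = Disable for each option.
"""
import re

# Zone indexes under ...\Internet Settings\Zones (documented layout; assumption).
ZONES = {1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}

# Level names in the column's table, most permissive first.
LEVELS = ["Low", "Medium-Low", "Medium", "High"]

# CurrentLevel DWORD values for the four built-in levels (assumption).
LEVEL_CODES = {0x10000: "Low", 0x10500: "Medium-Low", 0x11000: "Medium", 0x12000: "High"}

# Subset of the column's table: value name -> (option label, (Low, Medium-Low, Medium, High)).
DEFAULTS = {
    "1001": ("Download signed ActiveX controls", ("Enable", "Prompt", "Prompt", "Disable")),
    "1004": ("Download unsigned ActiveX controls", ("Prompt", "Disable", "Disable", "Disable")),
    "1200": ("Run ActiveX controls and plug-ins", ("Enable", "Enable", "Enable", "Disable")),
    "1400": ("Active scripting", ("Enable", "Enable", "Enable", "Disable")),
    "1803": ("File download", ("Enable", "Enable", "Enable", "Disable")),
}

# Recommended level per zone, from the column's zone-by-zone advice.
RECOMMENDED = {1: "Low", 2: "Medium-Low", 3: "Medium", 4: "High"}

# DWORD encoding of each setting (assumption) and its strictness rank.
CODE_TO_NAME = {0: "Enable", 1: "Prompt", 3: "Disable"}
STRICTNESS = {"Enable": 0, "Prompt": 1, "Disable": 2}

KEY_RE = re.compile(r"^\[.*\\Zones\\(\d)\]\s*$")
VAL_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})\s*$')

# Constructed sample export: Internet zone has signed-ActiveX download enabled
# (looser than Medium), Restricted zone still has Active scripting enabled.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00011000
"1001"=dword:00000000
"1004"=dword:00000003
"1200"=dword:00000000
"1400"=dword:00000000
"1803"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"CurrentLevel"=dword:00012000
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1400"=dword:00000000
"1803"=dword:00000003
"""


def parse_reg_export(text):
    """Return {zone_index: {value_name: int}} from reg-export text."""
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = int(m.group(1))
            zones.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            zones[current][m.group(1)] = int(m.group(2), 16)
    return zones


def current_levels(zones):
    """Map each known zone name to the level its CurrentLevel value selects."""
    return {ZONES[i]: LEVEL_CODES.get(v.get("CurrentLevel"), "Custom")
            for i, v in zones.items() if i in ZONES}


def audit(zones):
    """List (zone, option, actual, expected) where actual is looser than the
    recommended level's default. Unknown codes are always reported."""
    findings = []
    for idx, values in sorted(zones.items()):
        if idx not in RECOMMENDED:
            continue
        level_pos = LEVELS.index(RECOMMENDED[idx])
        for name, (label, per_level) in DEFAULTS.items():
            if name not in values:
                continue
            actual = CODE_TO_NAME.get(values[name], "Unknown")
            expected = per_level[level_pos]
            if STRICTNESS.get(actual, -1) < STRICTNESS[expected]:
                findings.append((ZONES[idx], label, actual, expected))
    return findings


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    print("Current levels:", current_levels(parsed))
    for zone, option, actual, expected in audit(parsed):
        print(f"{zone}: '{option}' is {actual}, recommended level gives {expected}")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the contents of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg`; the comparison is per option rather than per level, so it still catches a custom level that silently re-enables one setting.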
In a corporate environment, you can deploy these settings
throughout the enterprise. You can do so by using the Internet
Explorer Administration Kit and deploying those settings through a package
delivery system such as Systems Management Server (SMS).
Final thoughts
IE has the ability to provide a secure browsing experience. However, it’s the responsibility of the organization or the user to configure it properly. Most important, make sure security measures apply to the sites that aren’t assigned to one of your security zones.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.