Browsing the "wild, wild Web" can be dangerous. Combine today’s highly functional Microsoft Internet Explorer (IE) 5.0 with less-than-security-savvy users who visit all types of Web sites, and you take some serious risks. Several methods exist for embedding malicious content into Web pages. To suffer from a security attack, however, you don’t need to land on the Web site of a malicious Web master. Many Web sites such as eBay and Hotmail let users embed HTML and active content into their postings. When you view a Web page that contains active content (e.g., a Java applet), you let untrusted code execute on your computer. Even with the built-in security features in Java and other scripting languages, attackers have found many ways to access files on the local drives of the computer browsing the Web and to access resources on your company's other servers.
In this series of articles, I’ll show you how to reduce the risk of browsing the Web by properly configuring IE’s security options. However, because you can have hundreds or thousands of IE installations, you can’t afford to configure each computer individually—not to mention reconfigure IE installations when users reverse your security settings. I’ll show you how to use Group Policy to securely configure IE and to prevent users from defeating your restrictions. To begin, it's important that you know how to use IE's security zones to apply the appropriate level of security and restrictions to each Web site that you and your users visit.
IE Security Zones
Many of IE's security options can cause inconvenience or loss of functionality, and some Web sites deserve more trust than others. IE uses the concept of Web content zones to let you apply the correct amount of security to each site. To view the security settings, open IE, select Tools, Internet Options, and select the Security tab, as Figure 1 shows. IE has four zones: Internet, Local intranet, Trusted sites, and Restricted sites. Each zone has a preset level of security—Low, Medium-low, Medium, or High. You can change these levels, or you can select Custom Level to specify your own settings. Let's look at each zone—we'll explore the Custom Level settings in Part 2.
The Internet zone includes all Web sites you haven't specified in the other three zones. The default level for the Internet zone is Medium. You can move the slider to change this setting, as Figure 1 shows. For example, if you change the security to Medium-low, a warning dialog box pops up, asking if you really want to change the setting. If you click Yes, the level changes and displays information about the setting. (Any time you change a zone's default setting, you'll get a synopsis about the setting.)
Local Intranet Zone
The Local intranet zone defaults to Medium-low security and typically includes all content on your local computer and on your company's intranet servers within your local network. To fine-tune the sites in this zone, click Sites. IE opens a small dialog box with three check boxes representing different types of Web sites, as Figure 2 shows.
If you check Include all local (intranet) sites not listed in other zones, you include Web addresses that start with a drive letter (content on your local computer) and Web sites whose host names don’t include dots (e.g., .com, .org). Typically, you access an intranet Web site with only its base computer name (i.e., //humanresources). If you check Include all sites that bypass the proxy server and your browser uses a proxy server, you include all Web sites that bypass the proxy server. If you don’t use a proxy server, this check box has no effect, regardless of how you set it.
If you check Include all network paths (UNCs), IE considers any Web pages that you access using the Universal Naming Convention (UNC) to be part of this zone (e.g., a UNC path is in the format of \\
If you check Require server verification (https:) for all sites in this zone, IE won't let you connect to sites in this zone using HTTP on TCP port 80. Instead, IE only lets you connect through Secure Sockets Layer (SSL) on port 443. This option is valuable because, as part of SSL, the server must authenticate itself to your browser using a certificate signed by a Certificate Authority (CA) that your computer trusts. However, this option typically isn't appropriate for the Local intranet zone because you usually trust Web sites within your internal network and because Web servers must be specially configured with certificates to support SSL.
You can use the Trusted sites zone for highly trusted and functional Web sites where you need active content or sites where you need minimal security. These sites might include internal Web sites or the Web sites of trusted business partners. Trusted sites defaults to a security setting of Low and doesn't include any Web sites. Click Sites to access a dialog box that lets you add and remove specific Web addresses, as Figure 3 shows. If the Web site supports SSL for all Web pages, you should select the Require server verification (https:) for all sites in this zone check box. Unfortunately, most Web sites use SSL only for specific Web pages that display or accept confidential information.
You can use the Restricted sites zone for Web sites that users must visit but that are dangerous. The Restricted sites zone defaults to a security setting of High and doesn’t include any Web sites. Click Sites to add and remove specific Web addresses; the dialog box looks the same as Figure 3 except that it has no Require server verification (https:) for all sites in this zone check box. Be sure to set up your zones correctly so that each Web site is subject to the appropriate security level. In Part 2 of this article, I'll explain the settings in Custom Level.
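To make the zone rules above concrete, here is an added Python model (not code from the article or from IE itself) that classifies a URL into one of the four zones using the three Local intranet check boxes, the Trusted and Restricted site lists, and the Require server verification (https:) option. It assumes that explicitly listed sites take priority over the intranet heuristics, that a listed entry also covers its subdomains, and that the proxy-bypass list is supplied as a plain set of host names.

```python
from urllib.parse import urlsplit

# Zone names as the article uses them.
INTERNET = "Internet"
INTRANET = "Local intranet"
TRUSTED = "Trusted sites"
RESTRICTED = "Restricted sites"


def _host_matches(host, patterns):
    # Assumption: a listed entry matches the host exactly or as a parent
    # domain, so "partner.example" also covers "www.partner.example".
    return any(host == p or host.endswith("." + p) for p in patterns)


def classify(url, trusted=(), restricted=(), trusted_https_only=True,
             include_local=True, include_proxy_bypass=True, include_unc=True,
             proxy_bypass=()):
    """Return the zone a URL lands in under the given zone settings."""
    is_unc = url.startswith("\\\\")
    if is_unc:
        # \\server\share\...: the host is the first component after the slashes.
        scheme, host = "unc", url[2:].split("\\", 1)[0].lower()
    else:
        parts = urlsplit(url)
        scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    # Assumption: explicit site lists win over the intranet heuristics,
    # and Restricted is checked first because it is the stricter zone.
    if _host_matches(host, restricted):
        return RESTRICTED
    # "Require server verification" keeps plain-HTTP pages of a trusted
    # site out of the Trusted zone; they fall through to the rules below.
    if _host_matches(host, trusted) and (scheme == "https" or not trusted_https_only):
        return TRUSTED
    if include_unc and is_unc:                      # Include all network paths (UNCs)
        return INTRANET
    if include_local:                               # Include all local (intranet) sites
        if scheme == "file" and not host:           # drive-letter content on this computer
            return INTRANET
        if host and "." not in host:                # base computer name, e.g. //humanresources
            return INTRANET
    if include_proxy_bypass and host in proxy_bypass:  # Include all sites that bypass the proxy
        return INTRANET
    return INTERNET
```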