Understanding IE Security Zones

Q: Microsoft Internet Explorer (IE) Security Zones are a powerful browser security feature. However, configuring Security Zones is complex and often users lack the knowledge to configure them correctly. A crucial part of understanding IE Security Zones is knowing how IE classifies Web site URLs (i.e., understanding why IE adds a URL to a particular Security Zone). Can you explain how IE Security Zone classification works and offer some guidance on how to configure it?

A: The IE security settings that are applied to a Web site depend on a Web site's Security Zone classification. This dependence explains the importance of understanding how IE uniquely identifies Web sites.

In a security zone, a Web site is identified using its HTTP or FTP URL. You can manually add sites to all Security Zones except the Internet and Local Computer zones. Remember that a site is automatically added to the Internet zone when it doesn't match any of the other Security Zones; the Local Computer zone applies to all content stored on local machine drives. To add a Web site to a Security Zone, select the appropriate Security Zone in the Security tab of the Internet Options dialog box, then click the Sites… button as Figure 1 shows).

When explicitly adding Web site URLs to the Restricted Sites or Trusted Sites Security Zones, keep in mind that a browser can access Web sites by using both DNS names and plain IP addresses. If you add only Web sites' DNS names to the Restricted Sites or Trusted Sites Security Zones, the site will be classified as part of the Internet Security Zone when it's addressed using its IP address. So make sure that you add both a Web site's DNS name and IP address when classifying it as either a member of the Restricted Sites or Trusted Sites Security Zones.

You can use wildcards to add different Web sites through one administrative action. Adding *.hp.com to Trusted Sites for example, will classify all sites ending in hp.com (e.g., hr.hp.com, emea.hp.com) to the Trusted Sites Security Zone. The configuration of the Local Intranet zone deserves more attention. For the Local Intranet zone, users and administrators will see the following membership configuration options, as Figure 2 shows in the left dialog box):

Include all local (intranet) sites not listed in other zones. When this option is checked, all URLs that don't include dots will be added to the Local Intranet zone. Such is the case for intranet Web sites on which Web content is addressed using plain hostnames (e.g., http://intraweb. Addressing a Web site by using a hostname is possible because the Windows networking logic includes a feature called DNS Domain Suffix Search Order that allows for construction of the Fully Qualified Domain Name (FQDN) if given the hostname. This rule also applies when you address a Web site by using the number-version URL of its IP address; a number also doesn't include dots, and thus, by default the Web site will be classified as Local Intranet content. For example, a Web site with URL http://15.29.34.4 can also be addressed using http://268444164. To obtain this number from the site's IP address use the following formula:

15(256³) + 29(256²) + 34(256) + 4

In short, if you select the Include all local (intranet) sites not listed in other zones option, and users use URLs without dots to access Internet content, you must make sure to explicitly add these URLs to the Trusted Sites or Restricted Sites Security Zones.

Include all sites that bypass the proxy server. Intranet architectures typically use a proxy server to access Internet content. Checking this box automatically categorizes Web content that's accessed while bypassing the proxy server in the Local Intranet zone. Web content that can be accessed while bypassing the proxy server is defined in the Connections tab of the Internet Options configuration dialog box. If you also use proxy servers to access intranet content, you need to clear this box and explicitly define the intranet URLs as being part of the Local Intranet zone. To do so, click the Advanced… pushbutton and then explicitly add the intranet URLs, as Figure 2 shows.

Include all Universal Naming Conventions (UNCs). Network paths that use UNC names are typically used to reference intranet content. An example is \\webserver\webshare\report.doc. Selecting this check box automatically categorizes all UNC-addressed content in the Local Intranet zone. Clear this check box if you also use UNCs to access Internet-based Web content.

Manually add Web site URLs to the Local Intranet zone. To do so, click the Advanced… button in the Local Intranet zone dialog box.

Even more secure than just identifying a Web site for Security Zone classification is authenticating them. Authentication is possible when you use the Secure Sockets Layer (SSL) protocol. The Trusted Sites, the Local Intranet and the Local Computer Security Zones - the zones with the highest security privileges (and thus the lowest security level) You can configure The Trusted Sites, the Local Intranet, and the Local Computer Security Zones-the zones with the highest security privileges (and thus the lowest security level)-to require SSL-based Web site authentication.

The right dialog box in Figure 2 shows how you can configure the Local Intranet Security Zone to require SSL-based authentication for all Web sites that are categorized in this zone. The same option is available for the Trusted Sites and the Local Computer Security Zones. Because these are the three most privileged Security Zones, strong server-side authentication is a welcome security addition. For the Trusted Sites Security Zone, strong SSL-based authentication is a must.

To configure the Local Intranet zone properly, a user must have a detailed knowledge of the organization's network configuration, including proxy servers and firewalls. Because very few users have this knowledge, I recommend you use one of the centralized IE Security Zone configuration options: Group Policy Object (GPO) settings or the Internet Explorer Administration Kit (IEAK).