
How to configure Internet Explorer 7 Security Zones for high security

This article describes how to achieve the highest possible security in Internet Explorer 7. There are basic instructions for beginning users, explanations and advanced settings for more experienced users, and reference tables for custom settings.

Basic and quick Security Zone settings

If you're new to this or in a hurry, you can quickly improve the security of each zone just by using the IE slider controls.

Open the Internet Options dialog box from either of these locations:

  • IE7 > Tools > Internet Options > Security
  • Start > Control Panel > Internet Options > Security

Click on each zone, and set its slider to the level shown:

Zone: Recommended setting

  • Restricted: High
  • Internet: High
  • Trusted Sites: Medium-high. If experience shows this is too restrictive for too many sites, you can reduce to Medium or tweak individual settings, but never put any setting below the level it has for Medium. For reference while doing this, there is a table showing all the individual settings for each security level.
  • Local Intranet: Medium-low

When done, click OK.

When visiting unfamiliar websites, these settings ensure that you have High security. When you are on a website that you trust and you need to allow features that the High setting doesn't permit (such as file downloads, JavaScript, or ActiveX), you can manually add that site to your Trusted Sites list, where security is lower and the needed features are allowed.
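
To check the slider levels without clicking through each zone, the following added PowerShell example (not part of the original article) reads them from the registry and compares them with the recommendations above. It assumes the per-user zone settings under HKCU are the ones in effect and PowerShell 2.0 or later; the function name is hypothetical.

```powershell
# Added example: audit the IE zone sliders against the article's recommendations.
# Assumes per-user zone settings (HKCU) and PowerShell 2.0+; Get-ZoneLevelReport
# is a hypothetical name. Zone ids and level values are the urlmon.h constants.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# URLTEMPLATE_* values stored in each zone's CurrentLevel (0 = Custom level)
$levelNames = @{
    0x00000 = 'Custom'
    0x10000 = 'Low'
    0x10500 = 'Medium-low'
    0x11000 = 'Medium'
    0x11500 = 'Medium-high'
    0x12000 = 'High'
}

# Recommended slider positions from the list above
$recommended = @(
    @{ Id = 4; Name = 'Restricted';     Level = 0x12000 },
    @{ Id = 3; Name = 'Internet';       Level = 0x12000 },
    @{ Id = 2; Name = 'Trusted Sites';  Level = 0x11500 },
    @{ Id = 1; Name = 'Local Intranet'; Level = 0x10500 }
)

function Get-ZoneLevelReport {
    foreach ($zone in $recommended) {
        $path  = "$zonesKey\$($zone.Id)"
        $props = Get-ItemProperty -Path $path -Name CurrentLevel -ErrorAction SilentlyContinue
        if ($null -eq $props) {
            $current = 'Not set'; $status = 'CHECK: no CurrentLevel value found'
        } else {
            $level   = [int]$props.CurrentLevel
            $current = $levelNames[$level]
            if ($null -eq $current) { $current = ('0x{0:X}' -f $level) }
            if ($level -eq 0) {
                # Custom level: the slider says nothing, review the individual settings
                $status = 'CHECK: custom settings in use'
            } elseif ($level -lt $zone.Level) {
                $status = 'WEAKER than recommended'
            } else {
                $status = 'OK'
            }
        }
        New-Object PSObject -Property @{
            Zone = $zone.Name; Current = $current
            Recommended = $levelNames[$zone.Level]; Status = $status
        }
    }
}

Get-ZoneLevelReport | Format-Table Zone, Current, Recommended, Status -AutoSize
```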


How to add a website to Trusted Sites

All sites start out in the Internet Zone. To add a site to Trusted Sites, go to:

  1. IE7 > Tools > Internet Options > Security > Trusted sites (click the green checkmark image) > Sites (button)
  2. Clear (uncheck) the "Require server verification for all sites in this zone" box.

     This box appears to have been an afterthought, and when it is checked, it makes the Trusted Sites concept virtually useless. It only allows sites to be Trusted if they a) use secure "https" encryption on their web pages to prevent eavesdropping, and b) present an authorized certificate that guarantees their identity. The result is that only online banks and big commercial sites can ever qualify to be Trusted. https is too high a standard to expect all Trusted Sites to meet.

     From the standpoint of personal information protection, https is important, and you should make sure it is used on any site where you enter credit card numbers or other critical personal information. It protects you from data interception and from fraudulent websites pretending to be other websites (phishing).

     However, that has nothing to do with what the Security Zones were supposed to be for: keeping malware off your computer. From that standpoint, the more appropriate standard for trust is: "If I lower my security for this website, do I trust it not to install malware?"

  3. If you're currently viewing the site you want to add, IE7 automatically puts the URL (web address) in the "Add this website to the zone:" box. (If the address isn't in the box, it means this site is already Trusted.)

     If you're not viewing the site at the time you want to add it, manually type or copy-and-paste its URL into the "Add this website..." box. The URL looks like: http://www.websitename.com.

  4. When the site's address is in the box, click Add, then Close, then OK.
  5. (If you get an error message when trying to add the site, check to see if it is already in Trusted, or maybe in Restricted. A site can only be in one zone.)
  6. At the bottom right of the IE7 screen, you'll see the zone has changed from Internet to Trusted Sites.
  7. Refresh/Reload the page (F5) to turn on the newly-allowed features.
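
Because Trusted Sites run with lower security, it is worth reviewing the list from time to time. The following added PowerShell example (not part of the original article) reports whether the "Require server verification" box is checked and lists every site mapped to the Trusted Sites zone, with the scheme it was added under. It assumes the per-user registry locations shown in the code, covers domain entries only (not IP ranges), and uses hypothetical function names.

```powershell
# Added example: review what has been placed in Trusted Sites (zone 2).
# Assumes per-user settings under HKCU and PowerShell 2.0+; function names
# are hypothetical. Only ZoneMap\Domains is read, not ZoneMap\Ranges.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$TRUSTED = 2
$ZAFLAGS_REQUIRE_VERIFICATION = 0x4   # "Require server verification (https:)" bit

function Test-TrustedRequiresHttps {
    # The checkbox state is one bit in the zone's Flags value
    $props = Get-ItemProperty -Path "$inet\Zones\$TRUSTED" -Name Flags -ErrorAction SilentlyContinue
    $flags = 0
    if ($null -ne $props) { $flags = [int]$props.Flags }
    return (($flags -band $ZAFLAGS_REQUIRE_VERIFICATION) -ne 0)
}

function Get-TrustedSite {
    $root = "$inet\ZoneMap\Domains"
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key = $_
        # Key path below Domains is "example.com" or "example.com\www"
        $rel    = $key.Name -replace '^.*\\ZoneMap\\Domains\\', ''
        $labels = $rel.Split('\')
        [array]::Reverse($labels)
        $hostName = $labels -join '.'
        # Each value name is a scheme (http, https, *); its data is the zone number
        foreach ($scheme in $key.GetValueNames()) {
            $zone = $key.GetValue($scheme)
            if ($zone -is [int] -and $zone -eq $TRUSTED) {
                New-Object PSObject -Property @{
                    Host = $hostName; Scheme = $scheme
                    HttpsOnly = ($scheme -eq 'https')
                }
            }
        }
    }
}

"Require server verification checked: $(Test-TrustedRequiresHttps)"
Get-TrustedSite | Sort-Object Host | Format-Table Host, Scheme, HttpsOnly -AutoSize
```

Any entry you no longer recognise or use can be removed from the same Sites dialog, which returns it to the Internet Zone.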


For those who want more detail

Why does a browser need security settings?

Web pages are plain text files which, by themselves, cannot harm your computer. So are emails. However, some of the text in them can be instructions to your browser or email viewer that tell it to do the following things:

  1. Launch a programming language such as JavaScript or VBScript and submit some text to it so it executes (runs) as a computer program.
  2. Fetch additional non-text content such as an image and place it on the page.
  3. Fetch non-text content such as a movie, Flash, audio, PDF, Word document, or Excel spreadsheet, and feed it to an application (a plug-in, browser helper object, program on your local computer, or the Java Runtime Environment) which will then display it on the web page, play it, or render it in whatever media format is appropriate for it.

Each of these types of objects does have the potential to harm your computer under some circumstances.

  1. A JavaScript or VBScript program can be designed to do malicious things to your computer. Although its text can't harm your computer by itself, it CAN when it's fed into your browser's scripting engine and executed as a program.
  2. Images are occasionally crafted to be malicious.
  3. A Flash movie, or any of the other non-text files listed above, and others, can be designed to do malicious things to your computer. So although the plain text code containing the instructions to load them can't do any damage, the files themselves CAN, when they are loaded into the plug-in programs and displayed, played, or otherwise rendered.

The key to making your browsing safer is to restrict what types of these "secondary" objects are allowed to be fetched, restrict JavaScript and VBScript from executing, and restrict what types of applications (plug-ins, browser helper objects, or programs on the local computer) are permitted to be activated as the result of instructions on a web page or in an email.

You can be very secure if you ALWAYS disable ALL of these secondary objects and disallow ALL plug-ins, so that your browser only displays the text on the web page and absolutely nothing else, but you might find these restrictions unacceptably limiting, and some of your favorite web pages might not work properly.


How Internet Explorer Security Zones work

Shouldn't there be a way to differentiate between places whose content you believe is probably safe and other places where you suspect it might not be? That's what Internet Explorer's Security Zones are for.

Different sources deserve different levels of trust. A well known website you've visited many times without problems deserves more trust than a site you've never seen before and know nothing about.

By assigning sites to different zones, you can manage the amount of risk you face. When visiting new unfamiliar sites, your defenses are high, but if a trustworthy site requires additional features, you can put it in the Trusted Sites zone to enable them.

Here are the 4 Security Zones:

Local Intranet

Your local computer and the local area network it's connected to, if any. You and your family or coworkers probably have not created malicious files to damage your own computer system, so this zone has a low level of security. Web pages and files in this zone normally run with few restrictions or warning prompts.

Trusted Sites

Websites you're confident will not try to damage your computer with malicious files. A site only gets into the Trusted Sites zone if you put it there manually. You can base your decision on your experience or the website's reputation. The "trust" implied here only concerns whether you think a site might try to harm your computer. You might or might not like or trust a company in various different ways, for example, but any site can go in Trusted Sites as long as you're confident that its site isn't designed to be malicious and is competently enough maintained that it's not likely to get hacked and become malicious. The Trusted Sites zone has a medium level of security, higher than your local computer but low enough to allow various types of enhanced content to run or be displayed.

Restricted Sites

Websites you think WILL try to damage your computer with malicious files. Why this is a Zone, I don't know. Why would you go there? Putting a site in this zone (which you do manually) doesn't prevent you from going there. It would be more useful if it did, preventing you from accidentally returning to a site you discovered was bad. The Restricted Sites zone has a high level of security.

Internet

All other websites: ones you've never visited before and ones that fully function without your having to put them in Trusted Sites. By default, IE7 sets Internet Zone security lower than Restricted Zone. This makes no sense. You must go to an unfamiliar site, such as the hundreds of unfamiliar ones listed in search engine result pages, with your security set to the highest possible level. Otherwise, when do you move a site to the Restricted Zone? After you've gone there and it's already damaged your computer? No! Thus, the Internet Zone must be the one with the highest security level, and the Restricted Zone is basically useless.

Achieving Higher than High security

 

For advanced users who want maximum security or enjoy tweaking settings, High is not the highest you can go. You can achieve "higher than high" security in the Restricted and Internet zones. In the Restricted Zone, absolutely everything possible should be disabled "on general principles" (even though you'll probably never use the zone, anyway). In the Internet Zone, two settings can be slightly lower than maximum because they are not that important and can be quite inconvenient, but Internet Zone security must still be very high for the reason given above: it includes all sites you've never visited before, and any one of them could be malicious.

A large text table of all the recommended settings for all the security zones is farther down this page.

The thumbnail at left goes to a composite screenshot of the recommended security settings for the Internet Zone only, as they appear in the Internet Options dialog box. (143 KB. After it loads, click the image to enlarge it.)

More security: disable risky plug-ins

Disable plug-ins from this location:

  • IE7 > Tools > Manage Add-ons > Enable or Disable Add-ons > Add-ons that have been used by Internet Explorer

Locate and select the plug-in, and then click Disable.

Disable Shockwave Flash

New security vulnerabilities keep surfacing in the Adobe Flash Player. In addition, Flash provides scripting capabilities that allow a Flash file to be maliciously designed. A user has no ability to disable these scripts. The only solution is to disable Flash. It's all or nothing. Disable Flash by disabling these Add-ons:

  • Shockwave Flash Object
  • Shockwave ActiveX Control

Where Flash is required and you believe it's safe, re-enable the Flash Object. So far, I have never needed to enable the ActiveX.

You can set a few Flash security and privacy settings at the Adobe/Macromedia Flash Player Settings Manager. On that page, you specify the settings you want, and the web page configures those settings in the Flash Player installation on your computer. I was recently unable to make the Settings Manager work. The solution was to use Adobe's Flash uninstaller to completely uninstall the Flash Player, then use Control Panel > Add/Remove Programs to uninstall the Shockwave Player, and then reinstall only Flash from scratch.

Disable Adobe Reader plug-in

Adobe Reader is another plug-in that has had its security woes. I keep both of the following plug-ins disabled all the time. When opening a .pdf in IE7, I get a warning popup that says, "One or more Adobe PDF extensions are disabled. This may impact how PDF's are displayed in Internet Explorer." In spite of that warning, the files display perfectly normally:

  • Adobe PDF Reader
  • Adobe PDF Reader Link Helper

Disable other plug-ins: Java, QuickTime...

Browsing through the list, you might find other plug-ins that you seldom use. If you don't use them, you probably don't keep them up to date, and out of date versions are often a security hazard. It is easy to re-enable a plug-in when you find you need it:

  • Java (one or more items labeled "Java Plug-in")
  • QuickTime ("QuickTime Object")
  • Windows Messenger ("Windows Messenger")

Filter or block dangerous websites

Internet Explorer never actually blocks a web page from being fetched, even if you "block" it with Content Advisor. What it does is download the page to your Temporary Internet Files folder and then refuse to display it.

To really block pages from being downloaded, you can use an internet security suite such as the one from Trend Micro. When you block a site with its Web Site Access Controls filter, it prevents your browser from sending requests to disallowed sites.


Notes

1) IE7 does not warn about viruses

Off-topic update 7-27-2008

Some people have been ending up on this page while searching for information about IE7 blocking them from accessing every website they attempt to visit, and showing a popup box that says: "Internet Explorer Warning - visiting this web site may harm your computer"

This is NOT a legitimate message from Internet Explorer. It is a malware popup. If you see this warning, something is trying to infect your computer or has already done it. If the popup tries to make you visit a website to purchase an "antivirus" scanner, do not go there. The scanner program is a fake that installs malware instead.

Try doing a web search on rogue antivirus. (That's what these things are being called.) That will give you useful information and maybe screenshots to help you identify which one you are being attacked by.

Internet Explorer by itself does not warn you about viruses or malware web pages, except for its Phishing Filter which only warns about phishing sites. Any virus warning that says it is from Internet Explorer is a fake.

These places do warn you about viruses:

  • Your antivirus program, but only if you ARE using an antivirus program!
  • Google and Yahoo show warning messages about harmful sites in their search results. The Google warning even says, "This site may harm your computer", but it is plain text on the page. It is NOT a popup in your browser.
  • Firefox 3 compares the sites you visit against the Google "Safe Browsing" database and blocks access to malicious pages, but it does NOT pop up messages trying to make you buy the phony XP Antivirus program.

The Internet Explorer 8 SmartScreen Filter does warn about phishing sites and other websites that Microsoft has determined are unsafe. The IE8 warning message is "This website has been reported as unsafe".