Internet Explorer 5 Security

Internet Explorer 5 allows you to control security in several ways: through site certificates, Authenticode publishers, and security zones. You can preinstall certificates on users' computers and block users from downloading other certificates. You can also set ratings for the content your users view.

Corporate administrators can specify security settings and ratings in Stage 4 and Stage 5 of the Internet Explorer Customization wizard.

About security zones

The Internet Explorer 5 security options enable you to assign specific Web sites to various zones, depending on how much you trust the content of the Web site.

When you install Internet Explorer 5, the following security zones are set up:

• An Internet zone that by default contains all Internet sites
• A Local Intranet zone for computers connected to a local network
• A Trusted Sites zone, to which you can assign sites you trust
• A Restricted Sites zone, to which you can assign sites you don't trust
• A My Computer zone, which contains the files on the local computer

Note

• You can configure the My Computer zone only from the IEAK; these settings are not available in the browser interface. It is recommended that you generally use the default settings for this zone unless your organization has a specific requirement. Lower security settings could result in security risk, whereas higher security settings could impair functionality.

The following four default settings can be applied to these zones: High, Medium, Medium-low, and Low. In addition, you can set custom security levels for each zone.

You can view all the security settings by clicking the Internet icon in Control Panel, and then clicking the Security tab. For specific information about these options and how they interact, see Internet Explorer Security Options.

Remember, security on the Internet is as good as your settings. Internet Explorer 5 provides you with the information you need to make good security decisions and with flexible tools to implement those decisions.

You can preset security options when you run the Customization wizard, and you can determine whether or not users can change these settings. If you do not preset the security options, then you may want to recommend the optimum security level for your users, based on your organization's needs and your users' level of expertise.

Note

• If the language of the package of the Internet Explorer browser you are building differs from your browser on your computer, and you import your security zones, some unrecognizable characters may appear in the security zones interface of the browsers that you build.

Setting up the Internet zone

The Internet zone consists of all sites not included in any of the other zones. By default, the Internet zone is set to the Medium security level. If you are concerned about possible security problems browsing the Internet, you might want to change the setting to High. If you raise the security setting, some Web pages will not be allowed to perform certain potentially hazardous operations, although this may prevent some useful functionality from working and some pages may appear not to be working properly.

You can choose custom settings so that you can control each individual security decision for the zone. To do this, click the Internet icon in Control Panel, click the Security tab, and then click Custom Level.

Adding sites to the Trusted Sites and Restricted Sites zones

There are two zones available to which you can assign specific Web sites that you trust more or less than those in the Internet zone or the Local Intranet zone. To add sites to these zones, first choose the zone, and then click Sites.

The Trusted Sites zone is assigned a Low security setting by default. It is intended for highly trusted sites, such as companies that you frequently do business with, sometimes known as an "extranet." If you assign a site to the Trusted Sites zone, the site will be allowed to perform more powerful operations. Also, Internet Explorer will ask you to make fewer security decisions. Add a site to this zone only if you trust all of its content never to do anything harmful to your computer. For the Trusted Sites zone, we strongly recommend that you use the HTTPS: protocol or otherwise ensure that connections to the site are secure.

The Restricted Sites zone is assigned a High security setting by default. If you assign a site to the Restricted Sites zone, the site will be allowed to perform only minimal, very safe operations. This zone is for the rare case of a site you don't trust. To ensure a high level of security for content that isn't trusted, many pages in this zone will not function properly.

Setting up the Local Intranet zone (for network administrators)

To be secure, it is imperative that the Local Intranet zone be set up in conjunction with the proxy server and firewall. All sites in the zone should be "inside the firewall," and proxy servers should be configured so that they do not allow an external DNS name to be resolved to this zone. Configuring the client zone security requires a detailed knowledge of the existing network configuration, proxy servers, and secure firewalls. If you don't know this information, contact your network administrator.

By default, the Local Intranet zone consists of local domain names and those set in proxy override on the Connections tab. You can configure these settings on the Connection Settings screen of the Internet Explorer Customization wizard. Note that multiple connection settings can now be configured for each user. The network administrator should confirm that these settings are indeed secure for the installation or adjust the settings to be secure.

When setting up the zone, you can specify which categories of URLs should be considered. You can also add specific sites to the zone.

To specify categories of URLs to include in the zone from the browser

1. On the Tools menu in Internet Explorer, click Internet Options, and then click the Security tab.
2. Click the Local Intranet zone, and then click Sites.
3. Select the following check boxes that apply:

   Include all local (intranet) sites not listed in other zones
   Include all sites that bypass the proxy server
   Include all network paths (UNCs)

Notes

• To add a specific site to this zone, click Advanced, type the URL, and then click Add. To require that server verification be used, select the Require server verification (https:) for all sites in this zone check box.
• To specify categories of URLs for your IEAK packages, click Customize Security Zones settings on the Security Settings screen of the Customization wizard, and then click Modify Settings.

The following rules apply to the Local Intranet zone options. Note that adding a site to any zone takes precedence over the following rules:

• Include all local (intranet) sites not listed in other zones: Intranet sites have names that do not include dots (for example, http://local). A site name such as http://www.microsoft.com is not local because it contains dots. This site would be assigned to the Internet zone. The intranet site name rule applies to file: as well as http: URLs.
• Include all sites that bypass the proxy server: Typical intranet configurations use a proxy server to access the Internet with a direct connection to intranet servers. This setting uses this kind of configuration information to distinguish intranet from Internet content for purposes of zones. If the proxy server is otherwise configured, you should clear this option and use other options to designate files that are assigned to the Local Intranet zone. In systems that do not have a proxy server, this setting has no effect.
• Include all network paths (UNCs): Network paths (for example, \\local\file.txt) are typically used for local network content that should be included in the Local Intranet zone. If there are network paths that should not be in the Local Intranet zone, you should clear this option and use other options to designate files that are assigned to the Local Intranet zone. For example, in certain Common Internet File System (CIFS) configurations, it is possible for a network path to reference Internet content.

After the Local Intranet zone is confirmed secure, consider changing the zone's security level to Medium-Low or Low to enable a wider range of powerful operations to be performed. It is also possible to adjust individual security settings in the Custom Settings dialog box.

If there are parts of your intranet that are less secure or otherwise not trustworthy, they can be excluded from this zone by assigning them to the Restricted Sites zone.

The Local Intranet zone is intended to be configured via the IEAK, although you can also use the options on the Security tab in the Internet Properties dialog box.

Working with domain name suffixes

If you want to be able to reference a Web server by using a shorter version of its address that doesn't include the domain, you can use a domain name suffix. For example, a Web server named sample.microsoft.com can be referenced as sample; the same content can also be accessed by entering http://sample.microsoft.com or http://sample.

To set this up, you must add the domain suffix to the TCP/IP properties domain suffix search order by carrying out the following steps:

1. Right-click the Network Neighborhood icon, and then click Properties.
2. Click TCP/IP, and then click Properties.
3. Click the DNS Configuration tab, and then in the Domain Suffix Search Order area, add the information you want.

It's important to set up security zones correctly for this configuration. By default, the URL without dots (http://sample) is considered to be in the Local Intranet zone, while the URL with dots (http://sample.microsoft.com) is considered to be in the Internet zone. Therefore, when you use such a configuration and there is no proxy server bypass to clearly assign the content to the proper zone, you need to change the zone settings.

Depending on whether the content accessed by the domain suffix is to be considered as intranet or Internet content, you need to assign the ambiguous site URLs to the appropriate zones. To assign URLs such as http://sample to the Internet zone, clear the Include all local (intranet) sites not listed in other zones check box for the Local Intranet zone, and include the site in the site list for the zone.

Other notes about security that apply to all zones

Web content can be addressed either via Domain Name System (DNS) name or by Internet Protocol (IP) address. For sites that use both, it is important to configure both references to the same zone. In the common cases, the Local Intranet sites are identifiable by either local name or by IP addresses in the proxy bypass list; all other names and IP addresses would be mapped to the Internet zone. However, if a site name is entered into the Trusted Sites or Restricted Sites zone list but its IP address range isn't, then the site may be treated as part of the Internet zone if it is accessed by the IP address.

It is important to understand that a user could copy content from one zone to another, potentially increasing or decreasing the level of security intended for the content.

If you are using automatic configuration, and you are supporting both Internet Explorer 5 and Internet Explorer 4.0 with the same automatic configuration file, some security settings that differ between the versions will not be configured on Internet Explorer 4.0.