Internet Explorer 4.0 Security

Internet Explorer 4.0 allows you to control security in several ways: through site certificates, Authenticode publishers, and security zones. You can preinstall certificates on users' computers and block users from downloading other certificates. You can also set ratings for the content your users view.

Corporate administrators can specify security settings and ratings in Stage 4 and Stage 5 of the IEAK wizard.

About security zones

The new Internet Explorer 4.0 security options enable you to assign specific Web sites to various zones, depending on how much you trust the content of the Web site.

When you install Internet Explorer 4.0, the following security zones are set up:

The contents of the local system are deemed to be in a My Computer zone, which is trusted (you cannot change membership or settings).

Internet Explorer 4.0 does not try to maintain any existing Internet Explorer 3.0 settings, because the security settings work differently in Internet Explorer 4.0. In addition to the new security zones, the meanings of the High, Medium, and Low security settings have changed. After you install Internet Explorer 4.0, you should review the default security settings and adjust them to your needs.

You can view and change all the security settings by clicking the Internet icon in Control Panel, and then clicking the Security tab. For specific information about these options and how they interact, see Internet Explorer Security Options.

Remember, security on the Internet is as good as your settings. Internet Explorer 4.0 provides you with the information you need to make good security decisions and flexible tools to implement those decisions.

Setting up the Internet zone

The Internet zone consists of all sites not included in any of the other zones. By default, the Internet zone is set to the Medium security level. If you are concerned about possible security problems when browsing the Internet, you might want to change the setting to High. If you raise the security setting, some Web pages will not be allowed to perform certain potentially hazardous operations. This may also prevent some useful functionality from working, and some pages may appear not to work properly.

If you are an expert user, you might want to choose custom settings so that you can control each individual security decision for the zone. To do this, click the Internet icon in Control Panel. On the Security tab, click Custom, and then click Settings.

Adding sites to the Trusted and Restricted zones

There are two zones available to which you can assign specific Web sites that you trust more or less than those in the Internet zone or the Local Intranet zone. To add sites to these zones, first choose the zone, and then click Add Sites.

The Trusted Sites zone is assigned a Low security setting by default. It is intended for highly trusted sites—such as companies that you frequently do business with—sometimes known as an "extranet." If you assign a site to the Trusted Sites zone, the site will be allowed to perform more powerful operations. Also, Internet Explorer will ask you to make fewer security decisions. Add a site to this zone only if you trust all of its content never to do anything harmful to your computer. For the Trusted Sites zone, we strongly recommend that you use the HTTPS: protocol or otherwise ensure that connections to the site are secure.

The Restricted Sites zone is assigned a High security setting by default. If you assign a site to the Restricted Sites zone, the site will be allowed to perform only minimal, very safe operations. This zone is for the rare case of a site you don't trust. To ensure a high level of security for content that isn't trusted, many pages in this zone will not function properly.

Setting up the Local Intranet zone (for network administrators)

To be secure, it is imperative that the Local Intranet zone be set up in conjunction with the proxy server and firewall. All sites in the zone should be "inside the firewall," and proxy servers should be configured so that they do not allow an external DNS name to be resolved to this zone. Configuring the client zone security requires a detailed knowledge of the existing network configuration, proxy servers, and secure firewalls. If you don't know this information, contact your network administrator.

By default, the Local Intranet zone consists of local domain names and those set in proxy override on the Connections tab. The network administrator should confirm that these settings are indeed secure for the installation, or adjust the settings to be secure.

When setting up the zone, you can specify which categories of URLs should be considered. You can also add specific sites to the zone.

To specify categories of URLs to include in the zone

  1. On the View menu, click Internet Options, and then click the Security tab.
  2. In the Zone list, select the zone you want to set the security level for.
  3. Click Add Sites, and then select the following check boxes that apply:

       Include all local (intranet) sites not listed in other areas
       Include all sites that bypass the proxy server
       Include all network paths (UNCs)

Note
To add a specific site to this zone, click Advanced, type the URL, and then click Add. To require that server verification be used, select the Require server verification (https:) for all sites in this zone check box.

The following rules apply to the Local Intranet zone options. Note that adding a site to any zone takes precedence over the following rules:

After the Local Intranet zone is confirmed secure, consider changing the zone's security level to Low to enable a wider range of powerful operations to be performed. It is also possible to adjust individual security settings in the Custom Settings dialog box.

If there are parts of your intranet that are less secure or otherwise not trustworthy, they can be excluded from this zone by assigning them to the Restricted Sites zone.

The Local Intranet zone is intended to be configured via the IEAK, although the options on the Security tab in the Internet Properties dialog box can also be used.

Working with domain name suffixes

If you want to be able to reference a Web server by using a shorter version of its address that doesn't include the domain, you can use a domain name suffix. For example, a Web server named sample.microsoft.com can be referenced as sample; the same content can also be accessed by entering http://sample.microsoft.com or http://sample.

To set this up, you must add the domain suffix to the TCP/IP properties domain suffix search order by carrying out the following steps:

  1. Right-click the Network Neighborhood icon, and then click Properties.
  2. Click TCP/IP, and then click Properties.
  3. Click the DNS Configuration tab, and then in the Domain Suffix Search Order area, add the information you want.

It's important to set up security zones correctly for this configuration. By default, the URL without dots (http://sample) is considered to be in the Local Intranet zone, while the URL with dots (http://sample.microsoft.com) is considered to be in the Internet zone. Therefore, when you use such a configuration, and there is no proxy server bypass to clearly assign the content to the proper zone, you need to change the zone settings.

Depending on whether the content accessed by the domain suffix is to be considered as intranet or Internet content, you need to assign the ambiguous site URLs to the appropriate zones. To assign URLs such as http://sample to the Internet zone, clear the Include all local (intranet) sites not listed in other zones check box for the Local Intranet zone, and include the site in the site list for the zone.

Other notes about security that apply to all zones

Web content can be addressed either by Domain Name System (DNS) name or by Internet Protocol (IP) address. For sites that use both, it is important to configure both references to the same zone. In the common case, Local Intranet sites are identifiable either by local name or by IP addresses in the proxy bypass list; all other names and IP addresses are mapped to the Internet zone. However, if a site name is entered into the Trusted or Restricted zone site list but its IP address range isn't, then the site may be treated as part of the Internet zone if it is accessed by the IP address.
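The dotless-versus-dotted and name-versus-IP cases described above can be checked against a site inventory. The following Python code is an added example, not Microsoft's code or Internet Explorer's actual zone logic: it models only the rules stated on this page, and the policy values, the example.com and corp.example host names, and the address 192.0.2.10 are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample policy; host names and the IP address are placeholders.
POLICY = {
    "site_lists": {  # explicit site-list entries take precedence over the rules
        "Restricted Sites": {"untrusted.example.com"},
        "Trusted Sites": {"partner.example.com"},
    },
    "proxy_bypass": {"payroll.corp.example"},
    "include_local": True,   # Include all local (intranet) sites ...
    "include_bypass": True,  # Include all sites that bypass the proxy server
    "include_unc": True,     # Include all network paths (UNCs)
}

def zone_for(url, policy=POLICY):
    """Zone this simplified model assigns to a URL or UNC path."""
    if url.startswith("\\\\"):
        return "Local Intranet" if policy["include_unc"] else "Internet"
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        raise ValueError(f"no host in {url!r}")
    for zone, hosts in policy["site_lists"].items():
        if host in hosts:
            return zone
    if policy["include_bypass"] and host in policy["proxy_bypass"]:
        return "Local Intranet"
    if policy["include_local"] and "." not in host:
        return "Local Intranet"
    return "Internet"

def mismatched_references(references, policy=POLICY):
    """Return sites whose address forms do not all land in the same zone."""
    report = {}
    for site, urls in references.items():
        zones = {u: zone_for(u, policy) for u in urls}
        if len(set(zones.values())) > 1:
            report[site] = zones
    return report

# Constructed inventory: every address form by which users reach each site.
REFERENCES = {
    "sample": ["http://sample", "http://sample.microsoft.com"],
    "untrusted": ["http://untrusted.example.com", "http://192.0.2.10"],
    "partner": ["https://partner.example.com"],
}

if __name__ == "__main__":
    for site, zones in mismatched_references(REFERENCES).items():
        print(site, zones)
```

Sites reported by mismatched_references are the ones that need an additional site-list entry or a changed check box so that every address form resolves to the intended zone.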

It is important to understand that a user could copy content from one zone to another, potentially increasing or decreasing the level of security intended for the content.