IE has very granular security settings that outpace any of its rivals. You can place Web sites in one of five IE security zones, and modify nearly 50 settings for each zone.
Security Zones
Internet Explorer has five different security zones:
- Internet
- Local intranet
- Trusted sites
- Restricted sites
- Local computer
Internet security zones allow users to granularly define specific permissions for different Internet or intranet resources. Internet Explorer allows users (or administrators) to define ahead of time particular security permissions and privileges for various Web sites.
Local Computer Zone
The first four zones are readily accessible in IE (see Figure 1) by choosing the Tools menu option, then Internet Options, and then clicking on the Security tab. The fifth, the Local Computer zone, is not listed there, is not easily end-user definable, and represents content residing on the local computer. Also known as the My Computer zone, it is now guarded by Windows, which warns the user if content in the Local Computer zone wants to execute in IE. In earlier versions of IE, content from the Local Computer zone ran in the security context of the active user, but in IE 6 on XP SP2 and later versions, it is locked down with additional restrictions to prevent malware execution.
The Local Computer zone lock down establishes the following default behaviors:
- ActiveX controls may not run.
- Java applets may not run.
- Users may be prompted before they can run a script.
- Users may be prompted before they can open a data source belonging to a different domain than the original server.
The Local Computer zone cannot be manipulated in IE by the end user, but it can be configured using registry edits and programmatically. The zones can be manipulated in the registry at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones. Each zone is represented by a number from 0 to 4, going from least to most restrictive: 0 is the My Computer zone, 1 is the Local intranet zone, 2 is the Trusted Sites zone, 3 is the Internet zone, and 4 is the Restricted sites zone. If you are interested in manipulating zones using the registry, read Microsoft KB article #182569 (http://www.support.microsoft.com/?id=182569). Editing zones via the registry allows a higher level of granularity than you can obtain through IE (such as defining acceptable TCP/IP port numbers and protocols for each zone), but for most users IE zone settings are best configured in IE.
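The following PowerShell script is an added example and is not code from the book or from Microsoft. It reads the per-zone settings stored under the Zones key named above and reports them in a form that can be compared against the recommendations in this chapter. The zone numbers follow the 0 to 4 mapping given in the text; the action value IDs (1001, 1004, 1200, 1201, 1400, 1405, 1406, 1803, 2000) and the 0 = Enable, 1 = Prompt, 3 = Disable encoding are the ones documented in KB 182569, restated here from memory rather than taken from the page, so verify them against that article before relying on the report. The note that per-user values live under the same path beneath HKCU is likewise an assumption of the example.

```powershell
# Added example (not from the book): audit the per-zone action values that IE
# stores under the Zones registry key named in the text. Zone numbers follow
# the 0-4 mapping given there; action IDs and the 0/1/3 encoding are restated
# from KB 182569 (assumed; verify against that article).
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

# Subset of the per-zone REG_DWORD action values (IDs as in KB 182569, assumed).
$Actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1406' = 'Access data sources across domains'
    '1803' = 'File download'
    '2000' = 'Binary and script behaviors'
}

# Decode the DWORD stored for an action: 0 = Enable, 1 = Prompt, 3 = Disable.
function ConvertFrom-ZoneActionValue {
    param($Value)
    if ($null -eq $Value) { return '(not set)' }
    switch ([int]$Value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown ($Value)" }
    }
}

# One object per zone/action pair. The default path is the machine-wide key
# from the text; per-user values live under the same path beneath HKCU
# (assumption), so pass -ZonesRoot 'HKCU:\...' to audit the current user.
function Get-IEZoneSettings {
    param(
        [string]$ZonesRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )
    foreach ($zone in 0..4) {
        $key = Join-Path $ZonesRoot $zone
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($id in ($Actions.Keys | Sort-Object)) {
            $prop = $props.PSObject.Properties[$id]
            [pscustomobject]@{
                Zone     = $ZoneNames[$zone]
                ZoneId   = $zone
                ActionId = $id
                Setting  = $Actions[$id]
                Value    = ConvertFrom-ZoneActionValue $(if ($prop) { $prop.Value } else { $null })
            }
        }
    }
}

# Flag Internet-zone (3) values that are more permissive than this chapter
# recommends: unsigned ActiveX downloads, controls not marked safe for
# scripting, and binary behaviors should all be Disable in the Internet zone.
function Find-PermissiveInternetZoneSettings {
    param(
        [string]$ZonesRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )
    $expectDisabled = '1004', '1201', '2000'
    Get-IEZoneSettings -ZonesRoot $ZonesRoot |
        Where-Object { $_.ZoneId -eq 3 -and $expectDisabled -contains $_.ActionId -and $_.Value -ne 'Disable' }
}

# Usage (read-only; nothing in the registry is changed):
Get-IEZoneSettings | Format-Table Zone, Setting, Value -AutoSize
Find-PermissiveInternetZoneSettings | Format-Table Setting, Value -AutoSize
```

The script only reads the registry. Reading HKLM needs no elevation, and an action that has never been written to a zone key shows up as "(not set)", which means the built-in default applies rather than a value you can see in the registry.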
Internet Site Zone
The Internet zone is the default zone for all content not previously defined as residing in one of the other zones. Most of the time when you are surfing on the Internet using IE, the content being downloaded will reside in the Internet zone. The permissions and privileges in the Internet zone are moderately restricted (with a default of Medium-High security) as compared to the other zones. The security level is appropriate for most Internet sites, but is too lax when unpatched vulnerabilities are encountered or overall risk is high.
The Internet zone allows all scripts, signed ActiveX controls and Add-ons to run, although unsigned controls and plug-ins are disabled by default. Many Internet attacks can be stymied if scripting and ActiveX controls are disabled, but doing so will cause problems with many legitimate Web sites. If a widespread vulnerability is present, users can benefit greatly by customizing the security (covered next) to disable scripting and other non-HTML content. Most users could benefit by customizing the Internet security zone to an acceptable level of usability and security.
Local Intranet Zone
The Local intranet zone is a zone with elevated default privileges. The default security level is Medium-low. The intent is that users (or administrators) place internal trusted Web sites in the Local intranet zone, and any sites in this zone will have elevated privileges. By default, all Web sites residing on the local LAN (and other defined private IP subnets) will be placed in the Local intranet zone without the user having to specifically add the Web site. External Web sites can be added as well (see Figure 2), although users should remember that sites in this zone have elevated privileges.
As Figure 2 shows, along with the default selections, there are several options under the Local intranet zone. The first is "Include all local (intranet) sites not listed in other zones." This means that any server sites on the local network not listed in the Trusted Sites or Restricted sites zone will automatically be included here. If you disable this option, sites on the local network will not automatically be included in the Local intranet zone.
The "Include all sites that bypass the proxy server" option assumes that IE uses a non-transparent proxy to access non-local sites. By enabling the option, IE will add any sites to the Local intranet zone that are excluded from having to be filtered through the proxy server. The thinking is that only trusted sites would be excluded from being handled by the proxy server, and because they are trusted, they should be included by default in the Local intranet zone.
The "Include all network paths (UNCs)" option instructs Windows to include any NetBIOS shares in the Local intranet zone. This setting means that any security choices made on the Local intranet zone might impact regular Windows drive mappings. The Advanced button allows sites to be added manually. By default, the sites added to this location must be protected by using the HTTPS protocol to ensure site location authenticity, but this option is often deselected.
Note: The Local intranet zone is disabled by default for non-domain computers.
Trusted Sites Zone
Sites placed in the Trusted Sites zone have minimal restrictions and a Medium security level, but are not protected by Vista's Protected Mode. Most actions and content will be allowed to execute without user intervention. Even the highest risk actions only require the user to acknowledge before they proceed. Unlike the Local intranet zone, the Trusted Sites zone does not include Web sites by default. New sites can be required to be protected by HTTPS, the default, or just unsecured HTTP.
Note: The Trusted Sites zone's default security level in IE 6 was Low.
Restricted Sites Zone
The Restricted sites zone, as its name implies, restricts most non-HTML content and activity by default. The security level is High. The only activity allowed without user intervention is pop-up ad blocking and font downloading. By default, no sites are within this zone. The Restricted sites zone has no HTTPS requirement option.
Most users won't have any entries here because if the Web site is high risk, they should not go there. With that said, if a user plans on visiting a high-risk Web site, they should put the Web site's domain name here, although don't expect IE's High security level setting to prevent all attacks. Malicious Web sites often have unknown "zero-day" attacks or use social engineering methods to trick the user into executing malicious code.
You can also create your own IE security zones programmatically or using registry edits; however, these zones are not easy to configure and cannot be accessed using the IE GUI. For more information, see http://www.blogs.msdn.com/ie/archive/2005/01/26/361228.aspx. I hope that Microsoft eventually makes it easy to create and configure an unlimited number of new zones. Why they have not done this already is a mystery. Next, this chapter will cover in detail each IE security setting and its default in each of the default zones.
Zone Security Settings
IE 7 has over 45 separate security settings that can be customized for each IE security zone. Each one is summarized here along with general recommendations. Recommendations differing from Microsoft's default settings will be noted where applicable.
.NET Framework-Loose XAML
XAML files are markup files that use Extensible Application Markup Language (XAML), which is the user interface markup language for .NET 3.0's Windows Presentation Foundation (WPF) platform. See http://www.en.wikipedia.org/wiki/XAML for more details. Loose XAML is a new .NET capability that allows a user to launch any XAML file on their hard disk (or a URL link on a web page) and run it within a browser without compilation. Loose XAML is a markup language and can only render existing content, making it a low security risk. It is enabled for all zones except for Restricted sites.
.NET Framework-XAML Browser Applications
This security setting covers, for lack of a better description, non-loose XAML, which is compiled and must be run within the confines of a browser. As with Loose XAML, it is low risk, and enabled by default in all zones except for Restricted sites.
.NET Framework-XPS Documents
The XML Paper Specification (XPS) is Microsoft's newest document format. Royalty-free, XPS uses WPF to render a document on the screen the same as when it is printed. Many see XPS as a competitor to Adobe's PDF format. XPS doesn't appear to have the sophistication of PDF, and as such, probably isn't much of a security risk. Microsoft has enabled it in all security zones except for Restricted sites.
.NET Framework-Reliant Components-Run Components Not Signed with Authenticode
The .NET Framework is Microsoft's client-server programming environment (with some loose comparison to Java's virtual machine environment). .NET is the dominant form of programming across the Windows platform.
Code is signed to prove authorship. Authenticode is Microsoft's digital signing mechanism for authenticating code, scripts, and ActiveX controls. Any software publisher (vendor) can purchase an Authenticode digital certificate for code signing.
Running an unsigned component means that you cannot automatically authenticate who created and initially distributed the component (and therefore whether or not it should be trusted). Microsoft allows unsigned components to run automatically in all zones but the Restricted sites zone. I believe Microsoft was too lax on this setting. It should be set to Disabled in the Internet and Restricted sites zones.
Note: This option and the next may not be available unless you have also installed the .NET Framework client software.
.NET Framework-Reliant Components-Run Components Signed with Authenticode
Signed code is rarely a problem. Signed code can contain bugs and viruses (we hope that these would be unknown to the signer at the time the code was signed), but it is not common. If you trust the signed code to be non-malicious, you can accept it to run automatically. There have been instances where spyware and adware companies used signed code to distribute their largely unwanted software. Microsoft enables this in all zones but the Restricted sites zone. Because of the spyware and adware issues, we suggest this setting be set to Prompt in the Internet zone.
ActiveX Controls and Plug-Ins-Allow Previously Unused ActiveX Controls to Run Without Prompting
This setting instructs IE to allow previously installed ActiveX controls that have never been run before to execute without warning the user. Hackers often take advantage of rarely used, but installed controls. Microsoft has rightly disabled this setting in the Internet and Restricted sites zones.
ActiveX Controls and Plug-Ins-Allow Scriptlets
Scriptlets refers to Dynamic HTML (DHTML) scriptlets, which were deprecated in IE 5. In the past, there were a few malicious exploits that used DHTML scriptlets. For that reason, Microsoft has correctly disabled them in all security zones except the Local intranet zone.
ActiveX Controls and Plug-Ins-Automatic Prompting for ActiveX Controls
ActiveX controls can be virtually any content, executable, or script delivered over a network through IE. Java applets are even delivered as ActiveX controls, in most cases. Windows uses dozens to hundreds of ActiveX controls. Most aren't needed in IE, and one of the big changes in IE 7 is to not allow any ActiveX control to run in IE by default, except those expressly authorized by the user or admin. This is the opposite of the behavior in IE 6.x and earlier.
This particular setting determines whether or not the user will be prompted by a pop-up dialog box to install an ActiveX control or plug-in. If disabled, the Web site will attempt to download and execute the content, but IE will not prompt the user with a dialog box. Instead (if IE 6.x XP SP2 or higher is installed) the user will be warned on the yellow information bar about an ActiveX control needing to be installed. The information bar warning is less obvious than a pop-up dialog box in the middle of the browser window.
Microsoft enables this option in the Local intranet zone and disables it in the rest. How this setting is configured is up to the user, although I always like to be prompted in an obvious manner for any ActiveX controls that are trying to be installed. Otherwise, a Web site feature may fail and the cause of the failure might not be readily apparent.
ActiveX Controls and Plug-Ins-Binary and Script Behaviors
Binary behaviors (http://www.msdn.microsoft.com/workshop/browser/behaviors/howto/creating.asp) were introduced in IE 5.5 and allow binary programs to be linked to and control HTML content. A binary behavior is a compiled object that can interact directly with the underlying OS. Its code cannot be read or examined using normal view source commands. They can be used to do many malicious things from a web page.
Prior to Windows XP SP2 and Windows Server 2003 SP1 (where this setting first arrived), there was no way to prevent a binary behavior in any IE security zone, including sites residing in the Restricted sites zone. Now, by default, binary behaviors are disabled in the Restricted sites zone, but allowed in the rest. We believe that binary behaviors are too powerful to be allowed from any Internet site. Accordingly, this option should be set to Disabled (or Administrator approved) for all zones, unless needed.
ActiveX Controls and Plug-Ins-Display Video and Animation on a Web Page That Does Not Use External Media Player
If enabled, this setting could allow an untrusted media player to execute active content within a Web site. Microsoft has correctly disabled this setting for all security zones.
ActiveX Controls and Plug-Ins-Download Signed ActiveX Controls
Signed ActiveX controls usually present little risk unless signed by a spyware or adware vendor. IE prompts the user for approval in all zones except the Restricted sites zone. These defaults are acceptable.
ActiveX Controls and Plug-Ins-Download Unsigned ActiveX Controls
Unsigned ActiveX controls are highly risky and, generally, should be disabled, or set up to prompt if you plan to come in contact with needed unsigned controls. Microsoft correctly disables them in all zones.
ActiveX Controls and Plug-Ins-Initialize and Script ActiveX Controls Not Marked as Safe for Scripting
Once ActiveX controls or plug-ins (plug-ins are usually ActiveX controls) are downloaded (the decision covered by the two previous options), there is still the matter of whether to execute them. Vendors can mark their ActiveX controls as Safe for Initialization and Safe for Scripting. The first option determines whether the control can be initialized (i.e., started and executed). The second option is whether it can be directed by scripting, which means it could have different outcomes based upon the script. If both options are selected, then any web page can invoke them.
The idea is that if the vendor determines the control is safe (that is, can't be used in a harmful way), then why not let other web pages and programmers re-use the control? Unfortunately, there is no official guidance or testing tool that a vendor can run to find out if their "safe" control is really safe. In more than a dozen different exploits over the years, a control marked safe for scripting, was used to do something malicious.
In this particular option, IE is asking whether or not to allow web pages to initialize and script controls that are not marked safe. Considering that even controls marked safe for scripting are potentially dangerous, ones that were tested and not found to be safe by their vendors definitely should not be allowed to run. Microsoft disables them in all zones. The default settings are good.
ActiveX Controls and Plug-Ins-Run ActiveX Controls and Plug-Ins
This setting has a huge impact on IE. It determines whether IE can run ActiveX controls and plug-ins at all, regardless of their safety, and regardless of whether they are signed or unsigned. Disabling this feature defeats many, if not most, exploits that have attacked IE over the years. Unfortunately, it is such an all-or-nothing proposition that disabling it causes problems with many popular Web sites.
Microsoft enables this option by default in all zones but the Restricted sites zone, where it is disabled. This is an acceptable default. However, if you are worried about a widespread, malicious IE vulnerability that can be stopped by disabling this option, consider disabling it until a patch or other alternative defense can be applied.
Alternately, IE can be instructed to allow only administrator-approved controls to run. To use this option, you must use Group Policy, an administrative template, a security template, or the IE Administrator's Kit, and you must know the control's CLSID.
ActiveX Controls and Plug-Ins-Script ActiveX Controls Marked Safe for Scripting
This setting discusses whether controls previously marked "safe" can be scripted. This is one of the toughest calls because ActiveX controls that were thought to be safe for scripting have been involved in many vulnerabilities over the years, but disabling it causes problems with many legitimate Web sites. Microsoft enables it by default in all zones except the Restricted sites zone, where it is disabled. This is an acceptable default. However, if you are worried about a widespread, malicious IE vulnerability that can be stopped by disabling this option, consider disabling this option until a patch or other alternative defense can be applied.
Downloads-Automatic Prompting for File Downloads
This setting determines whether the user will be prompted by a pop-up dialog box for normal file downloads. In most cases, the answer should be yes. It is always nice to know when a Web site is trying to download content. If this option is disabled, and the next option is enabled, then the user will download and potentially execute files without a primary acknowledgement (although the user may be prompted to confirm a download location). That particular situation would be harder to defend. Microsoft disables this for all zones, except for the Local intranet. This option should be enabled on all zones.
Interestingly, when this setting is disabled, most file downloads still prompt the user before proceeding. Internet Explorer contains a hard-coded list of file types (by file extension) for which the warning dialog box cannot be disabled. They are:
- ASP
- BAS
- BAT
- CHM (IE5 only)
- CMD
- COM
- EXE
- LNK
- INF
- REG
- ISP
- PCD
- MST
- PIF
- SCR
- HLP
- HTA (IE5 only)
- JS
- JSE
- URL
- VBS
- VBE
- WS
- WSH
Downloads-File Download
Disabling this option prevents all file downloads. If the previous option is enabled, it is usually safe to enable this option. Microsoft enables this option in all zones but the Restricted sites zone, where it is disabled. The defaults are acceptable.
Downloads-Font Download
This option determines whether IE HTML fonts, normally needed for the correct presentation of a web page, can be downloaded automatically. It is enabled in all zones by default, except the Restricted sites zone where it is set to Prompt. The default settings are good.
Enable .Net Framework Setup
If enabled, this will prevent .NET Framework from being installed. It is enabled in all zones except Restricted sites.
Java VM-Java Permissions
This setting will not appear unless the Java Virtual Machine (JVM) component has been installed. Microsoft's default settings are acceptable.
Miscellaneous-Access Data Sources Across Domains
This setting determines whether a web page can retrieve data from another server located in a different domain. If set to Disabled, it will only allow data to be retrieved from the same server the originating web page is being served from, or from another server in the same domain. A few exploits have been accomplished when this setting is enabled. Most Web sites access data on servers in the same domain. If this feature is not needed, keep it disabled. Microsoft disables it in most zones, but sets it to Prompt in the Local intranet zone. The default settings are acceptable in most cases.
Miscellaneous-Allow META REFRESH
A Meta-Refresh is an HTML command that instructs a browser to refresh the current web page after a periodic interval. It can also be used to re-direct a user, without their permission, to another web page. It has been used maliciously many times, but as long as other critical vulnerabilities are patched, there is little risk. Legitimate use of Meta-refreshes is common. Microsoft enables this option in all zones, but the Restricted sites zone. The default option is normally okay.
Miscellaneous-Allow Scripting of Internet Explorer Web Browser Control
This is a new option in IE 6.x XP SP2, although the control is not. The Web browser control is a stand-alone ActiveX control that can be used by programmers to add a mini-HTML browser to their application. After a few vulnerabilities were found while this option was enabled by default, Microsoft now disables it in all zones except for the Local intranet. The default option is acceptable.
Miscellaneous-Allow Script-Initiated Windows Without Size or Position Constraints
This option determines whether or not a Web site can open a new IE window anywhere and of any size. Unscrupulous web advertisers often make oddly sized browser screens (i.e. either very small or very large) to make it difficult on the user to close the pop-up advertising window. It is disabled by default in all zones except Restricted sites. This is an acceptable default choice.
Miscellaneous-Allow Web Pages to Use Restricted Protocols for Active Content
You can define, in the zone registry settings, which protocols and port numbers are allowed in a particular zone. Using this setting you can define whether or not Web sites in this zone can use protocols and port numbers not explicitly defined in the registry. Microsoft has this option set to Prompt in most zones, and disabled in the Restricted sites. The default options are acceptable.
Miscellaneous-Allow Websites to Open Windows Without Address or Status Bars
Many malicious Web sites and adware try to fool users by opening windows without addresses or status bars. This is disabled for Internet and Restricted sites zones, and enabled for Local intranet and Trusted Sites zones. The defaults are acceptable.
Miscellaneous-Display Mixed Content
This option determines whether or not you will be prompted if a web page tries to display content from HTTP and HTTPS communications streams at the same time. In IE 6, if it was set to Prompt, users could receive the following "Security Information" message on web pages that contain both secure (https) and nonsecure (http) content:
This page contains both secure and nonsecure items.
Do you want to display the nonsecure items?
This is a very common occurrence on HTTPS Web sites, although to be truly secure they should never mix content types. All but the security paranoid disable this feature, even though Microsoft's default on all zones is Prompt. The default is acceptable unless you are particularly worried about spoofed HTTPS Web sites.
This option has been enhanced in IE 7 and users will no longer see the mixed-content dialog box prompt shown previously. IE7 will only render the secure content by default, and offers the user the opportunity to unblock the not secure content using the new Information Bar. This is an excellent change because in previous versions of IE, the user was asked the question without really knowing the difference between the secure and not secure content. Now, they will see the secure content first, separated from the non-secure content. Besides preventing some types of malicious attacks, it will prevent a lot of Web site advertising.
Miscellaneous-Don't Prompt for Client Certificate Selection When No Certificates or Only One Certificate Exists
This setting was introduced in IE 5.5 SP1. When this option is set to Enable, IE does not prompt the user with a "Client Authentication" message when it connects to a Web site that has no certificate or only one certificate. When Disabled, IE will display the following "Client Authentication" message even if the Web site does not have a certificate or has only one certificate:
Identification
The Web site you want to view requests identification.
Select the certificate to use when connecting.
Microsoft enables it in the Local intranet zone and disables it elsewhere. This is an acceptable setting, although it also means that you may be sending your identity to the connected server.
Miscellaneous-Drag and Drop or Copy and Paste Files
Determines whether files and folders can be dragged and dropped between client and server, or whether files and folders can be copied and pasted between client and server. Strangely, if disabled in the Internet zone, it will not allow the described options between mapped drives on your computer if the NetBIOS shares were mapped using IP addresses instead of names. Dragging and dropping files is also helpful for FTP and WebDAV operations. Microsoft enables this setting in all zones except Restricted sites, where it is set to prompt. There is little misuse possible, so the defaults are acceptable. The one attack type the authors are aware of involves a timing attack where the user is tricked into overwriting an unintended file in an unintended location. This has been proven in theory, and even demonstrated a few times. However, this type of attack has never been used in a widespread manner, so Prompt should be acceptable.
Miscellaneous-Include Local Directory Path When Uploading Files to a Server
Enabled on all zones except for Restricted sites by default, it passes along the local directory path when uploading files using HTTP or FTP (within IE). Defaults are acceptable.
Miscellaneous-Installation of Desktop Items
Determines whether or not a Web site can install shortcuts and content to the user's desktop. Should be disabled or set to Prompt in most zones. Microsoft set it to Prompt in all zones, except for the Restricted sites zone, where it is disabled. The defaults are acceptable.
Miscellaneous-Launching Applications and Unsafe Files
Determines whether or not the hard coded file types listed previously can be launched or their associated programs executed. This is Enabled on the Local intranet, disabled on Restricted sites zone, and set to Prompt on the Internet and Trusted Sites zones. The defaults are acceptable.
Miscellaneous-Launching Programs and Files in an Iframe
Determines whether programs and files can be executed in an inline floating IE frame (IFRAME). Several vulnerabilities have used this feature over the years. It should be set to Prompt or Disabled. Microsoft sets it to Prompt in all zones except the Restricted sites zone, where it is disabled. The defaults are acceptable.
Miscellaneous-Navigate Sub-Frames Across Different Domains
Determines whether it is possible to open up a child sub-frame that references a server located in a different domain than its parent. A malicious Web site could mimic a legitimate Web site by inserting a window as a frame within the legitimate Web site's window. This feature was used in a few exploits years ago, but now is not considered overly dangerous. Microsoft disables this setting in all zones, except for the Local intranet zone. I prefer to set the option to Prompt in the Internet zone for usability reasons.
Miscellaneous-Open Files Based on Content, Not File Extension
This option determines whether IE will read the first 200 bytes of a file's header to determine if the file meets the MIME Type the Web site claims it to be. If the extension matches the MIME type, IE does not check the file header. But if there is a disagreement, IE reads the file header in an attempt to determine the correct MIME Type. It has been enabled in all zones except for the Restricted sites zone. We would Enable it there as well.
Miscellaneous-Software Channel Permissions
This setting specifies the computer's level of access for Web-based software distribution channels. The possible values are High Safety, Medium Safety, and Low Safety:
- High Safety: Prevents users from being notified about software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers.
- Medium Safety: Notifies users about software updates by e-mail, and allows software packages to be automatically downloaded to (but not installed on) users' computers. The software packages must be validly signed; users are not prompted about the download.
- Low Safety: Notifies users about software updates by e-mail, allows software packages to be automatically downloaded to users' computers, and allows software packages to be automatically installed on users' computers.
The Internet zone and Local intranet zones are set to Medium safety. The Trusted Sites zone is set to Low safety. The Restricted sites zone is set to High safety. The selections are reasonable.
Miscellaneous-Submit Non-Encrypted Form Data
This option determines whether HTML pages in the zone can submit unencrypted forms to or accept unencrypted forms from servers in the zone. Forms sent using SSL are always allowed. This option is usually enabled, except for Restricted sites where it is set to Prompt. The defaults are good.
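The script below is an added example, not code from the book or from Microsoft, and serves both the "Display Mixed Content" discussion above and the "Submit Non-Encrypted Form Data" setting just described. From a defender's side the question is the same: does a page that was served over HTTPS reference anything over plain HTTP? The script scans a page's HTML for sub-resources fetched over http:// (what triggers the mixed-content prompt or IE 7's Information Bar) and for forms whose action posts to an http:// URL (what the unencrypted-form setting governs). The HTML and the example.test host names are constructed for the example.

```powershell
# Added example (not from the book): report, for a page served over HTTPS,
# the http:// sub-resources that IE treats as mixed content and the forms
# that would submit data unencrypted. Sample input below is constructed.
function Find-MixedContent {
    param(
        [Parameter(Mandatory)][string]$Html,
        [Parameter(Mandatory)][string]$PageUrl
    )
    # Only a page served over HTTPS can mix content; a plain HTTP page cannot.
    if ($PageUrl -notmatch '^https://') { return }

    # Elements whose src/href/action/data/poster attribute causes a fetch or a
    # form submission. <a href> is navigation, not a sub-resource, so it is
    # deliberately left out; https:// and protocol-relative URLs do not match.
    $pattern = '(?i)<(script|img|iframe|embed|object|link|form|video|audio|source)\b[^>]*?\b(?:src|href|action|data|poster)\s*=\s*["'']?(http://[^"''\s>]+)'

    $findings = foreach ($m in [regex]::Matches($Html, $pattern)) {
        $tag = $m.Groups[1].Value.ToLower()
        [pscustomobject]@{
            Kind = if ($tag -eq 'form') { 'unencrypted form post' } else { 'mixed content' }
            Tag  = $tag
            Url  = $m.Groups[2].Value
        }
    }
    # One row per distinct URL.
    $findings | Sort-Object Url -Unique
}

# Constructed sample page: an insecure stylesheet, an insecure image and an
# insecure form target, plus a secure script and a plain <a> link that must
# not be reported.
$sampleHtml = @'
<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="https://static.example.test/app.js"></script>
</head><body>
<img src="http://ads.example.test/banner.gif" alt="">
<a href="http://www.example.test/about">About</a>
<form action="http://www.example.test/login" method="post"></form>
</body></html>
'@

Find-MixedContent -Html $sampleHtml -PageUrl 'https://www.example.test/' | Format-Table -AutoSize
```

On the sample page the function reports three rows: the stylesheet and the banner image as mixed content and the login form as an unencrypted form post; the https:// script and the plain link are not listed. Run against your own pages it points directly at the references that make users see the prompt in IE 6, or get silently blocked in IE 7, so they can be moved to HTTPS rather than asking users to click through.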
Miscellaneous-Use Phishing Filter
Enabling this filter tells IE 7 to send each new domain URL to Microsoft's anti-phishing servers for inspection before allowing the page to be displayed. If a site has been defined as fraudulent, the user is warned. It slows down web surfing, but increases security significantly. It should be enabled in all zones except Local intranet sites (because it isn't needed there and only affects performance), and these are the Microsoft defaults.
Miscellaneous-Use Pop-Up Blocker
Determines whether the built-in pop-up blocker is turned on. As with the previous setting, this should be enabled for all zones, except the Local intranet. This is the Microsoft default, as well.
Miscellaneous-Userdata Persistence
Determines whether a Web site can save data about the user or the current session on the user's hard drive, much like a cookie would be able to do. This feature is used by many legitimate Web sites, and although it can possibly be used maliciously, it's best to leave it turned on. The mischief caused by enabling this is limited to tracking: no code execution or exposure of local data (unless you count browsing habits). Microsoft leaves it turned on by default for all zones but the Restricted sites zone, and this is acceptable.
Miscellaneous-Web Sites in Less Privileged Web Content Zone Can Navigate into This Zone
This setting prevents less privileged content from initiating new connections into higher privileged zones. This was created to defeat a new type of malicious attack. Microsoft has this option enabled in most zones, but disabled in the Restricted sites zone. It should be disabled by default in the Internet zone.
Scripting-Active Scripting
This setting determines whether scripting is allowed in IE. If turned off, this disables the JavaScript and VBScript engines. Although many IE exploits rely on scripting to work, so do most Web sites. Leave this enabled unless you are trying to defend against a widespread attack that cannot be stopped by using alternative defenses. Microsoft enables it in all zones except the Restricted sites zone, and this is acceptable.
Scripting-Allow Programmatic Clipboard Access
In previous versions of IE, a malicious Web site could use script to read whatever the user last copied to the Clipboard (via an Edit, Copy or Ctrl+C operation) and send it to the site. Users and administrators often use the Clipboard to paste long and complex passwords during a logon sequence, so this let a malicious Web site see confidential data.
This option was called "Allow paste operations via script" in previous versions. See http://www.sourcecodesworld.com/special/clipboard.asp to test whether your browser allows script to read the Clipboard. In IE 6, Microsoft enabled this option in all zones except the Restricted sites zone. In IE 7 it is set to Prompt in the Internet and Trusted sites zones, Enabled in the Local intranet zone, and Disabled in the Restricted sites zone. It should be disabled in all zones unless needed. When set to Prompt, the user sees a dialog box similar to Figure 4 whenever a Web site attempts to access the Clipboard.
Scripting-Allow Status Bar Updates Via Script
This option determines whether a Web site can change the text in IE's status bar from script. Malicious Web sites have used this to display misleading text, such as an indication that the connection is protected by SSL when it is not. It is correctly disabled in the Internet and Restricted sites zones.
Scripting-Allow Websites to Prompt for Information Using Scripted Window
This setting determines whether a Web site can use script-generated prompt dialogs (window.prompt) to ask the user for information, such as an e-mail address. Such prompts look as if they come from the browser rather than from the page, which makes them useful for phishing. Microsoft has appropriately turned it off in the Internet and Restricted sites zones.
Scripting-Scripting of Java Applets
This determines whether Java applets on a page can be driven from script. Although dozens of Java exploits have been found over the years, only one has ever been widespread, so the overall risk is low. You can enable scripting of Java applets in all zones except the Restricted sites zone, which is the Microsoft default.
User Authentication
Last, this option determines how IE responds when a Web server asks the browser to authenticate the user. Earlier versions of IE always answered such requests by attempting to log on with the current user's name and password. Unfortunately, a malicious Web site can force an unprotected Windows computer to fall back to the older, weaker LAN Manager (LM) challenge-response protocol, which is easy to crack.
A common ploy for spammers was to send the victim an e-mail containing a 1-pixel graphic (called a web bug or web beacon) that had to be downloaded from the spammer's Web server to display the message. Earlier versions of Outlook and Outlook Express downloaded such graphics automatically. The hostile Web server would demand authentication for the image and announce that it understood only LM authentication. Thus all the victim had to do was open an e-mail, and their computer sent back their logon name and an LM challenge-response derived from their password, a format that is easily cracked offline.
Now IE only sends the current user's logon credentials automatically if the site is in the Local intranet zone. Otherwise IE tries to log on anonymously or prompts the user for a logon name and password. IE's default settings are acceptable. Note that this setting only governs when IE volunteers credentials; which challenge-response protocol is offered (LM, NTLM or NTLMv2) is controlled by the system-wide LAN Manager authentication level security policy, so that policy should still be hardened to protect the automatic logons that do occur in the Local intranet zone.
Table 1 summarizes IE's default zone security settings. Where our practical recommendation differs from Microsoft's default, it appears in parentheses.
Table 1: Summary of Internet Explorer 7's Security Zone Settings
DEFAULT SETTING PER ZONE (AND RECOMMENDATION IF IT VARIES FROM MICROSOFT'S DEFAULT)
SETTING | INTERNET | LOCAL INTRANET | TRUSTED SITES | RESTRICTED SITES
--- | --- | --- | --- | ---
Default Security level | Medium-High | Medium-Low | Medium | High
Protected Mode | On | On | Off | Off
.NET Framework-Loose XAML | Enable | Enable | Enable | Disable
.NET Framework-XAML browser applications | Enable | Enable | Enable | Disable
.NET Framework-XPS documents | Enable | Enable | Enable | Disable
.NET Framework-reliant components-Run components not signed with Authenticode | Enable (Disable or Prompt) | Enable (Disable or Prompt) | Enable (Disable or Prompt) | Disable
.NET Framework-reliant components-Run components signed with Authenticode | Enable (Prompt) | Enable | Enable | Disable
ActiveX controls and plug-ins-Allow previously unused ActiveX controls to run without prompting | Disable | Enable | Enable | Disable
ActiveX controls and plug-ins-Allow Scriptlets | Disable | Enable | Disable | Disable
ActiveX controls and plug-ins-Automatic prompting for ActiveX controls | Disable | Enable | Disable | Disable
ActiveX controls and plug-ins-Binary and script behaviors | Enable (Disable or Prompt) | Enable (Disable or Prompt) | Enable (Disable or Prompt) | Disable
ActiveX controls and plug-ins-Display video and animation on a web page that does not use an external media player | Disable | Disable | Disable | Disable
ActiveX controls and plug-ins-Download signed ActiveX controls | Prompt | Prompt | Prompt | Disable
ActiveX controls and plug-ins-Download unsigned ActiveX controls | Disable | Disable | Disable | Disable
ActiveX controls and plug-ins-Initialize and script ActiveX controls not marked safe for scripting | Disable | Disable | Disable | Disable
ActiveX controls and plug-ins-Run ActiveX controls and plug-ins | Enable | Enable | Enable | Disable
ActiveX controls and plug-ins-Script ActiveX controls marked safe for scripting | Enable | Enable | Enable | Disable
Downloads-Automatic prompting for file downloads | Disable (Enable) | Enable | Disable (Enable) | Disable
Downloads-File download | Enable | Enable | Enable | Disable
Downloads-Font download | Enable | Enable | Enable | Disable
Enable .NET Framework setup | Enable | Enable | Enable | Disable
Java VM-Java Permissions* | High safety | Medium safety | High safety | Disable Java
Miscellaneous-Access data sources across domains | Disable | Prompt | Disable | Disable
Miscellaneous-Allow META REFRESH | Enable | Enable | Enable | Disable
Miscellaneous-Allow scripting of Internet Explorer web browser control | Disable | Enable | Disable | Disable
Miscellaneous-Allow script-initiated windows without size or position constraints | Disable | Enable | Disable | Disable
Miscellaneous-Allow web pages to use restricted protocols for active content | Prompt | Prompt | Prompt | Disable
Miscellaneous-Allow Web sites to open windows without address or status bars | Disable | Enable | Enable | Disable
Miscellaneous-Display mixed content | Prompt | Prompt | Prompt | Prompt
Miscellaneous-Don't prompt for client certificate selection when no certificates or only one certificate exists | Disable | Enable | Disable | Disable
Miscellaneous-Drag and drop or copy and paste files | Enable | Enable | Enable | Prompt
Miscellaneous-Include local directory path when uploading files to a server | Enable | Enable | Enable | Disable
Miscellaneous-Installation of desktop items | Prompt | Prompt | Prompt | Disable
Miscellaneous-Launching applications and unsafe files | Prompt | Enable | Prompt | Disable
Miscellaneous-Launching programs and files in an IFRAME | Prompt | Prompt | Prompt | Disable
Miscellaneous-Navigate sub-frames across different domains | Disable (Prompt) | Enable | Disable | Disable
Miscellaneous-Open files based on content, not file extension | Enable | Enable | Enable | Disable (Enable)
Miscellaneous-Software channel permissions | Medium safety | Medium safety | Medium safety | High safety
Miscellaneous-Submit non-encrypted form data | Enable | Enable | Enable | Prompt
Miscellaneous-Use Phishing Filter | Enable | Disable | Enable | Enable
Miscellaneous-Use Pop-up Blocker | Enable | Disable | Enable | Enable
Miscellaneous-User data persistence | Enable | Enable | Enable | Disable
Miscellaneous-Web sites in less privileged web content zone can navigate into this zone | Enable (Disable) | Enable | Enable | Disable
Scripting-Active Scripting | Enable | Enable | Enable | Disable
Scripting-Allow Programmatic clipboard access | Prompt (Disable or Prompt) | Enable (Disable) | Prompt (Disable) | Disable
Scripting-Allow status bar updates via script | Disable | Enable | Enable | Disable
Scripting-Allow Web sites to prompt for information using scripted window | Disable | Enable | Enable | Disable
Scripting-Scripting of Java applets | Enable | Enable | Enable | Disable
User Authentication | Automatic only in Intranet zone | Automatic only in Intranet zone | Automatic only in Intranet zone | Prompt for username and password
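As an added example (not code from the original chapter), the following PowerShell script audits a machine's zone settings for the options discussed in this section (Phishing Filter, Pop-up Blocker, user data persistence, zone navigation, the Scripting group and User Authentication) against Table 1, with the chapter's recommended changes applied, and can optionally write the recommended values. It reads the numbered per-zone registry keys described earlier in the chapter. The action-ID value names (1400, 1407, 1A00 and so on) and their encodings are those documented in Microsoft KB 182569; they are assumed here rather than taken from this page, so verify them against that article before relying on the script. The ID used for the Phishing Filter (2301) is likewise an assumption.

```powershell
<#
  Audit (and optionally apply) the IE 7 zone settings discussed in this section.
  Added example; not code from the original chapter.
  Action IDs are taken from Microsoft KB 182569 (assumed correct; verify against
  the article before relying on them). Encoding for the Enable/Prompt/Disable
  settings: 0 = Enable, 1 = Prompt, 3 = Disable.
#>
param(
    [ValidateSet('HKCU', 'HKLM')]
    [string] $Hive = 'HKCU',   # per-user zones live in HKCU; HKLM applies only when Security_HKLM_only is set
    [switch] $Apply            # write the recommended values instead of only reporting drift
)

$zonesKey  = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Recommended value per zone (1..4), following Table 1 with the chapter's changes applied:
# clipboard access disabled everywhere, zone navigation from less privileged zones
# disabled in the Internet zone.
$policy = @(
    @{ Id = '2301'; Name = 'Use Phishing Filter (ID assumed)';                 Want = @{ 1 = 3; 2 = 0; 3 = 0; 4 = 0 } },
    @{ Id = '1809'; Name = 'Use Pop-up Blocker';                               Want = @{ 1 = 3; 2 = 0; 3 = 0; 4 = 0 } },
    @{ Id = '1606'; Name = 'Userdata persistence';                             Want = @{ 1 = 0; 2 = 0; 3 = 0; 4 = 3 } },
    @{ Id = '2101'; Name = 'Less privileged zone can navigate into this zone'; Want = @{ 1 = 0; 2 = 0; 3 = 3; 4 = 3 } },
    @{ Id = '1400'; Name = 'Active scripting';                                 Want = @{ 1 = 0; 2 = 0; 3 = 0; 4 = 3 } },
    @{ Id = '1407'; Name = 'Allow programmatic clipboard access';              Want = @{ 1 = 3; 2 = 3; 3 = 3; 4 = 3 } },
    @{ Id = '2103'; Name = 'Allow status bar updates via script';              Want = @{ 1 = 0; 2 = 0; 3 = 3; 4 = 3 } },
    @{ Id = '2105'; Name = 'Allow Web sites to prompt via scripted window';    Want = @{ 1 = 0; 2 = 0; 3 = 3; 4 = 3 } },
    @{ Id = '1402'; Name = 'Scripting of Java applets';                        Want = @{ 1 = 0; 2 = 0; 3 = 0; 4 = 3 } },
    # Logon (1A00) uses its own encoding: 0x00000 automatic, 0x10000 prompt,
    # 0x20000 automatic only in Intranet zone, 0x30000 anonymous.
    @{ Id = '1A00'; Name = 'User Authentication (Logon)';                      Want = @{ 1 = 0x20000; 2 = 0x20000; 3 = 0x20000; 4 = 0x10000 } }
)

# Translate a raw DWORD into the label the Internet Options dialog would show.
function Get-SettingLabel([string] $Id, $Value) {
    if ($null -eq $Value) { return '(not set)' }
    if ($Id -eq '1A00') {
        switch ($Value) {
            0x00000 { return 'Automatic logon' }
            0x10000 { return 'Prompt for user name and password' }
            0x20000 { return 'Automatic only in Intranet zone' }
            0x30000 { return 'Anonymous logon' }
            default { return ('Unknown (0x{0:X})' -f $Value) }
        }
    }
    switch ($Value) {
        0       { return 'Enable' }
        1       { return 'Prompt' }
        3       { return 'Disable' }
        default { return "Unknown ($Value)" }
    }
}

$drift = 0
foreach ($zone in 1..4) {
    $key = Join-Path $zonesKey $zone
    if (-not (Test-Path $key)) { Write-Warning "Zone key missing: $key"; continue }
    foreach ($p in $policy) {
        # A missing value reads as $null and is reported (and, with -Apply, created).
        $have = (Get-ItemProperty -Path $key -Name $p.Id -ErrorAction SilentlyContinue).($p.Id)
        $want = $p.Want[$zone]
        if ($have -ne $want) {
            $drift++
            '{0,-16} {1,-48} have: {2,-34} want: {3}' -f $zoneNames[$zone], $p.Name,
                (Get-SettingLabel $p.Id $have), (Get-SettingLabel $p.Id $want)
            if ($Apply) { Set-ItemProperty -Path $key -Name $p.Id -Value $want -Type DWord }
        }
    }
}
"$drift setting(s) differ from the recommended values" + $(if ($Apply) { ' (corrected)' } else { '' })
```

Run the script without arguments to report drift in the current user's zones; add -Apply to correct it, and -Hive HKLM (from an elevated prompt) to audit the machine-wide keys. Machine-wide values only take effect when the Security_HKLM_only value is set under Internet Settings, and on domain-joined machines Group Policy zone settings under the Policies key override both, so a clean audit here does not by itself prove the effective configuration; confirm it in the Security tab of Internet Options.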