Setting	Description
Include all local (intranet) sites not listed in other zones	Specifies that all sites that appear to be local (e.g., http://local or file://webdoc.doc) are to be considered in the local intranet.
Include all sites that bypass the proxy server	Specifies that all sites configured to  bypass an internal proxy server are to be considered within the local intranet. This setting is used to distinguish intranet from Internet content for purposes of zones only. If the proxy server is configured differently, this option should not be used, and alternative methods should be used to designate intranet zone membership. If you don't use a proxy server, this setting has no effect.
Include all network paths (UNCs)	Specifies that UNC (Universal Naming Convention) paths are treated as local sites. UNC paths (e.g., \\server\share\webdoc.htm)  are commonly used for network files that are included in the Local Intranet zone. Clear this option if you don't want one or more network paths included in the Local Intranet zone.

       To add a site to the Local Intranet zone, click the Advanced button, enter the URL and click Add.  You can also specify whether or not you want to use HTTPS (Hypertext Transfer Protocol Secure) for server verification.

Trusted Sites Zone

       As the name implies, the Trusted Sites zone is intended for use with those sites which you trust not to damage your system or steal your information.  By default, it is set to low security.  There isn't a lot more than can be said about the Trusted Sites zone, except to say that you should use this zone sparingly and carefully.  You might even consider applying a customized level of security, as opposed to using the default low security.  Even if you completely trust the content and code on a web site, it is still a good idea to protect yourself by disabling features you may not need or use.  Trusted web sites can always add content that is stored on other, non-trusted sites.  In addition, it is entirely possible that an unintentional mistake in the coding of an applet or the writing of scripts could produce undesirable effects.  Certainly this won't be as destructive as a malicious script or a rogue applet, but it could produce several annoyances, including a system crash.

To add a site to the Trusted Sites zone, click the Sites button and Add the desired site.  Like sites in the Local Intranet zone, you can also specify that HTTPS be used for these sites.

Restricted Sites Zone

You can liken this zone to a jail.  When used properly, the Restricted Sites zone provide a mechanism for containing web sites that may cause damage to or steal information from your system or your network.  Obviously the best protection would be to simply not visit the sites, but you may find some exceptions.  There may be web sites out there who plain text content you wish to view without the concern of silent executable code being delivered to your computer.

It never hurts to double-check your configuration.  Indeed, as indicated in Microsoft Knowledge Base article Q217260, a trailing space at the end of an URL that you added to the Restricted Sites zone could cause Internet Explorer to apply different zone settings (e.g., Local Intranet or Trusted) to the site.  This could open the door for malicious content.

Like the Local Intranet and Trusted Sites zones, you can add sites to the Restricted Site zone by clicking Sites, entering an URL and clicking Add.  Unlike the other two zones, you cannot specify whether or not restricted sites are required to use HTTPS.

Local Machine Zone

There is a fifth security zone that is not accessible from the Security tab in Control Panel | Internet Options.  This fifth zone ''called the Local Machine zone, or My Computer'' is only available for Windows systems.  In addition, it can only be configured by editing the registry, or by using the Internet Explorer Administration Kit (see Chapter 15).  The Local Machine zone includes all of the content on the local computer, except for data that is stored in the Temporary Internet Files web cache, or classes that have been specifically signed with local machine privileges.  This zone is very much like the Trusted Sites zone.  Security is extremely minimal, or not present at all.  Unless otherwise configured by an administrator, network connections can also fall into this zone.

In theory, even when properly configured, malicious content could make its way into the Local Machine zone.  For example, an employee may be browsing a restricted site.  On one of the pages, there could be a malicious script that looks for and transmits password files to a malicious web site.  As a restricted site, the script is still part of the downloaded web page, but it won't due to the security restrictions that are in place.  But say that the employee decides to save the page to their hard drive for later inspection.  They do this by clicking File and Save As, which saves the page ''including the malicious script'' to their hard drive.  Later they open the page on their hard drive.  Because they are accessing a file on their local system instead of via a World Wide Web URL, the Local Machine zone will be applied.  Because security for this zone is extremely low or nonexistent, the malicious script could execute and cause damage or silently transmit data.  While I am not aware of any real-world instances of this, it is entirely possible and therefore needs to be considered as one of the many security issues related to browsing the web.

When adding sites to the Trusted Sites or Restricted Sites zone, you can use the convenience of wildcards.  A wildcard is a character ''in this case an asterisk (*)''  that you can use to represent other characters.  You might find this helpful in adding multiple transport protocols (e.g., HTTP, FTP, etc.) for one site.  For example, entering http://www.safesite.com to your Restricted Sites zone will protect you from content that uses the HTTP protocol, but it won't protect you from content that uses the FTP protocol (e.g., ftp://www.safesite.com).  To add all transport protocols, you can use a wildcard in the URL so that it looks like this: *://www.safesite.com.  The asterisk is translated to mean 'anything.'  New transport protocols will be added to future versions of Internet Explorer, and you won't have to go back to configure the new protocols for the sites you've added to your security zones.  You may have noticed that not all web sites use 'www' as part of their URL.  Wildcards are useful in these cases, as well.  For example, you can use http://*.safesite.com, which will include http://safesite.com, http://www.safesite.com, http://home.safesite.com, etc.  Moreover, you can use a combination of wildcards to add all transport protocols and all URL variations by using the format *://*.safesite.com.

The Choice is Yours

As previously mentioned, you can choose from four security levels: high, low, medium and custom.  High, low and medium have certain options preset to enable, disable or prompt.  When you deviate from one of these predefined combination of options, you are using a custom level.  The default settings for each level within Internet Explorer 5 are listed in the following tables.  Note that some of these settings do not apply to UNIX or 16-bit versions of Internet Explorer:

§         UNIX versions

ActiveX controls and plug-ins

Font download

Software channel permissions

Launching applications and files

Installation of desktop items

 

§         16-bit versions

User authentication

Font download

Software channel permissions

Installation of desktop items

Active scripting

Launching applications and files from an IFrame

 

 

 

 

There are a number of options available when configuring Security Zones.  Because the configured options can adversely affect your ability to view web content or run web applications, it is important to have a solid understanding of what each option controls.  Knowing how to control what web sites can do and what they cannot do is integral to safe browsing.   Clearly, on the Internet, what you don't know can hurt you.

By now you know that ActiveX controls, Java and other dynamic Internet technologies are very powerful, but very dangerous.  Choosing whether or not to enable this kind of content is often related to the factor of trust you have in the web site that provides the content.  You might, for example, choose to run all dynamic content on your company's intranet, but you might disable it completely while on the Internet.  Ultimately, the security settings you use are up to you.  If you're like me, your settings may be constantly evolving.

When you configure Security Zones, it is important to take certain things into account.  For example,

§         The URL determines the security zone.  Keep in mind that some sites use framesets.  Because individual frames determine the security context, one site may span multiple zones.

§         A trusted site can host malicious content.  For example, say you assign http://www.safesite.com to the Trusted Sites zone.  Afterwards, the site adds an executable that is located on another, untrusted, web site. Internet Explorer will download the executable within the security context of the www.safesite.com page.

§         Before changing security zones, consider the existing security context of applets, executables, and pages. When you changing a web page from high security to low security you’re removing the restrictions on that content.

It is fairly straightforward to configure Security Zones.  You simply select the desired zone and drag the slider bar to the desired security level for that zone.  Or if you prefer, you can get fairly granular, as well.  Within Internet Explorer 5, there are seven different categories of settings that you can configure within each Security Zone:

 ActiveX Controls and Plug-Ins allows you to control whether or not signed or unsigned controls are downloaded and executed.  Within this category are five options that you can configure:

 Each options can be set to one of three values: enable ''which turns the option on; disable '' which turns the option off; and prompt '' which displays a dialog box asking you whether or not you want to run the control, on a per-control basis.  Within Internet Explorer 5, Run ActiveX Controls and Plug-ins also has an additional setting for Administrator approved, which allows corporate administrators to allow specific ActiveX controls to be run, while locking out all others.

Cookies allows you to turn browser cookies on and off.  Internet Explorer 5 allows per-zone cookie control.  Prior versions used a global cookie setting.  Within this category you have two options to choose from:

 Once again you can choose from enable, disable, and prompt.  As you learned in Chapter 3, cookies are small, harmless files that web sites use to record and track your visit to their site, as well as maintain session information.  Keep in mind that if you turn off cookies, some web sites may not function properly.

Downloads controls whether or not files or font are downloaded.  Font downloads can be set to enable, disable, or prompt, but file downloads can only turned on (enabled) or off (disabled).

Under Java, you only have one option ''Java permissions''  but you have five settings to choose from: Custom, Disable Java, High Safety, Low Safety and Medium Safety.  Choosing Custom allows you to get extremely granular in your control of Java permissions.  When a Java applet runs, it typically requests permission to access things on your system, such as folders, files, printers, system information, and your network connections.  If the Java applet doesn't need a higher level of permission that what you have set, then it will run without requesting permissions.  If it needs more permissions that you have configured, you will be presented with a dialog box requesting the additional privileges necessary for the applet to run properly.

If you choose a Custom setting for Java permissions, a new button called Java Custom Settings will appear.

The Java Custom Settings button allows you to completely customize the security of your Java environment.  There are several reasons you might want to do this.  Java applets help solve some of the client/server problems in a network-concentric computing environment.  Using Java applets, however, adds vulnerability.  For example, an employee browsing an Internet web site for information might unknowingly load and execute a malicious applet without even being aware that the site contains such code.  This silent and automatic distribution of executable code exposes both the employee's computer, and the network to which it is connected.  Since the applet is imported into the user's web browser and runs locally, the malicious code could steal information, damage the system, or plant further malicious code.  Since the malicious code is now behind the company's firewall, it can attack other machines on a corporate network. Moreover, these attacks are not stoppable by standard security measures.  Companies aren't the only ones at risk.  More and more consumers rely on home computers  ''and lately home networks''  for personal correspondence, business and financial management, and entertainment.  Left to chance, both the data and the integrity of these systems are at risk to surreptitiously transmitted malicious code.  Controlling what Java applets can and cannot do is a necessary prerequisite for protecting your computer system and any network to which it is attached.

Within these settings are three sets of permissions:

ooops  

 You can assign permissions to the following objects:

 

In the View Permissions dialog box, you'll see icons that look like traffic signals.  The color of the light indicate the level of security in place.  If the light is green, it means that security is high.  If the light is red, security is low.  A yellow light indicates medium security.  If you write Java applications, or if you would like to control what Java applets can do on your system, you'll want to experiment with your security settings.  When you're finished experimenting you can reset the security settings back to low, medium or high security.

The Miscellaneous category has several options you can configure:

 

Many of the Miscellaneous settings are the direct result of specific Internet Explorer security vulnerabilities that were reported to, and subsequently fixed by, Microsoft.

The Scripting category allows you to control active scripting, script access to java applets, and script access to the clipboard.  These are important settings for several reasons.  First, active scripting can expose the contents of files to malicious webmasters.  Second, access to the Windows clipboard could expose personal data or passwords.  Third, and most important, a script that has access to a java applet could cause extensive damage to both the system on which it is running and the network to which the system is attached.  Within this category you have three options you can set to enable, disable or prompt:

There are some web sites that require authentication in order to access the site content.  Many intranet sites also use authentication to control employee access to internal data.  The User Authentication option allows you to control the transmission of authentication credentials (e.g., username and password) to web sites.  You can choose one of four settings: