If you use Windows, you have Microsoft Internet Explorer (IE) installed. You might choose not to use it and instead use some other Web browser such as Mozilla or Opera, but IE is still installed, and some of your Web activity might require its use. For example, you can't download patches from Microsoft's Windows Update Web site without using IE. In addition, some Web sites are designed exclusively for IE and might not function properly with other browsers.
A lot of security bugs have been discovered in IE--several, recently. You're probably aware that a few exploits take advantage of multiple IE vulnerabilities to penetrate various levels of network and system security. Almost invariably, such exploits are designed to somehow gain access to local system resources. Using IE's built-in security zones to help control Web functionality is a good way to protect your network.
You might lock down the Internet Zone by disallowing ActiveX controls, scripting, and cookie functionality. And you or your users might loosen access for the Local Intranet zone because that zone should be a trusted network for all users. You can also instruct users to add appropriate Internet-based Web sites to the Trusted Sites zone, which you've adjusted to allow the desired functionality.
That sort of configuration strategy is probably typical, and it makes some sense. However, an attacker can exploit various security holes in IE to circumvent even strict security that uses that model to gain access to the My Computer zone, whose security is by default set rather loosely.
Thor Larholm, senior security researcher at PivX Solutions, recently posted a message to the NTBugtraq mailing list that points out another way to strengthen IE security. Larholm said that he uses IE with confidence even when a vulnerability is known and a patch isn't yet available. Instead of leaving the My Computer zone configured with loose security, he locks it down to some extent. He also loosens the Internet Zone configuration to let components such as ActiveX controls and Javascript operate to improve the Web browsing experience.
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0312&L=ntbugtraq&P=396
The My Computer zone isn't listed when you view zone security in IE--you must edit the registry to adjust its security. However, be aware that when doing so, you could make mistakes that cause problems on the desktop and might even prevent the system from booting. You can find a detailed explanation of IE's security zone settings and how to edit them in the registry in the Microsoft article "Description of Internet Explorer Security Zones Registry Entries" ( http://support.microsoft.com/?kbid=182569 ).
I think Larholm's approach makes good sense. You might consider trying it, but instead of manually adjusting the My Computer registry settings, you might consider using a utility to help automate the tasks to reduce your chances of error. PivX is beta testing a new utility called Qwik-Fix, which automates registry adjustments and strengthens the security of other subsystems, settings, and software such as remote procedure call (RPC)/Distributed COM (DCOM), MIME types, Windows Messenger, and Adobe streams. You can learn more about it at the URL below.
http://www.pivx.com/qwikfix
Register
marten December 11, 2003