Prevent malicious Web page attacks

You've undoubtedly heard the advice that when surfing unknown Web sites, you shouldn't let ActiveX controls or Java applets run in your browser. However, to heed this advice, many administrators need a thorough explanation of how to set browser properties. Microsoft Internet Explorer (IE) 4.0 and IE 5.0 control features such as ActiveX and Java through four security zones, and you need to configure each zone for maximum security.

What's a Security Zone?
Microsoft introduced the concept of security zones when the company released IE 4.0. You can think of security zones as invisible boundaries that prevent certain Web-based content from performing unauthorized actions through the Web browser. To control Web security, you add and remove sites from a zone, depending on the functionality you want to provide for users on a particular site. Each time the browser accesses a URL, it determines which zone the site belongs to (by the site's host name or address) and applies that zone's security permissions to all interaction with the site. In this way, security zones offer a method of grouping sites by security classification.

IE 5.0 has four basic zone classifications: Internet, Local intranet, Trusted sites, and Restricted sites. To access these zones in IE 5.0, select Tools, Internet Options, then select the Security tab (in IE 4.0, the Internet Options dialog box is under the View menu). Microsoft Outlook 2000 and Outlook 98 also use the Internet and Restricted sites security zones. For more information about how to configure security zones in Outlook 2000 and Outlook 98, see the sidebar "Outlook Security Zones."

On the Security tab, which Screen 1 shows, you can see the four zone classifications listed at the top, with an icon representing each classification. The Internet zone is a catchall zone for sites on the Internet that another zone doesn't already classify. By default, every site you visit that doesn't have membership in another zone inherits the security permissions that the Internet zone defines. The Local intranet zone represents sites in your LAN environment, and IE treats it as more trusted than the Internet zone (its default level is Medium-low). Be aware that IE infers Local intranet membership rather than reading an explicit list: by default the zone includes host names without periods, sites that bypass the proxy server, and UNC network paths. Review those options (Sites, Advanced) before you rely on this zone. The Trusted sites zone serves as an exception zone to the Internet zone: the sites you list in the Trusted sites zone receive the broadest browser functionality (its default level is Low), and unknown sites remain in the Internet zone. The Restricted sites zone can pacify even the most paranoid attitude because this zone provides the means to severely restrict interaction between a server and the Web browser (its default level is High). You should place any sites that you have suspicions about in this zone.

The Security tab also has a slider labeled Security level for this zone. The slider has four security levels: High, Medium, Medium-low, and Low. To automatically adjust the security level of a given zone, you select the proper zone icon, then move the slider.

To manually configure the security zones, you use the Sites, Custom Level, and Default Level buttons on the Security tab of the Internet Options dialog box. All four zones expose the same controls through these three buttons, so you have to learn only one set of parameter definitions. To manually adjust the security properties of a zone, select a zone icon, then select a button. You use the Sites button to add and remove sites from the selected zone. When you select the Internet zone, the Sites button becomes unavailable: because the Internet zone is the catchall zone for sites that aren't members of other zones, there is no list to maintain. For the Trusted sites zone, the Sites dialog box selects the Require server verification (https:) for all sites in this zone check box by default. Keep it selected where you can, because it ties trust to a server certificate rather than to a host name alone, which DNS or a proxy could misdirect.

The Custom Level button displays the Security Settings dialog box, in which you can review and configure every available security parameter for the selected zone, as Screen 2 shows. Each of the four security zones has the same list of parameters; only the values differ from zone to zone. For more information about the custom security parameters, see the sidebar "Security Options." The Default Level button simply resets the selected zone's security settings to the default settings for that zone.

Configuring Security Zones
Most people want to surf potentially dangerous Internet sites without experiencing intrusion or damage to their local computer. To do so, you must restrict certain actions (such as Java operations) from taking place in the browser. When configuring security settings, be sure to obey your company's policy regarding Web content. If your company's security policy forbids the use of Java from unknown sources, don't set Java to prompt; disable Java altogether, so the decision isn't left to each user at each site.

You can configure security zone settings in IE automatically or manually. To perform an automatic security configuration, select the appropriate zone, then move the security-level slider to the proper level. When you move the slider, IE performs automatic parameter adjustments behind the scenes. To view the slider security settings, you can select the Custom Level button, which presents the Security Settings dialog box with the current parameters and settings.

To manually adjust the settings, you can select the Disable, Enable, or Prompt radio buttons in the Security Settings dialog box. Selecting Disable turns off a feature, selecting Enable turns on a feature, and selecting Prompt turns on a feature but tells the browser to prompt the user before allowing any action. One exception is the Java permissions item, which doesn't use these three choices: it offers Disable Java, the High, Medium, and Low safety levels, and Custom.

I ordinarily configure the Internet zone in my IE browser to prompt for most functionality types, which provides high security. This way, I can simply choose Yes or No to use specific site features after the browser warns me of the security risks. If I visit a Web site that uses an ActiveX control (such as a navigation bar) and my ActiveX properties are all set to Prompt, a dialog box pops up and asks me whether I want to let the ActiveX object run in my browser.

The benefit of using the Prompt setting is that you don't have to go back and reconfigure your security settings to use any extended site functionality—you simply answer the prompt that appears in the window. The downside to this setting is that you might find yourself responding to an unruly number of prompts while surfing a given site, which can quickly become annoying. But I have a paranoid mindset, so I find the prompts to be less annoying than I would find an intruder. You might find disabling unwanted features to be more reasonable. Then, you simply add sites to your Trusted sites zone to regain the extended functionality that a site offers.

The easiest and quickest way to configure IE for strong security in the Internet zone is to select Default Level, which resets all parameters to the default setting and redisplays the security-level slider (which disappears when you choose Custom Level). Next, move the security-level slider up to the High setting. The High security level adjusts all the necessary parameters for the Internet zone so that active content from unknown sites is blocked or must be approved before it runs. What it can't do is protect you from a flaw in the browser itself that hasn't yet been discovered or patched, so keep IE current as well.

After you've adjusted the slider to High security, you can select the Custom Level button to review the security settings or select Apply to cause the settings to take effect immediately. If you review the security settings, you'll see that High disables the ActiveX and Java items outright rather than prompting for them, and that other items are set to Prompt. Go through the list and disable any Prompt items that you know you won't use, so you won't continually receive prompts when surfing unknown Web sites.
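Because IE stores every Custom Level item and the site-to-zone list in the registry, the zone lookup described under "What's a Security Zone?" and the Custom Level and Sites procedures above can be audited and applied from a script as well as from the dialog box. The following PowerShell is an added example and is not code from the original article. The registry paths, zone numbers, item IDs, and action codes are the ones IE 4.0 and 5.0 introduced (and later versions kept); PowerShell postdates IE 5.0 but runs against the same keys. The function names, the hardening choices, and the host names are this example's own, and the host names are constructed samples.

```powershell
# Added example, not code from the original article: inspect the Custom Level items
# that govern active content in an IE security zone, harden them, and add a host to the
# Trusted or Restricted sites zone by writing the registry values that the Internet
# Options dialog writes. Key paths, zone numbers, item IDs and action codes are IE's own;
# function names, hardening choices and host names (constructed samples) are assumptions.

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers as IE stores them. Zone 0 (My Computer) exists but the dialog hides it.
$ZoneNumber = @{ Intranet = 1; Trusted = 2; Internet = 3; Restricted = 4 }

# Custom Level items: each is a DWORD holding 0 = Enable, 1 = Prompt, 3 = Disable.
$ActiveContent = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1400' = 'Active scripting'
}
$ActionCode = @{ Enable = 0; Prompt = 1; Disable = 3 }
$ActionName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Java permissions (item 1C00) don't use Enable/Prompt/Disable; they use safety levels.
$JavaName = @{ 0x0 = 'Disable Java'; 0x10000 = 'High safety'
               0x20000 = 'Medium safety'; 0x30000 = 'Low safety'; 0x800000 = 'Custom' }

# Slider position, stored in each zone's CurrentLevel value.
$LevelName = @{ 0x12000 = 'High'; 0x11000 = 'Medium'; 0x10500 = 'Medium-low'; 0x10000 = 'Low' }

function Get-SettingName([hashtable]$Names, $Value) {
    # Translate a raw DWORD into the label the dialog would show, or flag it if unknown.
    if ($null -eq $Value) { return 'not set' }
    if ($Names.ContainsKey([int]$Value)) { return $Names[[int]$Value] }
    return ('unknown (0x{0:X})' -f [int]$Value)
}

function Get-IEZoneReport {
    param([ValidateSet('Intranet','Trusted','Internet','Restricted')][string]$ZoneName)
    $props = Get-ItemProperty -Path (Join-Path $ZonesKey $ZoneNumber[$ZoneName])
    [pscustomobject]@{ Zone = $ZoneName; Item = 'Security level (slider)'
                       Setting = Get-SettingName $LevelName $props.CurrentLevel }
    foreach ($id in $ActiveContent.Keys) {
        [pscustomobject]@{ Zone = $ZoneName; Item = $ActiveContent[$id]
                           Setting = Get-SettingName $ActionName $props.$id }
    }
    [pscustomobject]@{ Zone = $ZoneName; Item = 'Java permissions'
                       Setting = Get-SettingName $JavaName $props.'1C00' }
}

function Set-IEZoneItem {
    param(
        [ValidateSet('Intranet','Trusted','Internet','Restricted')][string]$ZoneName,
        [string]$ItemId,
        [ValidateSet('Enable','Prompt','Disable')][string]$Action
    )
    Set-ItemProperty -Path (Join-Path $ZonesKey $ZoneNumber[$ZoneName]) -Name $ItemId `
                     -Value $ActionCode[$Action] -Type DWord
}

function Add-IESiteToZone {
    param(
        [string]$HostName,
        [ValidateSet('Trusted','Restricted')][string]$ZoneName,
        [ValidateSet('https','http')][string]$Scheme = 'https'
    )
    # One subkey per host; the value name is the URL scheme and its data is the zone number.
    # Writing only 'https' preserves the Trusted zone's "require server verification" rule:
    # an http: URL to the same host still lands in the Internet zone.
    $key = Join-Path $ZoneMapKey $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value $ZoneNumber[$ZoneName] -Type DWord
}

# Harden the Internet zone: no ActiveX at all and Java off. Active scripting (1400) is left
# at whatever the slider set, so review it in the report below.
foreach ($id in '1001', '1004', '1200', '1201', '1405') { Set-IEZoneItem Internet $id Disable }
Set-ItemProperty -Path (Join-Path $ZonesKey 3) -Name '1C00' -Value 0 -Type DWord   # Disable Java
# The author's alternative of prompting instead of blocking would be, for example:
#   Set-IEZoneItem Internet '1200' Prompt

# Move a known-good intranet server to Trusted (https only) and a suspect host to Restricted.
Add-IESiteToZone -HostName 'intranet.example.com' -ZoneName Trusted
Add-IESiteToZone -HostName 'suspect.example.net' -ZoneName Restricted -Scheme 'http'
Add-IESiteToZone -HostName 'suspect.example.net' -ZoneName Restricted -Scheme 'https'

Get-IEZoneReport Internet | Format-Table -AutoSize
```

Run the script in the user's own session; IE reads the changes when it next starts. If the Security_HKLM_only value is set under the Internet Settings key (the Group Policy option that makes IE use only machine-wide zone settings), the same paths under HKLM govern instead, and writes to HKCU have no effect.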

If you want to further configure the security of your Web browser, you can use the Advanced tab on the Internet Options dialog box. For more information about how to configure the advanced security options, see the sidebar "Advanced Security Settings."

Now You Know
The security zones within IE might seem confusing at first, but the zones are easy to configure after you understand what each zone represents and the hierarchy of configurable properties in each zone. You need to make manual adjustments to the browsers on your network and be aware of the effect when you accept default settings. Doing so will prevent most malicious Web-based and email-based HTML content from interacting with your computer and will render your network environment a much safer place to work.