Q: Microsoft Internet Explorer (IE) Security Zones are a powerful browser security feature. However, configuring Security Zones is complex and often users lack the knowledge to configure them correctly. A crucial part of understanding IE Security Zones is knowing how IE classifies Web site URLs (i.e., understanding why IE adds a URL to a particular Security Zone). Can you explain how IE Security Zone classification works and offer some guidance on how to configure it?
A: The IE security settings that are applied to a Web site depend on a Web site's Security Zone classification. This dependence explains the importance of understanding how IE uniquely identifies Web sites.
In a security zone, a Web site is identified using its HTTP or FTP URL. You can manually add sites to all Security Zones except the Internet and Local Computer zones. Remember that a site is automatically added to the Internet zone when it doesn't match any of the other Security Zones; the Local Computer zone applies to all content stored on local machine drives. To add a Web site to a Security Zone, select the appropriate Security Zone in the Security tab of the Internet Options dialog box, then click the Sites… button (as Figure 1 shows).
When explicitly adding Web site URLs to the Restricted Sites or Trusted Sites Security Zones, keep in mind that a browser can access Web sites by using both DNS names and plain IP addresses. If you add only Web sites' DNS names to the Restricted Sites or Trusted Sites Security Zones, the site will be classified as part of the Internet Security Zone when it's addressed using its IP address. So make sure that you add both a Web site's DNS name and IP address when classifying it as either a member of the Restricted Sites or Trusted Sites Security Zones.
You can use wildcards to add different Web sites through one administrative action. Adding *.hp.com to Trusted Sites, for example, will classify all sites ending in hp.com (e.g., hr.hp.com, emea.hp.com) as members of the Trusted Sites Security Zone. The configuration of the Local Intranet zone deserves more attention. For the Local Intranet zone, users and administrators will see the following membership configuration options (as Figure 2 shows in the left dialog box):
For example, the dotted-decimal IP address 15.29.34.4 can be written as the single decimal number 15(256³) + 29(256²) + 34(256) + 4 = 253567492, which yields a URL that contains no dots at all.
In short, if you select the Include all local (intranet) sites not listed in other zones option, and users use URLs without dots to access Internet content, you must make sure to explicitly add these URLs to the Trusted Sites or Restricted Sites Security Zones.
Even more secure than just identifying a Web site for Security Zone classification is authenticating it. Authentication is possible when you use the Secure Sockets Layer (SSL) protocol. You can configure the Trusted Sites, the Local Intranet, and the Local Computer Security Zones (the zones with the highest security privileges, and thus the lowest security level) to require SSL-based Web site authentication.
The right dialog box in Figure 2 shows how you can configure the Local Intranet Security Zone to require SSL-based authentication for all Web sites that are categorized in this zone. The same option is available for the Trusted Sites and the Local Computer Security Zones. Because these are the three most privileged Security Zones, strong server-side authentication is a welcome security addition. For the Trusted Sites Security Zone, strong SSL-based authentication is a must.
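The classification rules described above (explicit site lists with wildcards, the Internet zone as the catch-all, the Local Computer zone for local drives, the dotless-name rule of the Local Intranet zone, and zones that accept only SSL-authenticated sites) can be exercised in a small model. The following Python script is an added illustration, not code from the original column or from Microsoft; the zone precedence (Restricted before Trusted for a host listed in both), the `ZoneConfig` class, the `classify` and `dotless_ip` functions, and the sample host 15.29.34.4 (its octets are the coefficients of the expression above) are assumptions made for the example, while *.hp.com is the wildcard the column itself uses.

```python
"""Toy model of IE Security Zone classification (added illustration,
not Microsoft's code).  It follows the rules the column describes:
explicit site lists with wildcards, the Internet zone as the default,
the Local Computer zone for local drives, the "no dots means intranet"
option, and zones that accept only https URLs."""
import fnmatch
import ipaddress
from urllib.parse import urlsplit

LOCAL_COMPUTER = "Local Computer"
LOCAL_INTRANET = "Local Intranet"
TRUSTED_SITES = "Trusted Sites"
INTERNET = "Internet"
RESTRICTED_SITES = "Restricted Sites"


class ZoneConfig:
    """Site lists per zone (hypothetical structure).  A list entry is
    'host' or 'scheme://host'; '*' is allowed in the host part."""

    def __init__(self, trusted=(), restricted=(), intranet=(),
                 dotless_is_intranet=True, require_https=()):
        self.lists = {
            RESTRICTED_SITES: [p.lower() for p in restricted],
            TRUSTED_SITES: [p.lower() for p in trusted],
            LOCAL_INTRANET: [p.lower() for p in intranet],
        }
        # Models "Include all local (intranet) sites not listed in other zones"
        self.dotless_is_intranet = dotless_is_intranet
        # Zones configured to require SSL-based server authentication
        self.require_https = set(require_https)


def dotless_ip(dotted):
    """Single-integer form of a dotted-decimal IPv4 address:
    a.b.c.d -> a*256**3 + b*256**2 + c*256 + d.  Such a URL has no dots."""
    return int(ipaddress.IPv4Address(dotted))


def _matches(pattern, scheme, host):
    pat_scheme, _, pat_host = pattern.rpartition("://")   # scheme part is optional
    if pat_scheme and pat_scheme != scheme:
        return False
    return fnmatch.fnmatchcase(host, pat_host)


def classify(url, cfg):
    """Return the zone name the model assigns to `url`."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme == "file":
        return LOCAL_COMPUTER                  # content stored on local drives
    # Explicit lists first; checking Restricted before Trusted for a host
    # listed in both is this model's (conservative) assumption.
    for zone in (RESTRICTED_SITES, TRUSTED_SITES, LOCAL_INTRANET):
        if zone in cfg.require_https and scheme != "https":
            continue                            # only https sites belong to this zone
        if any(_matches(p, scheme, host) for p in cfg.lists[zone]):
            return zone
    if cfg.dotless_is_intranet and "." not in host:
        return LOCAL_INTRANET                   # a name without dots is assumed local
    return INTERNET                             # the default when nothing matched


def demo():
    """Constructed sample URLs showing the pitfalls the column warns about."""
    ip = "15.29.34.4"                           # octets taken from the expression above
    # Only the DNS name is trusted: the IP and dotless forms escape the zone.
    dns_only = ZoneConfig(trusted=["*.hp.com"])
    # Name, IP and dotless form all listed, as the column recommends.
    complete = ZoneConfig(trusted=["*.hp.com", ip, str(dotless_ip(ip))])
    # Trusted Sites set to require SSL-based server authentication.
    https_only = ZoneConfig(trusted=["*.hp.com"], require_https=[TRUSTED_SITES])
    urls = ["http://hr.hp.com/", "http://%s/" % ip,
            "http://%d/" % dotless_ip(ip), "https://hr.hp.com/",
            "http://intranet/", "file:///C:/temp/page.htm"]
    return {name: {u: classify(u, cfg) for u in urls}
            for name, cfg in [("dns_only", dns_only), ("complete", complete),
                              ("https_only", https_only)]}


if __name__ == "__main__":
    for name, table in demo().items():
        print(name)
        for url, zone in table.items():
            print("  %-28s -> %s" % (url, zone))
```

Running the script prints one table per configuration. With only the DNS name listed, the same server reached through its IP address lands in the Internet zone and its dotless form in the Local Intranet zone, which is exactly why the column asks for every form of a site to be listed explicitly; with Trusted Sites set to require https, an http URL to a listed host no longer receives Trusted Sites privileges.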
To configure the Local Intranet zone properly, a user must have a detailed knowledge of the organization's network configuration, including proxy servers and firewalls. Because very few users have this knowledge, I recommend you use one of the centralized IE Security Zone configuration options: Group Policy Object (GPO) settings or the Internet Explorer Administration Kit (IEAK).