Internet Explorer Security and IEAK

Windows® Internet Explorer® 9 contains the following features that enhance security. You can use Internet Explorer Administration Kit 9 (IEAK 9) to configure or manage some of these features.

For more information about Internet Explorer 9 features, see https://go.microsoft.com/fwlink/?linkid=110324.

  • Cross-Domain Barriers

  • Redesigned URL Parsing

  • Protected Mode

  • Security Zones

  • Default Security Settings

  • Internet Zone

  • Trusted Sites and Restricted Sites Zones

  • Local Intranet Zone

Cross-domain barriers

This feature limits script on webpages from interacting with content from other domains or windows. This safeguard helps protect your users by limiting the potential for malicious websites to exploit flaws in other websites, or to cause your users to download undesired content or software.

Updated URL handler

This feature ensures consistent processing of URLs and minimizes possible security vulnerabilities. The new URL handler helps centralize critical data parsing and increases data consistency throughout Internet Explorer.

Protected mode

Internet Explorer 9 in Windows Vista® runs in isolation from other applications in the operating system. Users must give their explicit consent for software to be able to write to any folder beyond the <systemdrive>\Windows\Temp\Temporary Internet Files folder.

Security zones

The Internet Explorer security options enable you to assign specific websites to various zones, depending on how much you trust the content of the website.

When you install Internet Explorer, the following security zones are set by default:

  • An Internet zone that contains all Internet sites by default.

  • A Local Intranet zone for computers connected to a local network.

  • A Trusted Sites zone, to which you can assign sites you trust.

  • A Restricted Sites zone, to which you can assign sites you do not trust.

  • A My Computer zone, which contains the files on the local computer.

    Note

    You can configure the My Computer zone only from the registry. These settings are not available in the browser interface. Unless your organization has a specific requirement, you should use the default settings for this zone. For more information, see article 315933 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?linkid=68964).

Default security settings

You can apply one of the following security levels to each zone: High, Medium-high, Medium, Medium-low, and Low. In addition, you can set custom security levels for each zone. You can view all the security settings by clicking Internet Options in Control Panel, and then clicking the Security tab.

You can set security options, and determine whether your users can change these settings. In addition, if you are using a computer running Windows Server 2003, you can apply the Internet Explorer Enhanced Security Configuration to your users. This configuration is designed to further decrease the exposure of your network and resources to security threats. For detailed instructions on applying the enhanced configuration to your users and computers, see Managing Internet Explorer Enhanced Security Configuration (https://go.microsoft.com/fwlink/?linkid=26091).

To keep your users protected from browsing with unsafe settings, Internet Explorer now warns users when current security settings may put them at risk. On the Security tab, items are highlighted in red when they are configured unsafely. In addition to the warning in the dialog box, your users will continue to receive reminders as long as the settings remain unsafe. They can instantly reset Internet security settings to the Medium-high default level by clicking the Fix My Settings option in the Information Bar.
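The zone levels described above are stored per zone in the registry under Internet Settings\Zones, so an administrator can audit them from a `reg export` of that key rather than opening each user's Security tab. The following script is an added example and is not part of IEAK or Internet Explorer: it parses the CurrentLevel value of each zone from exported .reg text and flags zones set below the defaults this page states (Medium for the Internet and Trusted Sites zones, High for Restricted Sites). The zone numbers and the CurrentLevel encoding are the standard Internet Explorer values; the .reg text embedded below is constructed sample data, not an export from a real computer.

```python
"""Audit Internet Explorer zone security levels from a reg export.

Added example, not IEAK or Internet Explorer code. Zone numbers (0-4) and
the CurrentLevel DWORD encoding are the standard values used by Internet
Explorer; SAMPLE_REG is constructed sample data.
"""
import re

ZONE_NAMES = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# CurrentLevel DWORD values; higher number means a more restrictive level.
LEVEL_NAMES = {
    0x10000: "Low",
    0x10500: "Medium-low",
    0x11000: "Medium",
    0x11500: "Medium-high",
    0x12000: "High",
}

# Minimum expected level per zone, taken from the defaults this page states.
# The Local Intranet zone is left out because the page expects it to be
# lowered deliberately once the zone has been confirmed secure.
DEFAULT_LEVEL = {2: 0x11000, 3: 0x11000, 4: 0x12000}

# Constructed sample in the format written by `reg export`.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"DisplayName"="Local intranet"
"CurrentLevel"=dword:00010500

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"DisplayName"="Trusted sites"
"CurrentLevel"=dword:00010000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"CurrentLevel"=dword:00012000
"""

KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$")
VALUE_RE = re.compile(r'^"CurrentLevel"=dword:([0-9a-fA-F]{8})$')


def parse_zone_levels(reg_text):
    """Return {zone_number: CurrentLevel} for every zone key in the export."""
    levels = {}
    zone = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            zone = int(key.group(1))
            continue
        value = VALUE_RE.match(line)
        if value and zone is not None:
            levels[zone] = int(value.group(1), 16)
    return levels


def audit(levels):
    """List zones whose level is below the default this page describes.

    Individual Custom Level settings live in separate per-action values
    under the same key and are not inspected here.
    """
    findings = []
    for zone, level in sorted(levels.items()):
        name = LEVEL_NAMES.get(level, "Custom (0x%x)" % level)
        minimum = DEFAULT_LEVEL.get(zone)
        if minimum is not None and level < minimum:
            findings.append(
                "%s: %s is below the default %s"
                % (ZONE_NAMES.get(zone, "Zone %d" % zone), name, LEVEL_NAMES[minimum])
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_zone_levels(SAMPLE_REG)):
        print(finding)
```

Run against a real export with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg` and read the file in place of SAMPLE_REG. The numeric comparison works because the CurrentLevel encoding increases with restrictiveness; a value outside the table usually means the zone has been modified through Custom Level, which this check reports by number only.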

Internet zone

The Internet zone consists of all sites that are not included in any of the other zones. By default, the Internet zone is set to the Medium security level. If you are concerned about possible security problems when browsing the Internet, you might want to change the setting to High. If you raise the security setting, some webpages will not be allowed to perform certain potentially hazardous operations; this can also prevent some useful functionality from working, and some pages might appear not to work properly.

You can choose custom settings to control each individual security decision for the zone. To do this, click Start, click Control Panel, click Internet Options, click the Security tab, and then click Custom Level.

Trusted Sites and Restricted Sites zones

The Trusted Sites zone is assigned a Medium security setting by default. It is intended for highly trusted sites, such as companies that you frequently do business with. If you assign a site to the Trusted Sites zone, the site will be allowed to perform more powerful operations. Add a site to this zone only if you trust all of its content never to do anything harmful to your computer. For the Trusted Sites zone, you should use the HTTPS protocol or otherwise ensure that connections to the site are secure.

The Restricted Sites zone is assigned a High security setting by default. If you assign a site to the Restricted Sites zone, the site will be allowed to perform only minimal, very safe operations. Because this zone enforces a high level of security on content that is not trusted, many pages in this zone will not function properly.

Local Intranet zone

To be secure, the Local Intranet zone must be set up in conjunction with the proxy server and firewall. All sites in the zone should be inside your organization's firewall, and proxy servers should be configured so that they do not allow an external Domain Name System (DNS) name to be resolved to this zone. Configuring this zone requires a detailed knowledge of the existing network configuration, proxy servers, and secure firewalls.

By default, the Local Intranet zone consists of local domain names and domain names that have been set in the proxy override on the Connections tab in Internet Options. You can configure these settings on the Connection Settings page. Note that multiple connection settings can now be configured for each user. You should confirm that these settings are indeed secure for the installation, or adjust the settings to be secure.

When setting up the zone, you can specify which categories of URLs should be considered. You can also add specific sites to the zone.

To specify categories of URLs to include in the zone from the browser

  1. On the Tools menu in Internet Explorer, click Internet Options, and then click the Security tab.

  2. Click the Local Intranet zone, and then click Sites.

  3. Select the check boxes that apply:

    • Include all local (intranet) sites not listed in other zones. Intranet sites have names that do not include periods (for example, http://local). A site name such as https://www.microsoft.com/ is not local because it contains periods (.). This site would be assigned to the Internet zone. The intranet site name rule applies to URLs that start with "file:" as well as "http:".

    • Include all sites that bypass the proxy server. Typical intranet configurations use a proxy server to access the Internet with a direct connection to intranet servers. This setting uses this kind of configuration information to distinguish intranet from Internet content for purposes of zones. If the proxy server is otherwise configured, you should clear this option and use other options to designate files that are assigned to the Local Intranet zone. In systems that do not have a proxy server, this setting has no effect.

    • Include all network paths (UNCs). Network paths (for example, \\local\file.txt) are typically used for local network content that should be included in the Local Intranet zone. If there are network paths that should not be in the Local Intranet zone, you should clear this option and use other options to designate files that are assigned to the Local Intranet zone. For example, in certain Common Internet File System (CIFS) configurations, it is possible for a network path to reference Internet content.

    Note

    To add a specific site to this zone, click Advanced, type the URL, and then click Add. To require that server verification be used, select the Require server verification (https:) for all sites in this zone check box.
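The three check boxes above describe three rules that decide whether a URL lands in the Local Intranet zone: a site name with no periods, a host that bypasses the proxy server, and a network (UNC) path. The following script is an added example, not Internet Explorer or IEAK code, that applies those rules as this page describes them to classify URLs, with each rule switchable in the same way as the check boxes; files on the local computer are reported as belonging to the My Computer zone. The proxy-bypass list it uses is constructed for illustration, and it does not reproduce Internet Explorer's full zone mapping (for example, sites added explicitly through the Advanced dialog box).

```python
"""Classify URLs by the Local Intranet zone rules described on this page.

Added example, not Internet Explorer or IEAK code. PROXY_BYPASS is a
constructed list standing in for the "do not use proxy server for" entries
on the Connections tab; URLs are expected to carry a scheme or start with \\.
"""
import fnmatch
from urllib.parse import urlsplit

# Constructed proxy-bypass entries (assumption: wildcard syntax as on the
# Connections tab, matched here with fnmatch).
PROXY_BYPASS = ["*.corp.example", "10.*", "fileserver01"]


def host_of(url):
    """Return the lower-cased host part of an http:, https:, file: or UNC URL."""
    if url.startswith("\\\\"):
        return url[2:].split("\\", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def is_network_path(url):
    """True for UNC paths such as \\\\local\\file.txt or file://server/share."""
    if url.startswith("\\\\"):
        return True
    parts = urlsplit(url)
    return parts.scheme == "file" and bool(parts.netloc)


def classify(url, include_local=True, include_bypass=True, include_unc=True,
             bypass=PROXY_BYPASS):
    """Return (zone, reason) for a URL.

    The three keyword flags correspond to the three check boxes in the
    Local Intranet zone's Sites dialog box. An empty bypass list models a
    system without a proxy server, where the bypass rule has no effect.
    """
    parts = urlsplit(url)
    host = host_of(url)

    # file: URLs with no server part point at the local computer.
    if parts.scheme == "file" and not parts.netloc and not url.startswith("\\\\"):
        return ("My Computer", "local file")

    if include_unc and is_network_path(url):
        return ("Local Intranet", "network path")

    # Names without periods (http://local) are intranet; the rule applies to
    # file: as well as http: URLs. https://www.microsoft.com/ has periods,
    # so it falls through to the Internet zone.
    if include_local and host and "." not in host:
        return ("Local Intranet", "no periods in name")

    if include_bypass and any(fnmatch.fnmatch(host, pat.lower()) for pat in bypass):
        return ("Local Intranet", "bypasses proxy")

    return ("Internet", "")


if __name__ == "__main__":
    for sample in ["http://local/page", "https://www.microsoft.com/",
                   "\\\\local\\file.txt", "http://hr.corp.example/"]:
        print(sample, "->", classify(sample))
```

Clearing a check box (passing the corresponding flag as False) pushes the affected URLs out to the Internet zone, which is the behaviour the page recommends when the proxy configuration or certain CIFS configurations could otherwise let Internet content be treated as intranet content.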

After the Local Intranet zone is confirmed secure, consider changing the zone's security level to Medium-Low or Low to enable a wider range of operations to be performed. It is also possible to adjust individual security settings in the Custom Settings dialog box.

If there are parts of your intranet that are less secure or otherwise not trustworthy, they can be excluded from this zone by assigning them to the Restricted Sites zone.

Additional references