Logo - tutorial.programming4.us
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
Windows 7

Using Internet Explorer 8 : Security and Privacy Options (part 1) - Working with Protected Mode & Using and Customizing Internet Security Zones

3/13/2011 4:33:44 PM
The bedrock of security in Internet Explorer 8 is its consistent use of Windows permissions to limit what webpages and add-ons can do. This security fence around the browser window is called Protected Mode. In the following sections, among other things, we explain how Protected Mode defangs potentially dangerous add-ons by restricting their access to system files and redirecting files they save or create to locked-down virtualized locations. We also explain how Internet Explorer's use of security zones lets you apply different levels of security to different categories of sites.

1. Working with Protected Mode

Using a web browser exposes you to special security risks; by clicking a link in an e-mail or mistyping a web address, you can find yourself on a site containing hostile script or downloadable code intended to take over your system. To mitigate these threats, Internet Explorer runs in Protected Mode. This special mode, which is active in all Internet Explorer security zones except the Trusted Sites zone, takes advantage of a wide range of security-related features, notably User Account Control (UAC). When Protected Mode is enabled (the default setting), Internet Explorer runs with severely limited privileges. These restrictions prevent a website from installing programs without your permission or changing system settings.

In Windows 7, processes run with integrity levels defined by the Mandatory Integrity Control feature. Protected Mode Internet Explorer runs in the Low privilege process. As a result, Internet Explorer is prevented from writing to areas of the file system or the registry that require a higher privilege. The information sent between processes of different integrity levels is also limited with Protected Mode. Add-ons such as ActiveX controls and toolbars run in the same Low process, preventing them from gaining access to any areas except those specifically created for storing potentially unsafe data and programs.

Behind the scenes, Windows creates a set of folders and files for use with Protected Mode Internet Explorer. These folders and files share the same Low privilege level as Internet Explorer. Windows also creates virtual folders to store files that Internet Explorer tries to save in protected locations. Instead of causing an add-on to fail when it tries to write a data file to the Program Files or Windows folders, Windows silently redirects the file write operation to a virtual equivalent. The program is able to continue, believing that it wrote the files to a system location and not realizing that the data files actually wound up in a hidden vir-tualized folder that mirrors the actual path and is stored under the Temporary Internet Files folder. Likewise, any attempt to write to the registry is redirected to a Low-integrity area of the registry.

When Internet Explorer needs to read those virtualized files, a broker process intercepts the operation and asks for your consent before continuing. This represents an important concept of Protected Mode: whenever any action requires a higher privilege level, such as an ActiveX installation or an attempt to save a file, a broker process must be invoked.

On rare occasions, Protected Mode can prevent an application or website from working properly. If all attempts to work around the incompatibility fail, you can disable Protected Mode for the current zone. We recommend against taking this measure; if you must do so, we recommend that you re-enable Protected Mode immediately after you finish the activity that conflicts with it. Follow these steps to disable Protected Mode for the current zone:

  1. From within Internet Explorer, click Tools, and then click Internet Options.

  2. Click the Security tab, and clear the Enable Protected Mode check box.

  3. Click OK to continue, and close the Internet Options dialog box. Windows displays a warning that the current security settings will put your computer at risk. Click OK to continue.

When Protected Mode is off, navigating to any webpage displays a warning message in the Information bar:

To re-enable Protected Mode, click the Information bar and click Open Security Settings. Select the Enable Protected Mode check box, click OK, and then close and reopen Internet Explorer.

Another method for working around Protected Mode for a specific website is to add the website to the Trusted Sites zone, where Protected Mode is not in effect. We recommend that you exercise caution before choosing this technique, however; adding a site to the Trusted Sites zone enables a wide range of potentially risky behaviors, and it's easy to forget to remove the site from the Trusted Sites zone after you finish working with it.

2. Using and Customizing Internet Security Zones

Internet Explorer's security zones are key elements to browsing the web and using the internet without fear. By default, all websites you visit are assigned to the Internet zone, and Internet Explorer severely restricts the action of sites in the Internet zone. If you're concerned about security, you can lock down security zones even more tightly if you like.

By default, Internet Explorer allows you to work with four security zones:

  • The Internet zone includes all sites that are not included in any other category.

  • The Local Intranet zone is for sites on your local network—typically, behind a firewall. Protected Mode is turned off by default in this zone.

  • The Trusted Sites zone allows you to specify sites where you allow certain actions—such as running ActiveX controls or scripts—that you might not permit on other sites in which you have a lower degree of trust. Protected Mode is off by default in this zone.

  • The Restricted Sites zone allows you to specify sites where you want to specifically disallow actions that might otherwise be permitted.

2.1. How Security Zones Affect the Way You Browse

When you open a webpage using Internet Explorer, Windows checks to see which security zone that page is assigned to and then applies restrictions to that page, based on the settings for that zone. Initially, any sites you connect to internally (that is, your own company's sites, which you access by means of an intranet connection) are automatically assigned to the Local Intranet zone, and if you choose to enable intranet settings the Local Intranet zone is accorded a Medium-Low level of security settings. All other sites on the internet are lumped into the Internet zone, which is given a Medium-High security level. As you roam the internet, if you come upon a site that you trust completely, you can move that site into the Trusted Sites zone. Internet Explorer, by default, applies a Medium level of security settings to the Trusted Sites zone. When you discover a site that warrants a high degree of wariness, you can move that site into the Restricted Sites zone. The security settings that apply there, by default, are described as High.

2.2. Adding Sites to a Zone

To change the zone in which a site resides or to reconfigure the security settings associated with a zone, you use the Security tab of the Internet Options dialog box (click Tools, Internet Options, and then click the Security tab), which is shown in Figure 1.

Figure 1. Use this dialog box to add sites to particular zones or modify the security settings associated with a zone.

To add a site to your Trusted Sites or Restricted Sites zone, follow these steps:

  1. On the Security tab of the Internet Options dialog box (shown in Figure 6-16), select Trusted Sites or Restricted Sites.

  2. Click Sites. You'll see the following dialog box (or one similar if you selected Restricted Sites):

  3. The URL for the current site appears in the Add This Website To The Zone box. Edit or replace this value if necessary and then click Add.

By design, the Trusted Sites zone is most appropriate for use with secure sites, where you already have a high degree of confidence that the site you're interacting with is legitimate. Thus, the default settings for this zone require that Internet Explorer verify that the site's server is secure (in other words, that its URL begins with https:) before establishing a connection. To add a non–Secure Sockets Layer (SSL) site to the list, clear the check box at the bottom of the Trusted Sites dialog box. (After adding the site, you can select the check box again.) When you add a domain (such as http://www.microsoft.com) to either of these zones, all URLs located within that domain are assigned to the zone you selected.

By default, Internet Explorer populates the Local Intranet zone with the following:

  • All intranet sites that you haven't moved into either the Trusted Sites zone or the Restricted Sites zone

  • All sites that bypass your proxy server, if one exists on your network

  • All network servers accessed via UNC paths (\\server_name)

To remove one or more of those categories (so that the affected category joins the Internet zone), select Local Intranet in the Internet Options dialog box and then click Sites. You'll see the following dialog box. Clear the appropriate check boxes.

If you want to add a site to the Local Intranet zone, click the Advanced button. Then type the site's URL and click Add.

2.3. Changing a Zone's Security Settings

Any site placed in a security zone is subject to the same privileges and restrictions as all other sites in that zone. Thus, if you change the overall security settings associated with the zone, you change the security settings for all of its member sites. You can change the security settings for a zone to one of the predefined groups by following these steps:

  1. On the Security tab of the Internet Options dialog box (shown earlier in Figure 6-16), click the icon for the zone you want to adjust.


    If you've previously made any customizations to security settings for a particular zone, those settings will be wiped out as soon as you click Default Level. If you've made specific changes to allow a program or site to work correctly, be sure you document those settings so that you can reapply them after changing other security settings.

  2. In the Security Level For This Zone section of the dialog box, click the Default Level button to reveal a slider control (if the slider isn't already visible).

  3. Move the slider up to apply more stringent security measures or down to be more lenient. As you move the slider from level to level, the description to the right of the slider summarizes the current level's settings.

To fine-tune the settings for a zone or to read all the particulars about the current level of settings, click Custom Level. In the Security Settings dialog box that appears, you can use the option buttons to adjust individual settings.

If you've customized a security zone's settings and you want to start over from a clean slate, open the Security Settings dialog box, choose a predefined level from the Reset To dropdown list, and then click Reset.

Other -----------------
- Personalizing Internet Explorer (part 2) - Managing Toolbars, Managing and Troubleshooting Add-ons & Using (or Refusing) AutoComplete
- Personalizing Internet Explorer (part 1) - Adding, Removing, and Managing Search Providers & Configuring Accelerators
- Using Internet Explorer 8 : Working with RSS Feeds and Web Slices
- Working with Virtual Hard Disks
- Managing Existing Disks and Volumes (part 4) - Checking the Properties and Status of Disks and Volumes
- Managing Existing Disks and Volumes (part 3) - Mapping a Volume to an NTFS Folder
- Managing Existing Disks and Volumes (part 2) - Converting a FAT32 Disk to NTFS
- Managing Existing Disks and Volumes (part 1) - Extending a Volume & Shrinking a Volume
- Setting Up a New Hard Disk (part 2) - Choosing a File System
- Setting Up a New Hard Disk (part 1) - Adding a New Disk to an Existing Windows Installation
Top 10
- Microsoft Exchange Server 2013 : Working with cmdlets (part 2) - Understanding cmdlet errors, Using cmdlet aliases
- Microsoft Exchange Server 2013 : Working with cmdlets (part 1) - Using Windows PowerShell cmdlets, Using cmdlet parameters
- Microsoft Exchange Server 2013 : Using Windows PowerShell (part 2) - Running and using cmdlets, Running and using other commands and utilities
- Microsoft Exchange Server 2013 : Using Windows PowerShell (part 1) - Running and using Windows PowerShell
- Troubleshooting Stop Messages : Being Prepared for Stop Errors - Prevent System Restarts After a Stop Error
- Troubleshooting Stop Messages : Memory Dump Files (part 3) - Using Memory Dump Files to Analyze Stop Errors - WinDbg Debugger
- Troubleshooting Stop Messages : Memory Dump Files (part 2) - Using Memory Dump Files to Analyze Stop Errors - Using Problem Reports And Solutions
- Troubleshooting Stop Messages : Memory Dump Files (part 1) - Configuring Small Memory Dump Files, Configuring Kernel Memory Dump Files
- Troubleshooting Stop Messages : Stop Message Overview - Identifying the Stop Error, Finding Troubleshooting Information
- Deploying IPv6 : Planning for IPv6 Migration - Understanding ISATAP, Migrating an Intranet to IPv6