Configuring Internet Explorer Security Zones: A New Tool for the Security Community

Published: 13 Feb, 2002
Created by: Ken Barber

Recognizing the security risks from active content technologies such as Java, JavaScript and ActiveX, Microsoft introduced a mechanism called security zones in version 4.0 of Internet Explorer, and it remains an integral part of IE to this day. This mechanism divides a user's Web 'world' into zones that are presumed to have different levels of safety: some sites (those on a corporate intranet, for instance) are far less likely to contain malicious code than others. This paper first reviews the work of others on the risks inherent in each of the active content technologies and the very different ways in which they approach security. It then gathers into one place all of the information the author could find on the meanings and implications of all but one of IE's security zone settings. Next it discusses Microsoft's System Policy Editor tool for Windows NT and how it could have been used to enforce users' IE security zone settings quickly and easily throughout an enterprise, had Microsoft only provided a policy editor template for the IE security zones. Finally (and admittedly somewhat belatedly), a template that does just that, written by the paper's author, is presented to the security community.