How to surf more safely with Internet Explorer (Windows XP SP2 version)

A HelpWithWindows TechFile

• September 23, 2004 •


Despite a security overhaul in Service Pack 2 for Windows XP, Internet Explorer is still the weakest link in any system. And we all know that a chain is only as strong as its weakest link.

Many people are suggesting dumping Internet Explorer & using a different browser. I don't think that's a "cure-all" suggestion. Most other browsers have their own weaknesses & vulnerabilities, and the more people who start using these browsers, the more malicious code writers will take notice & start attacking these browsers too.

I prefer to shore up Internet Explorer's security, so just follow me here.

Internet Explorer offers a good mechanism to customize your security, with the Content zones. You can access the settings by selecting Tools > Internet Options from the Internet Explorer menu, and choosing the Security tab.

Internet Explorer's Content Zones

You will see that Internet Explorer lets you set different levels of security for 4 different types of sites: Internet, Local intranet, Trusted sites and Restricted sites.

Without any further action, the default security for sites on the Internet will be the Internet zone. By default, this is set to Medium security. I just want to highlight some of the settings which will be in effect:

  • .NET Framework-reliant components:
    • Run components not signed with Authenticode: Enable
  • ActiveX controls and plug-ins:
    • Binary and script behaviors: Enable
    • Run ActiveX controls and plug-ins: Enable
    • Script ActiveX controls marked safe for scripting: Enable
  • Downloads:
    • Font Download: Enable
  • Miscellaneous
    • Allow META REFRESH: Enable
    • Allow Web pages to use restricted protocols for active content: Prompt
    • Display mixed content: Prompt
    • Drag and drop or copy and paste files: Enable
    • Installation of desktop items: Prompt
    • Launching programs and files in an IFRAME: Prompt
    • Navigate sub-frames across different domains: Enable
    • Software channel permissions: Medium Safety
    • Userdata persistence: Enable
    • Web sites in less privileged web content zone can navigate into this zone: Enable
  • Scripting:
    • Active scripting: Enable
    • Allow paste operations via script: Enable
    • Scripting of Java applets: Enable

So we'll make some changes to make the Internet zone more secure by pressing the Custom Level button, and changing the following settings:

  • .NET Framework-reliant components
    • Run components not signed with Authenticode: Disable
  • ActiveX controls and plug-ins
    • Binary and script behaviors: Disable
    • Run ActiveX controls and plug-ins: Disable
    • Script ActiveX controls marked safe for scripting: Disable
  • Downloads
    • Font Download: Disable
  • Miscellaneous
    • Allow META REFRESH: Disable
    • Allow Web pages to use restricted protocols for active content: Disable
    • Display mixed content: Disable
    • Drag and drop or copy and paste files: Disable
    • Installation of desktop items: Disable
    • Launching programs and files in an IFRAME: Disable
    • Navigate sub-frames across different domains: Disable
    • Software channel permissions: Maximum Safety
    • Userdata persistence: Disable
    • Web sites in less privileged web content zone can navigate into this zone: Disable
  • Scripting:
    • Active scripting: Disable *)
    • Allow paste operations via script: Disable
    • Scripting of Java applets: Disable
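To check that the custom level above actually took effect, the Internet zone's registry key can be exported and compared against the list. The following is an added example, not part of the original article: the function names are hypothetical, and the four-character value names are Microsoft's documented URL action IDs for these settings, which the article itself does not give.

```python
import re

# Value names are Microsoft's documented URL action IDs (not from the article).
DISABLE = 3  # value data: 0 = Enable, 1 = Prompt, 3 = Disable
HARDENED = {  # the article's custom level for the Internet zone (Zones\3)
    "2004": ("Run components not signed with Authenticode", DISABLE),
    "2000": ("Binary and script behaviors", DISABLE),
    "1200": ("Run ActiveX controls and plug-ins", DISABLE),
    "1405": ("Script ActiveX controls marked safe for scripting", DISABLE),
    "1604": ("Font Download", DISABLE),
    "1608": ("Allow META REFRESH", DISABLE),
    "2300": ("Restricted protocols for active content", DISABLE),
    "1609": ("Display mixed content", DISABLE),
    "1802": ("Drag and drop or copy and paste files", DISABLE),
    "1800": ("Installation of desktop items", DISABLE),
    "1804": ("Launching programs and files in an IFRAME", DISABLE),
    "1607": ("Navigate sub-frames across different domains", DISABLE),
    # 0x10000 is documented as "High safety"; assumed to be "Maximum Safety".
    "1E05": ("Software channel permissions", 0x00010000),
    "1606": ("Userdata persistence", DISABLE),
    "2101": ("Less privileged zone can navigate into this zone", DISABLE),
    "1400": ("Active scripting", DISABLE),
    "1407": ("Allow paste operations via script", DISABLE),
    "1402": ("Scripting of Java applets", DISABLE),
}
DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse_reg_export(text):
    """Return {action_id: value} for each dword line of a .reg export."""
    hits = (DWORD.match(line.strip()) for line in text.splitlines())
    return {m.group(1).upper(): int(m.group(2), 16) for m in hits if m}

def audit(text):
    """List (id, setting, found, wanted) wherever the export is off baseline."""
    current = parse_reg_export(text)
    return [(aid, name, current.get(aid), want)
            for aid, (name, want) in HARDENED.items()
            if current.get(aid) != want]

# Constructed sample export, not captured from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000003
"1400"=dword:00000000
"1E05"=dword:00020000
'''

if __name__ == "__main__":
    for aid, name, found, want in audit(SAMPLE):
        print(f"{aid} {name}: found {found!r}, baseline {want:#x}")
```

The input comes from `reg export` on the `Zones\3` key shown in the sample; the exported file is UTF-16, so decode it before passing the text to `audit`. A setting reported with `found None` is simply absent from the export.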

Now this will have some impact on Web sites you visit. If you want to be able to run ActiveX or Scripting on certain Web sites, just add them to the Trusted sites zone. You can add Web sites by selecting the Trusted sites icon, and pressing the Sites button. Note that by default, you can only add secure sites here (sites using https). Just uncheck the Require server verification (https:) for all sites in this zone option, and you can add any site.

Microsoft has a handy tool that will add the menu choices Add to Trusted Zone and Add to Restricted Zone to the Tools menu in Internet Explorer. You can download this tool from the Microsoft Web site [127 KB]. It is called Internet Explorer 5 Power Tweaks Web Accessory, but it works fine on Internet Explorer 6.

By default, the security setting for Trusted sites is set to Low. For the most critical settings mentioned above, this means the Trusted sites zone is now set to:

  • .NET Framework-reliant components:
    • Run components not signed with Authenticode: Enable
  • ActiveX controls and plug-ins:
    • Binary and script behaviors: Enable
    • Run ActiveX controls and plug-ins: Enable
    • Script ActiveX controls marked safe for scripting: Enable
  • Downloads:
    • Font Download: Enable
  • Miscellaneous
    • Allow META REFRESH: Enable
    • Allow Web pages to use restricted protocols for active content: Prompt
    • Display mixed content: Prompt
    • Drag and drop or copy and paste files: Enable
    • Installation of desktop items: Enable
    • Launching programs and files in an IFRAME: Enable
    • Navigate sub-frames across different domains: Enable
    • Software channel permissions: Low Safety
    • Userdata persistence: Enable
    • Web sites in less privileged web content zone can navigate into this zone: Prompt
  • Scripting:
    • Active scripting: Enable
    • Allow paste operations via script: Enable
    • Scripting of Java applets: Enable

The changes above won't guarantee you will never have a problem, but they will certainly make it a whole lot less likely. Keep your anti-virus software up-to-date, make sure you have all the latest Windows updates, and make it a practice never to open unknown email attachments.

*) Making the changes listed will affect your Internet experience severely! Most Web sites use JavaScript for their navigation menus, and a lot of Web sites do not take into account that you may want to switch off JavaScript (some 98% of visitors to our Web site have JavaScript enabled).

But the problem with Active Scripting is that it keeps getting used in many exploits; the most recent examples are found in the Secunia 22477 and 22542 advisories. When you have active scripting switched off, you won't be able to click the links, since they are not 'normal' HTML links but links to activate a JavaScript.

As with a lot of things, if you know what you are doing while browsing the 'Net, that's more than half of your security, but you might want to consider changing some of IE7's default settings. We have just listed the settings which we think should be considered for a change; you can choose your own settings to adjust your Web browsing experience and find a balance between security & usability.

Surf Safe!