How to surf more safely with Internet Explorer 7
A HelpWithWindows TechFile
October 25, 2006
After a 20-month development period, Microsoft this month released Internet Explorer 7. Despite the security overhaul Internet Explorer 6 received in Service Pack 2 for Windows XP, Internet Explorer is still the weakest link in any system, and we all know that a chain is only as strong as its weakest link. Internet Explorer 7 offers some improvements over previous versions, but as far as I am concerned security is still not taken far enough!
Internet Explorer offers a good mechanism to customize your security: the security (Content) zones. You can access the settings by selecting Tools > Internet Options from the Internet Explorer menu and choosing the Security tab.
You will see that Internet Explorer lets you set different levels of security for 4 different types of sites: Internet, Local intranet, Trusted sites and Restricted sites.
Without any further action, every site you visit that is not assigned to another zone is treated as part of the Internet zone. By default, this zone is set to Medium-High security (an improvement over IE6, where it was set to Medium). I just want to highlight some of the settings which will be in effect:
- .NET Framework
  - Loose XAML: Enable
  - XAML browser applications: Enable
  - XPS documents: Enable
- .NET Framework-reliant components (available when you have .NET Framework installed):
  - Run components not signed with Authenticode: Disable (changed from Enable in IE6)
- ActiveX controls and plug-ins:
  - Binary and script behaviors: Enable
  - Run ActiveX controls and plug-ins: Enable
  - Script ActiveX controls marked safe for scripting: Enable
- Downloads:
  - Font Download: Enable
  - Enable .NET Framework setup: Enable
- Miscellaneous:
  - Allow META REFRESH: Enable
  - Allow Web pages to use restricted protocols for active content: Prompt
  - Display mixed content: Prompt
  - Drag and drop or copy and paste files: Enable
  - Installation of desktop items: Prompt
  - Launching applications and unsafe files: Prompt
  - Launching programs and files in an IFRAME: Prompt
  - Navigate sub-frames across different domains: Disable (changed from Enable in IE6)
  - Software channel permissions: Medium Safety
  - Submit non-encrypted form data: Enable
  - Userdata persistence: Enable
  - Web sites in less privileged web content zone can navigate into this zone: Enable
- Scripting:
  - Active scripting: Enable
  - Allow Programmatic clipboard access: Prompt
  - Scripting of Java applets: Enable
So we'll make some changes to make the Internet zone more secure: press the Custom Level button and change the following settings:
- .NET Framework
  - Loose XAML: Disable
  - XAML browser applications: Disable
  - XPS documents: Disable
- ActiveX controls and plug-ins:
  - Binary and script behaviors: Disable
  - Run ActiveX controls and plug-ins: Disable
  - Script ActiveX controls marked safe for scripting: Disable
- Downloads:
  - Font Download: Disable
  - Enable .NET Framework setup: Disable
- Miscellaneous:
  - Allow META REFRESH: Disable
  - Allow Web pages to use restricted protocols for active content: Disable
  - Display mixed content: Disable
  - Drag and drop or copy and paste files: Disable
  - Installation of desktop items: Disable
  - Launching applications and unsafe files: Disable
  - Launching programs and files in an IFRAME: Disable
  - Software channel permissions: Maximum Safety
  - Submit non-encrypted form data: Disable
  - Userdata persistence: Disable
  - Web sites in less privileged web content zone can navigate into this zone: Disable
- Scripting:
  - Active scripting: Disable *)
  - Allow Programmatic clipboard access: Disable
  - Scripting of Java applets: Disable
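Internet Explorer stores each zone's Custom Level choices as DWORD values under the zone's registry key, so the hardening above can be checked without clicking through the dialog. The PowerShell audit below is an added example, not part of the original article; it assumes the Internet zone is zone 3 under HKCU, that the policy-ID-to-setting mapping in Microsoft's knowledge-base article on zone registry entries (KB182569) applies, and that no Group Policy under HKLM overrides the per-user values.

```powershell
# Added example (not from the original article): audit the current user's
# Internet zone (zone 3) against the hardened list above.
# Value names are IE's documented zone policy IDs (Microsoft KB182569);
# each DWORD is 0 = Enable, 1 = Prompt, 3 = Disable. Assumes HKCU is in effect
# (a Group Policy under HKLM can override it); 'Software channel permissions'
# (1E05) uses another value scale and is skipped.

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Policy ID -> setting name, for every item the article sets to Disable
$ShouldBeDisabled = [ordered]@{
    '2402' = 'Loose XAML'
    '2400' = 'XAML browser applications'
    '2401' = 'XPS documents'
    '2000' = 'Binary and script behaviors'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1604' = 'Font Download'
    '2600' = 'Enable .NET Framework setup'
    '1608' = 'Allow META REFRESH'
    '2102' = 'Allow Web pages to use restricted protocols for active content'
    '1609' = 'Display mixed content'
    '1802' = 'Drag and drop or copy and paste files'
    '1800' = 'Installation of desktop items'
    '1806' = 'Launching applications and unsafe files'
    '1804' = 'Launching programs and files in an IFRAME'
    '1601' = 'Submit non-encrypted form data'
    '1606' = 'Userdata persistence'
    '2101' = 'Web sites in less privileged web content zone can navigate into this zone'
    '1400' = 'Active scripting'
    '1407' = 'Allow Programmatic clipboard access'
    '1402' = 'Scripting of Java applets'
}

# Translate a stored DWORD into the wording shown in the Custom Level dialog
function ConvertTo-ZoneAction {
    param($Value)
    if ($null -eq $Value) { return 'not set (zone default applies)' }
    switch ([int]$Value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "unknown ($Value)" }
    }
}

$zone = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
foreach ($id in $ShouldBeDisabled.Keys) {
    $action = ConvertTo-ZoneAction $zone.$id
    $status = if ($action -eq 'Disable') { 'OK    ' } else { 'REVIEW' }
    '{0} {1} ({2}): {3}' -f $status, $ShouldBeDisabled[$id], $id, $action
}
```

Each line flagged REVIEW is a setting that is still at Enable or Prompt (or left at the zone default) for the current user; run it again after changing the Custom Level settings to confirm they took effect.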
Now this will have an impact on the Web sites you visit. If you want to be able to run ActiveX or scripting on certain Web sites, just add them to the Trusted sites zone. You can add Web sites by selecting the Trusted sites icon and pressing the Sites button (once you are in Internet Explorer's Security Internet Options). Note that by default you can only add secure sites here (sites using https); uncheck "Require server verification (https:) for all sites in this zone" and you can add any site.
Microsoft has a handy tool that will add a menu choice Add to Trusted Zone and Add to Restricted Zone to the Tools menu in Internet Explorer. You can download this tool from the Microsoft Web site [127 KB]. It is called Internet Explorer 5 Power Tweaks Web Accessory, but it works fine on Internet Explorer 7.
The default security setting for Trusted sites has also been changed in Internet Explorer 7. In IE6, Trusted sites used the Low setting by default; in IE7, Trusted sites uses the Medium setting that was previously used for the Internet zone. For the most critical settings mentioned above, the Trusted sites zone uses:
- .NET Framework
  - Loose XAML: Enable
  - XAML browser applications: Enable
  - XPS documents: Enable
- .NET Framework-reliant components (available when you have .NET Framework installed):
  - Run components not signed with Authenticode: Enable
- ActiveX controls and plug-ins:
  - Binary and script behaviors: Enable
  - Run ActiveX controls and plug-ins: Enable
  - Script ActiveX controls marked safe for scripting: Enable
- Downloads:
  - Font Download: Enable
  - Enable .NET Framework setup: Enable
- Miscellaneous:
  - Allow META REFRESH: Enable
  - Allow Web pages to use restricted protocols for active content: Prompt
  - Display mixed content: Prompt
  - Drag and drop or copy and paste files: Enable
  - Installation of desktop items: Prompt
  - Launching applications and unsafe files: Prompt
  - Launching programs and files in an IFRAME: Prompt
  - Navigate sub-frames across different domains: Disable
  - Software channel permissions: Medium Safety
  - Submit non-encrypted form data: Enable
  - Userdata persistence: Enable
  - Web sites in less privileged web content zone can navigate into this zone: Prompt
- Scripting:
  - Active scripting: Enable
  - Allow Programmatic clipboard access: Prompt
  - Scripting of Java applets: Enable
The changes above won't guarantee that you will never have a problem, but they will certainly make it a whole lot less likely. Keep your anti-virus software up to date, make sure you have all the latest Windows updates, and make it a practice never to open unknown email attachments.
*) Making the changes listed will affect your Internet experience severely! Most Web sites use JavaScript for their navigation menus, and a lot of Web sites do not take into account that you might want to switch off JavaScript (some 98% of visitors to our Web site have JavaScript enabled).
But the problem with Active Scripting is that it keeps getting used in many exploits; the most recent examples are found in Secunia advisories 22477 and 22542. When you have Active Scripting switched off you won't be able to follow such menu links, since they are not 'normal' HTML links but links that trigger a JavaScript function.
As with a lot of things, if you know what you are doing while browsing the 'Net, that's more than half of your security, but you might want to consider changing some of IE7's default settings. We have listed the settings which we think should be considered for a change; you can choose your own settings to adjust your Web browsing experience and find a balance between security and usability.
Surf Safe!