MS to Lock Down Security Zones in IE7

Continuing its endeavor to ensure Internet Explorer 7 is safe from the attacks that have plagued its predecessor, Microsoft is making changes to the browser's built-in security zones. Zones are used to classify Web sites into different security levels, but also bring risks themselves.

IE includes four standard zones: Internet, Intranet, Trusted Sites and Restricted Sites. Most browsing is done in the Internet zone, with the Intranet zone reserved for accessing local network sites, often used by businesses. The Intranet zone contains fewer restrictions, and in turn is more vulnerable to attack.

By default, Internet Explorer detects where the Web site is located -- on the Web or internally -- and utilizes the appropriate zone. However, it is possible to trick the browser. "If there is a flaw in IE's zone detection logic, a malicious website could try to run in a less restrictive security zone than they should run in," says IE developer Vishu Gupta.

Although Microsoft has improved URL parsing in IE6 SP2 and IE7, the company acknowledges there is an inherent risk associated with such an approach. To fix the problem, IE7 will no longer use the Intranet zone unless the computer has joined a domain.

If the browser is unable to detect a domain, "IE will show an information bar when visiting a probable intranet site. If a user wants to re-enable their intranet zone, they'll be able to," explains Gupta.

Microsoft is also taking steps to lock down the Internet and Trusted Sites zones.

If a URL is in the Trusted Sites, it is given complete access, such as automatically installing ActiveX controls without permission. However, such capability has opened the zone up to abuse. For example, malware could automatically add a malicious site to the Trusted list. That will change in IE7.

In the future, Trusted Sites will be given a default security setting of Medium, the same level as the Internet zone in IE6. Users can manually change the security level back if they so please. "We find that many users don't understand how powerful a site becomes when they make it a Trusted Site," says Gupta.

The Internet zone in IE7 has been moved to a new Medium-High security setting. The change means ActiveX controls will be disabled by default, and users must enable them as needed through the yellow Information Bar. Windows Vista will go even further by running in a "Protected Mode" that runs IE in isolation.

These new features will be available in the public pre-release version of Internet Explorer 7, due in the first quarter of 2006.