Windows Vista: The Complete Reference (Complete Reference Series)
Internet Explorer can retrieve a wide variety of files and objects, ranging from innocuous plain text files and images to potentially destructive executable programs. Many entertainment and business web sites take advantage of interactive technologies like Adobe Flash, Java, JavaScript, and ActiveX. While these programs are useful, they also create security issues. If web sites can put useful programs on your computer and run them without informing you, precautions must be taken to make sure that they can't also put harmful programs on your computer. Internet Explorer takes certain precautions automatically, and gives you the option to choose additional precautions.
Internet Explorer's downloaded-object security allows you to decide, based on both the web site where an object came from and the type of object, whether to retrieve an object and, once it's retrieved, what to do with it. Internet Explorer defines three levels of object access (low, medium, and high) to give varying amounts of access to your computer. You can also define custom access permissions, if the three standard settings don't meet your needs.
Java, JavaScript, VBScript, and ActiveX
Java is a language for developing small applications (called applets) that can be downloaded over the Web, so that they can be executed by your computer. JavaScript is a language for embedding small programs called scripts in web pages. VBScript, a language that resembles Microsoft's Visual Basic, can be used to add scripts to pages that are displayed by Internet Explorer. Anything that VBScript can do, JavaScript (which Microsoft calls JScript .NET) can do, too, and vice versa.
ActiveX controls, like Java, are a way to embed executable programs into a web page. Unlike Java and JavaScript, ActiveX is a Microsoft system that is not used by Mozilla Firefox except in some work done by the Mozilla ActiveX Project (http://www.iol.ie/~locka/mozilla/mozilla.htm). When Internet Explorer encounters a web page that uses ActiveX controls, it checks to see whether that particular control is already installed; if it is not, Internet Explorer installs the control on your machine.
Caution: ActiveX controls are considerably more dangerous than JavaScript or VBScript scripts or Java applets. Java applets and JavaScript scripts are run in a "sandbox" inside your browser, which limits the accidental or deliberate damage they can do; and VBScript scripts are run by an interpreter, which should limit the types of damage they can do. However, ActiveX controls are programs with full access to your computer's resources.
Internet Explorer's Zones
Internet Explorer's security policy is based on trust, and the decisions that you make involve who to trust and who not to trust. For example, when a web page wants to run an ActiveX control on your machine, Internet Explorer verifies who wrote the control (Microsoft, for example) and that it hasn't been tampered with. It doesn't consider what the control intends to do or what privileges it requests on your system (rewriting files, for example). Instead, it asks you whether you trust its author.
To determine who to trust, Internet Explorer divides the world into four zones:
- Internet: Includes all sites that are not in one of the other three zones. Objects from this zone generally are given the medium level of access to your computer.
- Local Intranet: Contains computers on your local network. They're usually considered fairly trustworthy, and objects are given a medium level of access to your computer.
- Trusted Sites: Includes the sites that you or Microsoft have listed as trustworthy. Objects from this zone generally are given the highest level of access to your computer.
- Restricted Sites: Includes the sites that you have listed as untrustworthy. Objects from this zone are given the lowest level of access to your computer. Don't change the access level of this zone to grant higher access.
Downloaded ActiveX controls and other executable objects can and should be signed by their authors, using a certificate scheme similar to that used for validating remote servers.
For each of the four zones into which a web page can fall, you can set the security to high, medium, medium-low, or low. For each zone, you can set exactly which remote operations you're willing to perform. To prevent downloading and running software that might infect your system with a virus, see the section "Preventing Infection by Viruses" earlier in this chapter.
Controlling Your Download Security
The rules governing scripts and applets are set zone by zone on the Security tab of the Internet Options dialog box. To examine or change these settings:
- Open the Internet Options dialog box by selecting Tools | Internet Options from the Internet Explorer menu bar.
- Click the Security tab of the Internet Options dialog box (as shown in Figure 33-3).

Figure 33-3: Security tab of the Internet Options dialog box.

- Select the security zone you want to examine or change. The rest of the information on the Security tab changes to show the settings for that zone.
- If you want to change the general security setting of the zone without specifying how to handle specific web page elements, move the slider on the Security tab of the Internet Options dialog box. (The slider doesn't appear if the zone has been given custom settings. To reset such a zone to one of the standard settings, click the Default Level button. When the slider reappears, you can move it to the desired setting.)
- If you want to specify how to handle specific web page elements, click the Custom Level button to display the Security Settings dialog box, shown in Figure 33-4. Scroll through the settings until you see the item you want to change. Change an item by selecting or deselecting its check box or by selecting a different radio button from the current selection.

Figure 33-4: Enabling and disabling web page elements for a security zone.

- Click OK to close each open dialog box. Click Yes in the confirmation box that asks if you want to change the security settings.
Controlling Which Web Sites Are in the Local Intranet Zone
The Local Intranet zone normally contains sites on your own LAN and is set up that way by your network administrator when he or she sets up the network. When you click the Sites button on the Security tab, Windows displays the Local Intranet dialog box, with these three check boxes:
- Include All Local (Intranet) Sites Not Listed In Other Zones: Select this check box to include all other sites on the same LAN in the Local Intranet zone. This check box is usually checked.
- Include All Sites That Bypass The Proxy Server: Many organizations have a proxy server that mediates access to sites outside the organization. Select this check box to include sites outside your organization to which your organization lets you connect directly in the Local Intranet zone. You can see a list of the sites that bypass the proxy server by displaying the Internet Properties or Internet Options dialog box, clicking the Connections tab, and clicking the Advanced button.
- Include All Network Paths (UNCs): Select this check box to include all the sites with UNC (Universal Naming Convention) addresses, which apply only to computers on your LAN.
You can also click the Advanced button to add sites individually, as you can for the Trusted Sites and Restricted Sites zones. See Chapter 31 for more information on how networks connect to the Internet.
Controlling Which Web Sites Are in the Trusted Sites and Restricted Sites Zones
The Trusted Sites and Restricted Sites zones start with no web sites listed; you must specify the web sites to include in these zones. To specify sites, select the zone to which you want to add sites and click Sites on the Security tab of the Internet Options dialog box. You see the Trusted Sites or the Restricted Sites dialog box, the first of which is shown in Figure 33-5. To add a new site, type its full address, starting with http:// or https://, into the Add This Website To The Zone box and click Add. The web site appears in the Websites list. To remove a site, select it in the Websites list and click Remove. You can require a verified secure connection to all sites in this zone by clicking the Require Server Verification (https:) For All Sites In This Zone check box at the bottom of the dialog box; when selected, this setting prevents you from adding any sites that don't support HTTPS, which is described in "Securing Your Web Communication with Encryption and Certificates" later in this chapter.
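The site lists built in these dialog boxes can also be reviewed from a script. The following PowerShell is an added example, not from the book: it assumes the per-user registry location where Windows stores site-to-zone assignments (the ZoneMap\Domains key, which the book does not mention) and flags Trusted Sites entries that are not limited to HTTPS. The function name Get-ZoneSiteList is hypothetical.

```powershell
# Added example, not from the book. Reads the current user's site-to-zone
# assignments; sites assigned through Group Policy and IP ranges
# (ZoneMap\Ranges) are stored elsewhere and are not covered.
$domains   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 4 = 'Restricted Sites' }

function Get-ZoneSiteList {
    if (-not (Test-Path $domains)) { return }
    foreach ($key in (Get-ChildItem -Path $domains -Recurse)) {
        # The key path below Domains is "example.com" or "example.com\www"
        $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')
        [array]::Reverse($parts)
        $site = $parts -join '.'
        # Each value name is a protocol (http, https, *); its data is the zone number
        foreach ($proto in $key.GetValueNames()) {
            if ($proto -eq '') { continue }   # skip the key's unnamed default value
            $zone = [int]$key.GetValue($proto)
            $name = $zoneNames[$zone]
            if (-not $name) { $name = "Zone $zone" }
            New-Object PSObject -Property @{
                Site     = $site
                Protocol = $proto
                Zone     = $name
                # Trusted over anything other than HTTPS: the server is not verified
                Review   = ($zone -eq 2 -and $proto -ne 'https')
            }
        }
    }
}

Get-ZoneSiteList | Sort-Object Zone, Site |
    Select-Object Zone, Site, Protocol, Review | Format-Table -AutoSize
```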
Managing Java and JavaScript
The security settings that affect how Internet Explorer deals with Java and JavaScript programs are in the Microsoft VM and Scripting sections of the Security Settings dialog box. Follow these steps:
- On the Security tab of the Internet Options dialog box, click the zone for which you want to change or see the settings.
- Click the Custom Level button to display the Security Settings dialog box. You may change what these applets and scripts are allowed to do on your computer, or even disable Java or JavaScript entirely, by choosing Disable (Internet Explorer does not run this type of program downloaded from this zone), Enable (Internet Explorer does run this type of program downloaded from this zone), or Prompt (ask before running the program).
Managing ActiveX Controls
We have never been big fans of ActiveX controls. They allow web sites to have too much power over your system and are hard to monitor. If you should happen to download and install a rogue ActiveX control by mistake, it could (on its own) download and install lots more rogue ActiveX controls, which would then be permanent parts of your software environment, even when you are offline. None of this would appear the least bit suspicious to any virus-detecting software you might own, because ActiveX controls aren't viruses: they have the same status as applications that you install yourself.
Disabling ActiveX controls is one option, as described in the previous section. However, if you frequent Microsoft web sites like http://www.Office.microsoft.com and Windowsupdate http://www.microsoft.com, you will be exposed to numerous temptations to turn them back on. We suggest the following compromise: Disable ActiveX controls everywhere but in the Trusted Sites security zone. (Do this from the Security Settings dialog box, following the steps in the previous section.) When you find a Microsoft web site that offers some wonderful service involving ActiveX controls, move that site into the Trusted Sites security zone.
ActiveX controls are stored in the folder C:\Windows\Downloaded Program Files (if Windows is installed in C:\Windows). If you use Internet Explorer, you should check this folder periodically to see what applications Internet Explorer has downloaded. Dispose of an ActiveX control by right-clicking its icon and selecting Remove from the shortcut menu.
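To check that the compromise suggested above (ActiveX disabled everywhere but Trusted Sites) is actually in effect, and to carry out the periodic folder check, the settings can be read from a script. This PowerShell is an added example, not from the book: it assumes the per-user registry location and the numeric action identifiers Windows uses for the ActiveX entries of the Security Settings dialog box, none of which appear in the book, and the function name Get-ActiveXZoneReport is hypothetical.

```powershell
# Added example, not from the book. Reads the current user's zone settings only;
# settings enforced through Group Policy are stored elsewhere and are not covered.
$base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones   = @{ '1' = 'Local Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }
$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$states  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneReport {
    foreach ($zone in ($zones.Keys | Sort-Object)) {
        $props = Get-ItemProperty -Path "$base\$zone" -ErrorAction SilentlyContinue
        foreach ($action in ($actions.Keys | Sort-Object)) {
            $raw = $null
            if ($props) { $raw = $props.$action }
            if ($null -eq $raw)                     { $state = 'Not set' }
            elseif ($states.ContainsKey([int]$raw)) { $state = $states[[int]$raw] }
            else                                    { $state = 'Other (0x{0:X})' -f $raw }
            New-Object PSObject -Property @{
                Zone    = $zones[$zone]
                Action  = $actions[$action]
                Setting = $state
                # Anything but Disable outside Trusted Sites departs from the compromise
                Review  = ($zone -ne '2' -and $state -ne 'Disable')
            }
        }
    }
}

Get-ActiveXZoneReport | Select-Object Zone, Action, Setting, Review | Format-Table -AutoSize

# Files behind the controls Internet Explorer has downloaded (folder named above)
Get-ChildItem -Path (Join-Path $env:windir 'Downloaded Program Files') -Force |
    Select-Object Name, LastWriteTime
```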